chore: release main#26
Closed
github-actions[bot] wants to merge 13 commits into
The tree-sitter native binding requires node-gyp at install time, which isn't on the ubuntu-latest runner path. All CI jobs except 'test' only need the TypeScript sources, not the compiled native module — so skip install scripts there. The test matrix installs node-gyp explicitly before pnpm install so tree-sitter can rebuild on each OS.
The @v2 ref doesn't exist as a tag on google/osv-scanner-action — only full semver tags do. This was causing the CI workflow to fail at parse time with a 'workflow file issue' error before any job could run.
- actions/checkout v4 -> v6 (Node 20 -> 24 runtime)
- actions/upload-artifact v4 -> v7
- jdx/mise-action v2 -> v4
- github/codeql-action v3 -> v4
- ossf/scorecard-action v2.4.0 -> v2.4.3
- googleapis/release-please-action remains v4 (latest major)
- Replace osv-scanner reusable workflow (which doesn't have a @v2 major tag) with direct binary install. Pin to v2.3.5. Upload SARIF via codeql-action/upload-sarif.

Closes the five outstanding Dependabot github_actions bumps (#1-5). Eliminates the 'Node.js 20 actions are deprecated' runner warning.
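A pinned direct-install job of the kind the last bullet describes, added here as an illustration and not the repository's actual workflow file: the release asset name and URL layout, the checksum placeholder and the job/step names are assumptions, while the v2.3.5 pin, the `scan source --lockfile=pnpm-lock.yaml` invocation and the `codeql-action/upload-sarif@v4` upload come from this PR.

```yaml
# Added example, not the repository's workflow. The asset name, URL layout
# and EXPECTED_SHA256 placeholder are assumptions: check them against the
# v2.3.5 release page and its checksums file before use.
name: osv-scanner
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  osv-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed by codeql-action/upload-sarif
    steps:
      - uses: actions/checkout@v6
      - name: Install osv-scanner v2.3.5 (pinned, checksum-verified)
        env:
          OSV_VERSION: v2.3.5
          # PLACEHOLDER: sha256 of osv-scanner_linux_amd64 from the release's checksums file
          EXPECTED_SHA256: "<sha256-of-osv-scanner_linux_amd64>"
        run: |
          set -euo pipefail
          url="https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_linux_amd64"
          curl -fsSL "$url" -o osv-scanner
          # Fail closed if the download does not match the pinned digest
          echo "${EXPECTED_SHA256}  osv-scanner" | sha256sum -c -
          chmod +x osv-scanner
          sudo mv osv-scanner /usr/local/bin/osv-scanner
      - name: Scan lockfile
        id: scan
        # osv-scanner exits non-zero on findings; continue so the SARIF still uploads
        continue-on-error: true
        run: |
          osv-scanner scan source --lockfile=pnpm-lock.yaml \
            --format=sarif --output=osv-results.sarif
      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: osv-results.sarif
      - name: Fail the job if the scan reported findings
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

The final step keeps the job red on findings while still getting the SARIF into Code Scanning, so alerts and the CI status agree.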
🤖 Automated release via release-please

---

<details><summary>root: 0.1.1</summary>

## [0.1.1](root-v0.1.0...root-v0.1.1) (2026-04-22)

### Bug Fixes

* **ci:** build workspace dist before typecheck so cross-package .d.ts resolves ([2935965](2935965))
* **ci:** pin osv-scanner reusable workflow to v2.3.5 ([fb7f137](fb7f137))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
## Summary

Sweep of every outdated direct dependency in the workspace, bringing each one to its latest version — except for two intentional holds (TypeScript 6, Zod 4) that need their own migration PRs.

## What's bumped

**Safe minors + patches** (no behavior changes on our surface):

| Package | From | To |
|---|---|---|
| `@biomejs/biome` | 2.4.0 | 2.4.12 |
| `fast-xml-parser` | 5.7.0 | 5.7.1 |
| `piscina` | 5.1.3 | 5.1.4 |
| `envinfo` | 7.14.0 | 7.21.0 |
| `lru-cache` | 11.2.2 | 11.3.5 |

**Safe majors** (no source-level breakage; verified via full build + test matrix):

| Package | From | To |
|---|---|---|
| `@apidevtools/swagger-parser` | 10.1.1 | 12.1.0 |
| `@commitlint/cli` | 19.6.1 | 20.5.0 |
| `@commitlint/config-conventional` | 19.6.0 | 20.5.0 |
| `@types/node` | 20.14.0 | 22.19.17 (Node 22 LTS) |
| `commander` | 13.1.0 | 14.0.3 |
| `listr2` | 9.0.4 | 10.2.1 |
| `write-file-atomic` | 6.0.0 | 7.0.1 |

**Deliberately deferred** (need real migration work; track in follow-up PRs):

- `typescript` 5.9.3 → 6.x — many workspace deps peer-declare `typescript@^5`; the jump needs a compatibility sweep first.
- `zod` 3 → 4 — breaking changes (`.merge()` → `.extend()`, stricter coercion, different result shape) that touch the MCP + SARIF schema layers.

## License allowlist update

`lru-cache` switched its declared license from `ISC` → `BlueOak-1.0.0` at 11.3.x. BlueOak-1.0.0 is an OSI-approved permissive license (explicitly designed as an MIT/ISC-class modernization with no ShareAlike / attribution friction). Added `BlueOak-1.0.0` and `0BSD` to the CI license allowlist (`.github/workflows/ci.yml`, `mise.toml`) to match what's actually in the SBOM today. `SECURITY.md` + `CONTRIBUTING.md` updated to mirror.

## Supply chain

- `osv-scanner` — 0 issues on the refreshed 705-package lockfile.
- `SBOM.cdx.json` regenerated from the new lockfile.
- `THIRD_PARTY_LICENSES.md` regenerated (705 components).

## Drive-by fix

`packages/cli/src/commands/setup.test.ts` asserted the bundled plugin manifest version was `2.0.0` (stale from the pre-launch internal versioning). Updated to `0.1.0` to match the launch version and unblock `pnpm -r test`.

## Closes

Should supersede these open Dependabot PRs (will auto-close on next scan): #6, #7, #8, #9, #10, #11, #12, #13, #14, #15.

## Test plan

- [x] `pnpm install` resolves cleanly
- [x] `pnpm -r build` — all workspaces green
- [x] `pnpm -r exec tsc --noEmit` — 0 type errors
- [x] `pnpm -r test` — 1 stale-assertion fixed, remainder green
- [x] `bash scripts/check-banned-strings.sh` — PASS
- [x] `osv-scanner scan source --lockfile=pnpm-lock.yaml` — 0 issues
- [x] `license-checker-rseidelsohn --onlyAllow '...'` — 0 violations
## Summary

Partial fix for #19. Raises the supported runtime floor and gets type-level Node 24 coverage in place ahead of the full Node 24 CI matrix.

- `@types/node` → `24.12.2` across all 11 `package.json`s
- `engines.node` → `>=22.0.0` (Node 20 is EOL)
- License allowlist: add `BlueOak-1.0.0` + `0BSD` (lru-cache@11.3.x relicense from ISC)
- Stale `setup.test.ts` plugin-version assertion fixed (`2.0.0` → `0.1.0`)

## Why no Node 24 in the CI matrix

`tree-sitter@0.25.0` (current latest on npm) does not compile against Node 24's V8 ABI — signatures like `v8::Template::Set` and `v8::internal::Internals::ReadExternalPointerField<...>` changed, and there are no prebuilt binaries in the 0.25.0 tarball to bypass the source compile.

The upstream fix is already merged and tagged as `v0.25.1` (commit `f8805e7`), but the npm publish is blocked on an OIDC Trusted-Publishing misconfig — see [tree-sitter/node-tree-sitter#268](tree-sitter/node-tree-sitter#268) (the C++20/Node 24 compat bug) and [#276](tree-sitter/node-tree-sitter#276) (the publish blocker). Both are open as of 2026-04-21.

Once 0.25.1 lands on npm, re-adding Node 24 to the matrix is a one-line CI diff — and with `@types/node@24.12.2` in this PR we still get early type-level Node 24 coverage today. Tracking: see follow-up issue.

## Why no TS4111 fixes?

Issue #19 listed 17 call sites that `@types/node@22+` would break. In practice **zero** surfaced under `@types/node@24.12.2` — the sarif package already used bracket notation (`record["rules"]`, `pf["primaryLocationLineHash"]`, etc.) at every flagged site. The concern in #19 was forward-looking; the code had already evolved into the correct shape.

## Test plan

- [x] `pnpm -r build` clean
- [x] `pnpm -r exec tsc --noEmit` clean under `@types/node@24.12.2`
- [x] `pnpm -r test` → **952 pass / 0 fail** under Node 22.22.0
- [x] `pnpm -r test` → **952 pass / 0 fail** under Node 24.15.0 (local-only, tree-sitter binaries already cached)
- [x] `biome ci .` clean (52 warnings / 484 infos are pre-existing — separate PR)
- [x] `bash scripts/check-banned-strings.sh` clean
- [x] `license-checker-rseidelsohn` clean with expanded allowlist
- [ ] CI: all jobs green on the PR

## Follow-up

- New issue: re-add Node 24 to CI matrix once `tree-sitter` ≥ 0.25.1 is published to npm.
- Biome cleanup pass (bump `@biomejs/biome` 2.4.0 → 2.4.12 and review the 52 warnings in isolation).
## Summary

Closes #21. Much smaller migration than anticipated — the codebase never used the Zod 3 APIs that changed incompatibly in Zod 4.

- `zod`: `3.25.76` → `4.3.6` in `@opencodehub/mcp` + `@opencodehub/sarif`
- `packages/sarif/src/schemas.ts`: `z.record(z.string())` → `z.record(z.string(), z.string())` (Zod 4 requires an explicit key schema)

## What we didn't have to touch

The issue flagged these as migration hazards — none of them apply:

- **`.merge()`** — not used anywhere in the codebase (the one `.merge()` match in `packages/cli/src/commands/setup.ts` is a custom `writer.merge`, not Zod).
- **`.partial()` / `.deepPartial()`** — not used.
- **`z.coerce.*`** — not used.
- **`z.string().email()` / `.url()`** — not used.
- **`.format()` / `.flatten()` on `ZodError`** — not used.
- **`.safeParse(x)` / `.parse(x)`** — both still return/throw the same shapes in Zod 4.

## On `.passthrough()`

Used 11 times in `packages/sarif/src/schemas.ts`. It's deprecated in Zod 4 but still functional and is the smallest-diff migration path. A separate cleanup PR can migrate these to `z.looseObject(...)` or `.loose()` if we want.

## Dep-tree note

`zod@3.25.76` remains in the tree transitively via `@graphty/algorithms` → `pupt` → `zod`. Our direct deps are exclusively on `4.3.6`; no source-level mixing. The two versions coexist harmlessly.

## Test plan

- [x] `pnpm -r build` clean
- [x] `pnpm -r exec tsc --noEmit` clean
- [x] `pnpm -r test` → **952 pass / 0 fail**
- [x] `pnpm -F @opencodehub/sarif run validate-schema` → 4 pass / 0 fail
- [x] `biome ci .` clean
- [x] `bash scripts/check-banned-strings.sh` clean
- [x] `license-checker-rseidelsohn` clean
- [ ] CI: all jobs green on the PR
- [ ] End-to-end smoke: MCP server list_repos / query / context / impact against live Claude Code client (recommend before merge; can't automate locally)

## Follow-up (out of scope)

- Migrate the 11 `.passthrough()` call sites to `z.looseObject(...)` when convenient.
## Summary

Closes #20.

- `typescript` → `6.0.3` across all 11 workspace `package.json`s
- `tsconfig.base.json`: add `"types": ["node"]`

## The one mandatory fix

TypeScript 6.0 [flipped the default](https://www.typescriptlang.org/docs/handbook/release-notes/typescript-6-0.html) of `compilerOptions.types` from *"every package under `node_modules/@types`"* to `[]`. Without an explicit entry, `@types/node` is no longer auto-loaded and `node:*` module specifiers fail to resolve — surfacing as the misleading error:

```
error TS2591: Cannot find name 'node:assert/strict'.
```

Adding `"types": ["node"]` once in `tsconfig.base.json` flows through every workspace via `extends`. If any package later needs extras (e.g. `vitest/globals`), it overrides `types` locally — `types` doesn't merge across `extends`.

## Peer-compat sweep

The issue flagged tree-sitter grammars, `@apidevtools/swagger-parser`, `@modelcontextprotocol/sdk`, `zod`, `piscina`, etc. as possible peer-range risks. Checked with `npm view <pkg> peerDependencies.typescript`:

- `tree-sitter`, `tree-sitter-typescript`, `tree-sitter-python`, `tree-sitter-c`, `tree-sitter-java`, `tree-sitter-rust`, `web-tree-sitter` — **none declare typescript as a peer**. They're runtime parsers, not language-service plugins.
- Other flagged packages likewise declare no `typescript` peer.

No peer overrides needed.

## Test plan

- [x] `pnpm -r build` clean
- [x] `pnpm -r exec tsc --noEmit` clean
- [x] `pnpm -r test` → **952 pass / 0 fail**
- [x] `biome ci .` clean (52 warnings / 485 infos are pre-existing)
- [x] `bash scripts/check-banned-strings.sh` clean
- [x] `license-checker-rseidelsohn` clean
- [ ] CI: all jobs green on the PR
## Summary

Brings the repo to **0 errors / 0 warnings / 0 infos** from Biome. Three config changes + 4 small code fixes.

## Why the 537 findings were noise, not signal

Before this PR:

| Rule | Count | Reality |
|---|---|---|
| `lint/complexity/useLiteralKeys` | 480 infos | Biome wants `record.key` but the tsconfig has `noPropertyAccessFromIndexSignature: true`, which requires `record["key"]` on `Record`-typed index signatures. The two rules contradict each other. tsconfig wins. |
| `lint/suspicious/noConsole` | 52 warnings | All 52 live in `packages/cli/src/commands/` where `console.log` is how CLI commands emit their primary output (verdict markdown, impact lists, etc.). Not debug leakage. |
| `lint/style/useTemplate` | 4 infos | Real small-win improvements. Fixed by hand. |

## Changes

### `biome.json`

1. `lint/complexity/useLiteralKeys`: `off` — resolves the tsconfig conflict, lets us drop 10 per-site `biome-ignore` suppression comments that were papering over it.
2. `overrides` entry turning off `lint/suspicious/noConsole` for `packages/cli/src/commands/**`.
3. `$schema` bumped from `2.4.0` → `2.4.12` to match the installed Biome.

### Code

- `packages/embedder/src/onnx-embedder.ts` — 2 concat → template literal fixes.
- `packages/ingestion/src/pipeline/phases/profile.test.ts` — 2 concat → template literal fixes.
- Dropped 10 now-unused `// biome-ignore lint/complexity/useLiteralKeys` comments across `mcp/src/next-step-hints.ts` + test, `mcp/src/resources/repo-context.ts`, `sarif/src/enrich.ts`, `storage/src/meta.ts`. Kept the load-bearing explanatory comment in `storage/src/meta.ts` that documents *why* bracket access is required (tsconfig setting) since that's still non-obvious to readers.

## Test plan

- [x] `pnpm exec biome check .` → **0 errors / 0 warnings / 0 infos**
- [x] `pnpm -r build` clean
- [x] `pnpm -r exec tsc --noEmit` clean
- [x] `pnpm -r test` → **952 pass / 0 fail**
- [x] `bash scripts/check-banned-strings.sh` clean
- [ ] CI: all jobs green on the PR
🤖 Automated release via release-please

---

<details><summary>analysis: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>cli: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>core-types: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

</details>

<details><summary>embedder: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>ingestion: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>mcp: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>sarif: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

</details>

<details><summary>scanners: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>search: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>storage: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

### Dependencies

</details>

<details><summary>root: 0.2.0</summary>

## 0.2.0 (2026-04-23)

### Features

</details>

---

This PR was generated with Release Please. See documentation.