build(deps-dev): bump the typescript-tooling group across 1 directory with 3 updates#6
Closed
dependabot[bot] wants to merge 1 commit into
Closed
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
changed the title
Bumps the typescript-tooling group with 3 updates: [@biomejs/biome](https://github.com/biomejs/biome/tree/HEAD/packages/@biomejs/biome), [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) and [typescript](https://github.com/microsoft/TypeScript). Updates `@biomejs/biome` from 2.4.0 to 2.4.12 - [Release notes](https://github.com/biomejs/biome/releases) - [Changelog](https://github.com/biomejs/biome/blob/main/packages/@biomejs/biome/CHANGELOG.md) - [Commits](https://github.com/biomejs/biome/commits/@biomejs/biome@2.4.12/packages/@biomejs/biome) Updates `@types/node` from 20.14.0 to 25.6.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `typescript` from 5.9.3 to 6.0.3 - [Release notes](https://github.com/microsoft/TypeScript/releases) - [Commits](microsoft/TypeScript@v5.9.3...v6.0.3) --- updated-dependencies: - dependency-name: "@biomejs/biome" dependency-version: 2.4.12 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: typescript-tooling - dependency-name: "@types/node" dependency-version: 25.6.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: typescript-tooling - dependency-name: typescript dependency-version: 6.0.3 dependency-type: direct:development update-type: version-update:semver-major dependency-group: typescript-tooling ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/typescript-tooling-54c6e5fcc4
branch
from
54d4344 to
9edbdbf
Compare
7 tasks
Owner
|
Superseded by #18 (bulk dep bump). |
Contributor
Author
|
This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests. To ignore these dependencies, configure ignore rules in dependabot.yml |
theagenticguy
deleted the
dependabot/npm_and_yarn/typescript-tooling-54c6e5fcc4
branch
theagenticguy
added a commit
that referenced
this pull request
Apr 23, 2026
## Summary Sweep of every outdated direct dependency in the workspace, bringing each one to its latest version — except for two intentional holds (TypeScript 6, Zod 4) that need their own migration PRs. ## What's bumped **Safe minors + patches** (no behavior changes on our surface): | Package | From | To | |---|---|---| | `@biomejs/biome` | 2.4.0 | 2.4.12 | | `fast-xml-parser` | 5.7.0 | 5.7.1 | | `piscina` | 5.1.3 | 5.1.4 | | `envinfo` | 7.14.0 | 7.21.0 | | `lru-cache` | 11.2.2 | 11.3.5 | **Safe majors** (no source-level breakage; verified via full build + test matrix): | Package | From | To | |---|---|---| | `@apidevtools/swagger-parser` | 10.1.1 | 12.1.0 | | `@commitlint/cli` | 19.6.1 | 20.5.0 | | `@commitlint/config-conventional` | 19.6.0 | 20.5.0 | | `@types/node` | 20.14.0 | 22.19.17 (Node 22 LTS) | | `commander` | 13.1.0 | 14.0.3 | | `listr2` | 9.0.4 | 10.2.1 | | `write-file-atomic` | 6.0.0 | 7.0.1 | **Deliberately deferred** (need real migration work; track in follow-up PRs): - `typescript` 5.9.3 → 6.x — many workspace deps peer-declare `typescript@^5`; the jump needs a compatibility sweep first. - `zod` 3 → 4 — breaking changes (`.merge()` → `.extend()`, stricter coercion, different result shape) that touch the MCP + SARIF schema layers. ## License allowlist update `lru-cache` switched its declared license from `ISC` → `BlueOak-1.0.0` at 11.3.x. BlueOak-1.0.0 is an OSI-approved permissive license (explicitly designed as an MIT/ISC-class modernization with no ShareAlike / attribution friction). Added `BlueOak-1.0.0` and `0BSD` to the CI license allowlist (`.github/workflows/ci.yml`, `mise.toml`) to match what's actually in the SBOM today. `SECURITY.md` + `CONTRIBUTING.md` updated to mirror. ## Supply chain - `osv-scanner` — 0 issues on the refreshed 705-package lockfile. - `SBOM.cdx.json` regenerated from the new lockfile. - `THIRD_PARTY_LICENSES.md` regenerated (705 components). ## Drive-by fix `packages/cli/src/commands/setup.test.ts` asserted the bundled plugin manifest version was `2.0.0` (stale from the pre-launch internal versioning). Updated to `0.1.0` to match the launch version and unblock `pnpm -r test`. ## Closes Should supersede these open Dependabot PRs (will auto-close on next scan): #6, #7, #8, #9, #10, #11, #12, #13, #14, #15. ## Test plan - [x] `pnpm install` resolves cleanly - [x] `pnpm -r build` — all workspaces green - [x] `pnpm -r exec tsc --noEmit` — 0 type errors - [x] `pnpm -r test` — 1 stale-assertion fixed, remainder green - [x] `bash scripts/check-banned-strings.sh` — PASS - [x] `osv-scanner scan source --lockfile=pnpm-lock.yaml` — 0 issues - [x] `license-checker-rseidelsohn --onlyAllow '...'` — 0 violations
5 tasks
theagenticguy
added a commit
that referenced
this pull request
May 10, 2026
## Summary V1-launch readiness sweep: cherry-picks three known-good upstream bug fixes from the post-filter testbed, closes two residual smoke gaps, and deeply refreshes the v1 docs against current reality. ### Bug fixes (5 of 7 from UPSTREAM_BUGS.md) | Severity | Bug | Fix | |---|---|---| | HIGH (data corruption) | #2 — `codehub scan <path>` ingested SARIF into operator's CWD instead of the scanned repo | `c43c5aa fix(cli): scan ingests SARIF into the scanned repo, not CWD` | | HIGH (CI gate) | #3 — `scripts/smoke-mcp.sh` asserted EXPECTED_TOOLS=19; server registers 29 | `433f684 fix(repo): smoke-mcp asserts 29 tools, matching the v1.0 server` | | HIGH (CI dashboard) | #4 — `codehub bench` surfaced 9 of 17 acceptance gates (some titles also stale) | `c5f9047 fix(cli): bench dashboard surfaces all 17 acceptance gates` | | MEDIUM | #1 + #6 — `codehub doctor` false-WARN on tree-sitter / @duckdb / @LadybugDB under pnpm strict isolation; `duckdb close()` undefined on `@duckdb/node-api@1.x` | `c218c31 fix(cli): doctor resolves native bindings from owner workspaces` | | LOW (test hygiene) | #7 — `http-embedder.test.ts` cases failed when `CODEHUB_EMBEDDING_*` env was set in operator's shell | `317bdf1 fix(embedder): isolate http-embedder tests from operator env` | Bug #5 (testbed-only pytest-timeout) does not apply upstream. Bug fixes #1+#6, #2, #3 are direct cherry-picks of `def988b`, `6924b1b`, `ec66d4a` from the post-filter sibling — every changed file:line coordinate verified to match upstream HEAD before pick. ### Spec-coordinate hygiene - `fad766f` — scrub `AC-A-7` / `AC-A-10` from `scripts/m7-parity-audit.sh` header (per the durable lesson; scripts are not ADRs). - `e186aea` — restore ADR-permanent spec coordinates in `docs/adr/0013-m7-default-flip-and-abstraction.md` and `docs/adr/0014-scip-references-and-embedder-fingerprint.md` after an earlier docs-sweep commit over-scrubbed them. Per PR #74's carve-out, ADR text is the explicit place where coordinates ARE allowed. Final sweep: `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` returns zero hits. ### Docs refresh - `898192e` — README: status flipped from "v0.1.0 initial public release" to "v1 — feature-complete on M1–M7" (the prerelease caveat stays since `package.json` is still `0.1.x`); 28 → 29 MCP tools across the mermaid diagram, table heading, and mcp-package row; new "Parse runtime — WASM default" section cross-linking ADR `0013-parse-runtime-wasm-default.md`; Repository Layout regenerated against `ls packages/` (now 17 packages — adds `cobol-proleap`, `frameworks`, `pack`, `policy`, `wiki`; drops `eval` and `gym` with a sibling-testbed note); 14 → 15 GA languages (COBOL via regex provider); requirements bumped to Node 22-or-24; tool table expanded to enumerate the cross-repo federation tools and `pack_codebase`. - `69eac8f` — ADR 0011 `Proposed → Accepted`; ADR 0013-m7 `Proposed → Accepted`; sibling-ADR cross-link banner on the duplicate-0013 collision (`0013-parse-runtime-wasm-default.md` and `0013-m7-default-flip-and-abstraction.md` both landed concurrently); ADR 0014 References block swapped from `.erpaval/specs/...` (gitignored, will rot once packet graduates) to durable code-path citations. - `edb362e` — CHANGELOG `[Unreleased]` entry summarizing this PR; AGENTS.md 28 → 29 tools and a divergence banner where it intentionally drops session-local coordinates that CLAUDE.md still carries; OBJECTIVES.md tool count + language count + sibling-testbed note. ## Validation - `pnpm install --frozen-lockfile` ✅ - `mise run check` (lint + typecheck + test + banned-strings + verdict) ✅ - `pnpm -F @opencodehub/cli test` — **236/236** pass (was 235; +1 from the new `[SKIP]` parsing case in `bench.test.ts`) - `pnpm -F @opencodehub/embedder test` — 79 pass / 0 fail / 1 skipped - `bash scripts/smoke-mcp.sh` — **PASS (29 tools listed)** - `node packages/cli/dist/index.js doctor` — `tree-sitter native binding: OK`, `duckdb native binding: OK`, `graph-db native binding: FAIL` (real opt-in build status — the `@ladybugdb/core` binding is not installed on this dev box, which is what `doctor` is supposed to surface; the false-WARN this PR fixes is gone) - `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` — zero hits ## Test plan - [ ] CI green on `chore/v1-upstream-bug-sweep` - [ ] `codehub doctor` reports OK on tree-sitter + duckdb in CI matrix (Node 22 + Node 24) - [ ] `codehub scan /tmp/<fixture>` ingests into `<fixture>` not CWD (manual verification on a downstream repo) - [ ] `codehub bench` table now renders all 17 rows, none stuck on "skipped — script crashed" - [ ] License audit / banned-strings / commitlint stay green ## Out of scope - Bug #5 (testbed-only pytest-timeout). Listed for reference in UPSTREAM_BUGS.md; does not affect upstream.
theagenticguy
added a commit
that referenced
this pull request
May 10, 2026
## Summary V1-launch readiness sweep: cherry-picks three known-good upstream bug fixes from the post-filter testbed, closes two residual smoke gaps, and deeply refreshes the v1 docs against current reality. ### Bug fixes (5 of 7 from UPSTREAM_BUGS.md) | Severity | Bug | Fix | |---|---|---| | HIGH (data corruption) | #2 — `codehub scan <path>` ingested SARIF into operator's CWD instead of the scanned repo | `c43c5aa fix(cli): scan ingests SARIF into the scanned repo, not CWD` | | HIGH (CI gate) | #3 — `scripts/smoke-mcp.sh` asserted EXPECTED_TOOLS=19; server registers 29 | `433f684 fix(repo): smoke-mcp asserts 29 tools, matching the v1.0 server` | | HIGH (CI dashboard) | #4 — `codehub bench` surfaced 9 of 17 acceptance gates (some titles also stale) | `c5f9047 fix(cli): bench dashboard surfaces all 17 acceptance gates` | | MEDIUM | #1 + #6 — `codehub doctor` false-WARN on tree-sitter / @duckdb / @LadybugDB under pnpm strict isolation; `duckdb close()` undefined on `@duckdb/node-api@1.x` | `c218c31 fix(cli): doctor resolves native bindings from owner workspaces` | | LOW (test hygiene) | #7 — `http-embedder.test.ts` cases failed when `CODEHUB_EMBEDDING_*` env was set in operator's shell | `317bdf1 fix(embedder): isolate http-embedder tests from operator env` | Bug #5 (testbed-only pytest-timeout) does not apply upstream. Bug fixes #1+#6, #2, #3 are direct cherry-picks of `def988b`, `6924b1b`, `ec66d4a` from the post-filter sibling — every changed file:line coordinate verified to match upstream HEAD before pick. ### Spec-coordinate hygiene - `fad766f` — scrub `AC-A-7` / `AC-A-10` from `scripts/m7-parity-audit.sh` header (per the durable lesson; scripts are not ADRs). - `e186aea` — restore ADR-permanent spec coordinates in `docs/adr/0013-m7-default-flip-and-abstraction.md` and `docs/adr/0014-scip-references-and-embedder-fingerprint.md` after an earlier docs-sweep commit over-scrubbed them. Per PR #74's carve-out, ADR text is the explicit place where coordinates ARE allowed. Final sweep: `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` returns zero hits. ### Docs refresh - `898192e` — README: status flipped from "v0.1.0 initial public release" to "v1 — feature-complete on M1–M7" (the prerelease caveat stays since `package.json` is still `0.1.x`); 28 → 29 MCP tools across the mermaid diagram, table heading, and mcp-package row; new "Parse runtime — WASM default" section cross-linking ADR `0013-parse-runtime-wasm-default.md`; Repository Layout regenerated against `ls packages/` (now 17 packages — adds `cobol-proleap`, `frameworks`, `pack`, `policy`, `wiki`; drops `eval` and `gym` with a sibling-testbed note); 14 → 15 GA languages (COBOL via regex provider); requirements bumped to Node 22-or-24; tool table expanded to enumerate the cross-repo federation tools and `pack_codebase`. - `69eac8f` — ADR 0011 `Proposed → Accepted`; ADR 0013-m7 `Proposed → Accepted`; sibling-ADR cross-link banner on the duplicate-0013 collision (`0013-parse-runtime-wasm-default.md` and `0013-m7-default-flip-and-abstraction.md` both landed concurrently); ADR 0014 References block swapped from `.erpaval/specs/...` (gitignored, will rot once packet graduates) to durable code-path citations. - `edb362e` — CHANGELOG `[Unreleased]` entry summarizing this PR; AGENTS.md 28 → 29 tools and a divergence banner where it intentionally drops session-local coordinates that CLAUDE.md still carries; OBJECTIVES.md tool count + language count + sibling-testbed note. ## Validation - `pnpm install --frozen-lockfile` ✅ - `mise run check` (lint + typecheck + test + banned-strings + verdict) ✅ - `pnpm -F @opencodehub/cli test` — **236/236** pass (was 235; +1 from the new `[SKIP]` parsing case in `bench.test.ts`) - `pnpm -F @opencodehub/embedder test` — 79 pass / 0 fail / 1 skipped - `bash scripts/smoke-mcp.sh` — **PASS (29 tools listed)** - `node packages/cli/dist/index.js doctor` — `tree-sitter native binding: OK`, `duckdb native binding: OK`, `graph-db native binding: FAIL` (real opt-in build status — the `@ladybugdb/core` binding is not installed on this dev box, which is what `doctor` is supposed to surface; the false-WARN this PR fixes is gone) - `rg -n 'AC-[A-Z]-[0-9]' packages/ scripts/` — zero hits ## Test plan - [ ] CI green on `chore/v1-upstream-bug-sweep` - [ ] `codehub doctor` reports OK on tree-sitter + duckdb in CI matrix (Node 22 + Node 24) - [ ] `codehub scan /tmp/<fixture>` ingests into `<fixture>` not CWD (manual verification on a downstream repo) - [ ] `codehub bench` table now renders all 17 rows, none stuck on "skipped — script crashed" - [ ] License audit / banned-strings / commitlint stay green ## Out of scope - Bug #5 (testbed-only pytest-timeout). Listed for reference in UPSTREAM_BUGS.md; does not affect upstream.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the typescript-tooling group with 3 updates in the / directory: @biomejs/biome, @types/node and typescript.
Updates
@biomejs/biomefrom 2.4.0 to 2.4.12Release notes
Sourced from
@biomejs/biome's releases.... (truncated)
Changelog
Sourced from
@biomejs/biome's changelog.... (truncated)
Commits
baaacfcci: release (#9890)e0ba71dfeat: implement useIframeSandbox (#9949)2cff700feat(lint/js): adduseVarsOnTop(#9861)27dd7b1feat(react/js): add noComponentHookFactories (#9916)0d0e611feat(js_analyze): implement useReactAsyncServerFunction (#9909)f1c1363feat(lint/js): adduseStringStartsEndsWith(#9796)d417803feat(js_analyze): implement noJsxNamespace (#9913)9701a33feat(lint/js): addnoIdenticalTestTitle(#9376)c499f46feat(lint): implement useReduceTypeParameter nursery rule (#9577)40bd180feat(lint/js): addnoExcessiveSelectorClasses(#9866)Updates
@types/nodefrom 20.14.0 to 25.6.0Commits
Updates
typescriptfrom 5.9.3 to 6.0.3Release notes
Sourced from typescript's releases.
Commits
050880cBump version to 6.0.3 and LKGeeae9dd🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...ad1c695🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)0725fb4🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...607a22aBump version to 6.0.2 and LKG9e72ab7🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...35ff23d🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...e175b69Bump version to 6.0.1-rc and LKGaf4caacUpdate LKG8efd7e8Merge remote-tracking branch 'origin/main' into release-6.0