chore(deps): comprehensive workspace dep update sweep#23
Merged
Workspace-wide dependency update sweep across root + action + worker. Clears all 6 pnpm audit advisories (was 2 high / 4 moderate).

| Workspace | Package | From | To |
|-----------|---------|------|----|
| root | @vitest/coverage-v8 | ^4.1.2 | ^4.1.6 |
| root | tsx | ^4.21.0 | ^4.22.2 |
| root | zod | ^4.3.6 | ^4.4.3 |
| root | pnpm.overrides undici | — | <6.24.0 → ^6.24.0 |
| root | pnpm.overrides ws | — | <8.20.1 → ^8.20.1 |
| action | @types/node | ^25.5.0 | ^25.9.0 |
| action | esbuild | ^0.25.0 | ^0.25.12 |
| action | typescript | ^5.8.0 | ^5.9.3 |
| worker | @cloudflare/workers-types | ^4.20260329.1 | ^4.20260518.1 |
| worker | @cloudflare/vitest-pool-workers | ^0.13.5 | 0.13.5 (PIN) |
| worker | @playwright/test | ^1.59.1 | ^1.60.0 |
| worker | @types/node | ^25.6.0 | ^25.9.0 |
| worker | prettier | ^3.8.1 | ^3.8.3 |
| worker | vitest | ^4.1.2 | ^4.1.6 |
| worker | wrangler | ^4.78.0 | ^4.92.0 |
| worker | zod | ^3.25.0 | ^4.4.3 |
| worker | oslo | ^1.2.1 | REMOVED |

Notable:
- wrangler 4.78 → 4.92: aligns with notme.bot PR #2 baseline; Node 22 runtime
- zod 3 → 4 in worker: only one file (gha-oidc.ts) uses zod; uses safeParse + .error.message, which are stable across v3/v4. Aligns with root manifest (was already ^4.3.6 there).
- oslo removed: deprecated meta-package; zero imports in src/. Worker already uses the successor @oslojs/crypto + @oslojs/encoding directly.
- @cloudflare/vitest-pool-workers pinned to exact 0.13.5 (no caret): per rosary-8ae6ab, 0.13.5 has the CF API 10375 issue; we don't yet know if 0.14+ fixes it. Pin makes the constraint explicit.
- pnpm.overrides force undici ≥ 6.24.0 and ws ≥ 8.20.1: clears all 5 undici advisories (transitive via @actions/http-client v2) and the ws advisory (transitive via miniflare). Avoids taking the @actions/* major bumps (4.0 is ESM-only; separate refactor).

Deferred (need code change or evidence; separate beads):
- @actions/core 1 → 3 / @actions/http-client 2 → 4: ESM-only migration; action is currently bundled via esbuild, but the ESM-only constraint is a real refactor. Advisories handled via pnpm.overrides instead.
- @peculiar/x509 1 → 2: security-sensitive cert API surface; cert-authority.ts + signing-authority.ts need careful review of v2's extension/generator API.
- typescript 5 → 6 (action): major TS bump warrants its own pass across the workspace, not bundled in deps sweep.
- esbuild 0.25 → 0.28 (action): 0.x bumps frequently change defaults; aligned worker is already at 0.28; leaving action at 0.25 line for now to avoid bundling-flag drift.

Test status:
- worker: 425 passed | 6 todo (28 files); matches baseline
- task worker:check: typecheck + tests both green
- task schema:check: green
- action: pnpm build green, dist/index.js rebuilt and node --check clean
- pnpm audit: 0 advisories (was 2 high / 4 moderate)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…y::collapsible_match)
The outer 'contains("..")' check was strictly redundant — the inner
's == ".."' check (the only one that returned) implies it. Collapse
the pair into a match guard. No behavior change; UDS paths containing
'..' as a substring (e.g. 'foo..bar.sock') are still permitted, only
exact '..' components reject.
CI for the whole repo couldn't pass while this lint was hot under
-D warnings. Unblocks PRs #20/#21/#22 once #23 merges and they rebase.
Summary
Workspace-wide dep update sweep across root + action + worker. Clears all 6 `pnpm audit` advisories (was 2 high / 4 moderate, all from transitive `undici`/`ws`). Companion to the AIO consolidation work. notme.bot will inherit these deps after the B.1 lift; wrangler line aligned with notme.bot PR #2 (4.78 → 4.92).
Bumps taken

| Workspace | Package | From | To |
|-----------|---------|------|----|
| root | `@vitest/coverage-v8` | ^4.1.2 | ^4.1.6 |
| root | `tsx` | ^4.21.0 | ^4.22.2 |
| root | `zod` | ^4.3.6 | ^4.4.3 |
| root | `pnpm.overrides` `undici` | — | <6.24.0 → ^6.24.0 |
| root | `pnpm.overrides` `ws` | — | <8.20.1 → ^8.20.1 |
| action | `@types/node` | ^25.5.0 | ^25.9.0 |
| action | `esbuild` | ^0.25.0 | ^0.25.12 |
| action | `typescript` | ^5.8.0 | ^5.9.3 |
| worker | `@cloudflare/workers-types` | ^4.20260329.1 | ^4.20260518.1 |
| worker | `@cloudflare/vitest-pool-workers` | ^0.13.5 | 0.13.5 (PIN) |
| worker | `@playwright/test` | ^1.59.1 | ^1.60.0 |
| worker | `@types/node` | ^25.6.0 | ^25.9.0 |
| worker | `prettier` | ^3.8.1 | ^3.8.3 |
| worker | `vitest` | ^4.1.2 | ^4.1.6 |
| worker | `wrangler` | ^4.78.0 | ^4.92.0 |
| worker | `zod` | ^3.25.0 | ^4.4.3 |
| worker | `oslo` | ^1.2.1 | REMOVED |

Notable
- zod 3 → 4 in worker: only one file (src/gha-oidc.ts) uses zod; it uses `safeParse` + `.error.message`, both stable across v3/v4. Root manifest was already on `^4.3.6`; this aligns worker with root and avoids two zod copies in the lockfile.
- `oslo` removed: deprecated meta-package, zero imports under `worker/src/`. Worker already uses successor `@oslojs/crypto` + `@oslojs/encoding` directly.
- `@cloudflare/vitest-pool-workers` pinned to exact `0.13.5` (no caret): per rosary-8ae6ab, `0.13.5` has the CF API 10375 issue but newer versions might too; pin makes the constraint explicit and prevents accidental lockfile drift.
- `pnpm.overrides` for `undici`/`ws`: clears all 5 `undici` advisories (transitive via `@actions/http-client@2`) and the `ws` advisory (transitive via `miniflare`). Lets us hold off on the `@actions/*` ESM-only majors.

Deferred (need code change or evidence; separate beads)
- `@actions/core 1 → 3` / `@actions/http-client 2 → 4`: both are ESM-only in their majors. Action is currently bundled by esbuild (which CAN consume ESM-only deps and emit a CJS bundle), but the migration warrants a focused PR with a smoke test on a real workflow run. Advisories handled via `pnpm.overrides` for now.
- `@peculiar/x509 1 → 2`: security-sensitive. `cert-authority.ts` + `signing-authority.ts` use `X509CertificateGenerator` + extension classes; v2's API surface needs careful review against our cert format.
- `typescript 5 → 6` (action only): major TS bump warrants its own pass across the workspace, not bundled in deps sweep.
- `esbuild 0.25 → 0.28` (action): 0.x bumps frequently change defaults; worker is already at 0.28 line but keeping action at 0.25 to avoid bundling-flag drift in one PR.

Test plan
- `pnpm install -r`: clean
- `pnpm audit`: 0 advisories (was 2 high / 4 moderate)
- `cd worker && pnpm test`: 425 passed | 6 todo (28 files); matches baseline
- `task worker:check`: typecheck + tests green
- `task schema:check`: green
- `cd action && pnpm build`: green; `dist/index.js` rebuilt + `node --check` clean

Files
- `package.json` (root): bumps + new `pnpm.overrides`
- `action/package.json`: devDep bumps
- `worker/package.json`: devDep + prod-dep bumps; `oslo` removed; zod major
- `pnpm-lock.yaml`: regenerated
- `action/dist/index.js`: rebuilt (GHA action ships pre-bundled JS; required so the deployed action picks up the bumped deps)

🤖 Generated with Claude Code
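The `pnpm.overrides` entries above only steer the resolver; the advisories clear only once `pnpm-lock.yaml` is regenerated so that every transitive copy of `undici` and `ws` resolves inside the overridden range. As an added example (not code from this PR or the repository), here is a TypeScript check that reads the lockfile text and reports any resolved version that escapes the override. The two override ranges mirror the PR; the lockfile excerpts, the pre-override versions (`undici@5.28.4`, `ws@8.18.0`), the integrity strings and all function names are constructed for this example.

```typescript
// Added example, not the project's code: confirm that the root-level
// pnpm.overrides from this PR actually took effect in the regenerated
// lockfile. An override only steers the resolver; until pnpm-lock.yaml is
// regenerated, transitive deps keep resolving to the advisory-bearing
// version and `pnpm audit` keeps reporting it. This reads the lockfile
// text directly, so it can run as a CI gate next to `pnpm audit`.

type Overrides = Record<string, string>;

export interface OverrideViolation {
  name: string;
  range: string;
  resolved: string;
}

// Caret range "^M.m.p" means >= M.m.p and < (M+1).0.0 for M > 0.
// Pre-release tags are not handled; undici and ws publish plain versions.
export function satisfiesCaret(range: string, version: string): boolean {
  if (!range.startsWith("^")) {
    throw new Error(`only caret ranges are supported: ${range}`);
  }
  const parse = (v: string): number[] => v.split(".").map(Number);
  const [minMaj, minMin, minPat] = parse(range.slice(1));
  const [maj, min, pat] = parse(version);
  if ([minMaj, minMin, minPat, maj, min, pat].some((n) => !Number.isInteger(n))) {
    throw new Error(`malformed version or range: ${range} / ${version}`);
  }
  if (maj !== minMaj) return false;
  if (min !== minMin) return min > minMin;
  return pat >= minPat;
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// pnpm-lock.yaml (lockfileVersion 9) lists each resolved package as a
// two-space-indented key: `  undici@6.24.0:`, `  ws@8.18.0(bufferutil@4.0.8):`,
// or quoted for scoped names: `  '@actions/http-client@2.2.3':`. The same
// key appears under both `packages:` and `snapshots:`, hence the dedupe.
export function resolvedVersions(lock: string, name: string): string[] {
  const re = new RegExp(`^  '?${escapeRegExp(name)}@([0-9][^'(:\\s]*)`, "gm");
  const found = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = re.exec(lock)) !== null) found.add(m[1]);
  return Array.from(found);
}

// Every resolved copy of an overridden package must satisfy its range.
// A package absent from the graph is not a violation.
export function checkOverrides(lock: string, overrides: Overrides): OverrideViolation[] {
  const violations: OverrideViolation[] = [];
  for (const [name, range] of Object.entries(overrides)) {
    for (const resolved of resolvedVersions(lock, name)) {
      if (!satisfiesCaret(range, resolved)) violations.push({ name, range, resolved });
    }
  }
  return violations;
}

// The two overrides added to the root package.json in this PR.
export const OVERRIDES: Overrides = { undici: "^6.24.0", ws: "^8.20.1" };

// Constructed lockfile excerpts for illustration. The pre-override
// versions and the integrity strings are invented, not copied from the repo.
export const LOCK_BEFORE = `lockfileVersion: '9.0'
packages:
  '@actions/http-client@2.2.3':
    resolution: {integrity: sha512-CONSTRUCTED}
  miniflare@4.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  undici@5.28.4:
    resolution: {integrity: sha512-CONSTRUCTED}
  ws@8.18.0(bufferutil@4.0.8):
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  undici@5.28.4: {}
  ws@8.18.0(bufferutil@4.0.8): {}
`;

// Same graph after a regenerated lockfile picks up the overrides.
export const LOCK_AFTER = LOCK_BEFORE.replace(/undici@5\.28\.4/g, "undici@6.24.0")
  .replace(/ws@8\.18\.0/g, "ws@8.20.1");

// Stand-alone run: print what a CI step would fail on.
const cases: Array<[string, string]> = [["before", LOCK_BEFORE], ["after", LOCK_AFTER]];
for (const [label, lock] of cases) {
  const v = checkOverrides(lock, OVERRIDES);
  console.log(label, v.length === 0 ? "ok" : v);
}
```

Run it with `tsx` against the real `pnpm-lock.yaml` by swapping the constructed strings for `fs.readFileSync`. It catches a stale lockfile before `pnpm install`; `pnpm audit` stays the authoritative advisory check, and a caret override like `^6.24.0` also flags a future `undici@7.x` resolution, which is the intended "explicit range" behaviour rather than a bug.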