chore(deps-dev): bump typescript from 5.9.3 to 6.0.3#33

Merged
Musiker15 merged 1 commit into main from dependabot/npm_and_yarn/typescript-6.0.3 on May 25, 2026
Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 25, 2026

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps typescript from 5.9.3 to 6.0.3.

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • 607a22a Bump version to 6.0.2 and LKG
  • 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
  • 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
  • e175b69 Bump version to 6.0.1-rc and LKG
  • af4caac Update LKG
  • 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
  • Additional commits viewable in compare view

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 25, 2026

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@Musiker15
Member

@dependabot rebase

1 similar comment
@Musiker15
Member

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/typescript-6.0.3 branch from a698272 to 132219c Compare May 25, 2026 12:30
Musiker15 added a commit that referenced this pull request May 25, 2026
…ive epochs (#37)

Two issues with the original clock-drift cases from #35:

1. `past = Math.floor(Date.now() / 1000) - 31` (and -90) is wall-clock
   dependent. When `Date.now()/1000 mod 30` happened to be 0 or 1, the
   `floor()` jumped two 30-s steps back instead of one, putting the
   token outside our ±30 s epochTolerance and flipping the assertion.
   ~3 % flake rate, hit both PR #32 and #33 on the same rebase.

2. The first attempt at a fix used a fake clock at second 15 with
   `epoch: -15`. otplib v13 has a new `TimeNegativeError` guardrail
   that rejects sub-zero epochs (visible in @otplib/core's `Ar`
   helper). The fix broke both tests deterministically.

This version:
- Locks `Date.now()` to Unix second 1000 (= step 33, second 10 within
  the step) — far from any boundary AND well above zero.
- Uses positive epoch offsets (`1000 - 30`, `1000 - 90`) so otplib's
  guardrail accepts them.
- Adds `afterEach(() => vi.useRealTimers())` so leakage into later
  tests is impossible.

10/10 local runs pass cleanly.

Signed-off-by: Musiker15 <info@musiker15.de>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
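The step-boundary arithmetic behind the flake in the commit message above, as an added example that is not the repository's test code. It assumes the standard 30 s TOTP step and a ±1-step (±30 s) tolerance, and uses constructed timestamps (3000 is a step boundary; 1000 is the fixed clock the commit chose).

```typescript
// Added example: models why `floor(now) - 31` lands one or two TOTP steps back
// depending on where `now` sits inside its 30-second step.
const STEP_SECONDS = 30;
const EPOCH_TOLERANCE_STEPS = 1; // ±30 s, as assumed from the commit message

// TOTP time-step counter for an integer Unix-second timestamp.
function totpStep(unixSeconds: number): number {
  return Math.floor(unixSeconds / STEP_SECONDS);
}

// How many steps back does `now - offsetSeconds` land, relative to `now`?
function stepsBack(now: number, offsetSeconds: number): number {
  return totpStep(now) - totpStep(now - offsetSeconds);
}

// Would a token minted at `tokenTime` still verify at `now` under the tolerance?
function withinTolerance(now: number, tokenTime: number): boolean {
  return Math.abs(totpStep(now) - totpStep(tokenTime)) <= EPOCH_TOLERANCE_STEPS;
}

// Sweep every second within one step (constructed boundary at 3000 = step 100)
// and return the seconds at which a token `offsetSeconds` old would be rejected.
function flakySecondsInStep(offsetSeconds: number): number[] {
  const flaky: number[] = [];
  for (let s = 0; s < STEP_SECONDS; s++) {
    const now = 3000 + s;
    if (!withinTolerance(now, now - offsetSeconds)) flaky.push(s);
  }
  return flaky;
}

// The commit's fix: pin the clock to second 1000 (step 33, 10 s into the step)
// and use positive epochs 970 (one step back) and 910 (three steps back).
function fixedClockCases(): { accepted: boolean; rejected: boolean } {
  return { accepted: withinTolerance(1000, 1000 - 30), rejected: !withinTolerance(1000, 1000 - 90) };
}
```

Running the sweep shows the wall-clock dependence directly: at a step boundary the 31-second-old token is two steps back and fails, ten seconds into the step it is one step back and passes, while the pinned-clock cases are deterministic.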
@Musiker15
Member

@dependabot rebase

Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/typescript-6.0.3 branch from 132219c to 877b919 Compare May 25, 2026 12:46
@Musiker15
Member

@dependabot rebase

@Musiker15 Musiker15 merged commit cb23ddc into main May 25, 2026
8 checks passed
@Musiker15 Musiker15 deleted the dependabot/npm_and_yarn/typescript-6.0.3 branch May 25, 2026 12:49
Musiker15 added a commit that referenced this pull request May 29, 2026
…API, correct overstated docs

Phase A of the gaps backlog (#43, #44, #45, #51): additive cleanup + doc truth,
no runtime behaviour change.

- Remove unused deps never imported in src/: @tanstack/react-query, bullmq,
  iron-session, socket.io(+client). Delete the never-wired tests/msw skeleton
  and drop msw from devDependencies.
- CLAUDE.md sections 2/6: correct tech-stack to reality (self-written auth not
  Auth.js, native ws not socket.io, in-process schedulers not BullMQ, libsodium
  crypto_pwhash not argon2-browser, fetch+Zustand not TanStack Query).
- OpenAPI -> v0.6.0: document the previously-missing Milestones, Automation and
  account/auth-settings routes; fix the wrong route count (~70 handlers).
- Clarify /api/auth/2fa/verify is not a standalone endpoint (verification runs
  inside /api/auth/login).
- threat-model.md + CLAUDE.md truth pass: exponential backoff is prepared but
  unwired (#27); safe-regex (#30) / HIBP (#29) / login-notification emails (#32)
  are planned-not-built; Markdown is escaped plaintext (no render -> no DOMPurify
  sink yet, #33); offline is read-only + description drafts (no Workbox/write
  sync-queue, #38); live cursors sit behind a default-off flag (ADR 0011);
  style-src still uses unsafe-inline; Apache must set no Content-Security-Policy.

Typecheck, ESLint and the 193-test suite all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Musiker15 added a commit that referenced this pull request May 29, 2026
…_* env (Phase B/2)

Phase B, part 2 — #28.

- New `enforceUserApiLimit(userId)` in lib/ratelimit: a per-user sliding
  window (RATE_LIMIT_API_PER_MIN, default raised 120 -> 600/min ≈ 10 req/s).
  Called by `requireSession()`, the choke point every authenticated route
  already passes through, so a single account can't hammer the whole API.
  It FAILS OPEN on a Redis error (logs + allows) — the limiter sits in the
  hot path of every authenticated request and must never lock users out on
  a cache blip. Returns 429 + Retry-After when tripped.
- The previously-declared-but-unused RATE_LIMIT_* env vars are now read:
  RATE_LIMIT_AUTH_PER_MIN drives the login per-IP budget (replacing the
  hardcoded AUTH_POLICY.authAttemptsPerWindow, now removed), and
  RATE_LIMIT_API_PER_MIN drives the per-user limiter. .env.example bumped to
  600 to match the safe default.

Docs: threat-model.md DoS row + CLAUDE.md §3.4 updated; while there I made
two adjacent §3.4 claims honest too — Markdown is not rendered yet (no
DOMPurify sink; #33) and upload validation ships with attachments (#37).
CHANGELOG Security entry added. Typecheck, ESLint, 193 tests all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
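The per-user sliding window with fail-open behaviour described in this commit message, as an added example that is not the project's `lib/ratelimit` code. It assumes a minimal store interface standing in for Redis (an in-memory map, plus a store that throws to simulate a cache blip); the key format, `WINDOW_MS` and the limits are constructed.

```typescript
// Added example: per-user sliding-window limiter that fails open on store errors.
interface WindowStore {
  get(key: string): number[];           // stored request timestamps (ms); may throw
  set(key: string, value: number[]): void;
}

// Stand-in for Redis so the example runs offline.
class MemoryStore implements WindowStore {
  private data = new Map<string, number[]>();
  get(key: string): number[] { return this.data.get(key) ?? []; }
  set(key: string, value: number[]): void { this.data.set(key, value); }
}

// Simulates a Redis outage: every call throws.
class BrokenStore implements WindowStore {
  get(): number[] { throw new Error("ECONNREFUSED (simulated Redis outage)"); }
  set(): void { throw new Error("ECONNREFUSED (simulated Redis outage)"); }
}

interface LimitResult { allowed: boolean; retryAfterSeconds?: number; degraded?: boolean }

const WINDOW_MS = 60_000; // one-minute sliding window (constructed)

function enforceUserApiLimit(
  store: WindowStore, userId: string, limitPerMin: number, nowMs: number,
  log: (msg: string) => void = () => {},
): LimitResult {
  const key = `ratelimit:api:user:${userId}`; // hypothetical key format
  try {
    const cutoff = nowMs - WINDOW_MS;
    const recent = store.get(key).filter((t) => t > cutoff); // drop expired hits
    if (recent.length >= limitPerMin) {
      // Oldest hit in the window decides when a slot frees up -> Retry-After.
      const retryAfterSeconds = Math.ceil((recent[0] + WINDOW_MS - nowMs) / 1000);
      return { allowed: false, retryAfterSeconds };
    }
    recent.push(nowMs);
    store.set(key, recent);
    return { allowed: true };
  } catch (err) {
    // Fail open: log and allow, so a cache blip never locks users out.
    log(`rate limiter degraded for ${userId}: ${(err as Error).message}`);
    return { allowed: true, degraded: true };
  }
}

// Maps the result onto the HTTP status the route should return.
function toHttpStatus(result: LimitResult): number { return result.allowed ? 200 : 429; }
```

While `degraded` is set the limiter provides no protection at all, so the log line it emits is worth alerting on rather than only recording.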
Musiker15 added a commit that referenced this pull request May 29, 2026
… C/2, #33)

Card descriptions and comments now render Markdown instead of showing raw
source — closing the long-standing gap where content was typed as Markdown
but displayed as escaped plaintext (and the matching "DOMPurify on every
render" threat-model claim that had no sink).

- New src/components/shared/markdown.tsx: react-markdown (no rehype-raw, so
  raw HTML is inert text) + rehype-sanitize (GitHub allowlist; strips
  dangerous nodes/attributes and javascript: URLs). Rendering is client-side
  on already-decrypted content — HTML never reaches the server. Links open in
  a new tab with rel="noopener noreferrer".
- Comments render through it; the description gets a Write/Preview toggle
  (textarea ⇆ rendered preview) in the non-live-cursors path.
- Scoped .mskanban-prose styles in globals.css restore list/heading
  formatting that Tailwind preflight strips.
- New deps: react-markdown, remark-gfm, rehype-sanitize.
- vitest include now matches tests/unit/**/*.tsx so component tests run.
- XSS coverage: tests/unit/markdown.test.tsx (script / onerror / javascript:
  payloads are all neutralised; links get target+rel).

Docs: threat-model XSS row + CLAUDE.md §2/§3.4 updated. Typecheck, ESLint and
the suite (207 tests, +3) all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>