build(deps): consolidate 15 open Dependabot updates into one lockfile refresh (#55)
Merged
… refresh

All 15 open Dependabot PRs are transitive (package-lock.json only) bumps. Rather than merge them as 15 cascading rebases, fold them into a single scoped `npm update` of exactly those packages, regenerating one coherent lockfile.

- npm audit: 68 -> 45 (critical 7->6, high 23->10, moderate 36->28, low 2->1)
- Validated on Node 18 (pinned): `npm run compile` and `npm run prod:build` both pass.
- package-lock.json only; no package.json / source changes.

Supersedes #34 #35 #36 #40 #41 #43 #44 #45 #46 #47 #48 #49 #50 #51 #52.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jun 4, 2026 (Closed)
mmcky added a commit that referenced this pull request on Jun 4, 2026:
Copilot consistency fixes:
- Clarify the execution split: `gh` pushes the vX.Y.Z tag; the tag-triggered workflow creates the GitHub Release and uploads the zip asset.
- Use the full `archive/refs/heads/main.zip` path.
- "nothing points at the theme" -> "only lecture-wasm points at the theme".

Refresh now-stale items (since #55-59 merged):
- 2.0.0 scope now reflects @myst-theme 1.3.0 + Node 24 + consolidated dependency/security updates (all merged to main).
- Mark the Dependabot triage done (consolidated via #55-58; audit 68->45).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
mmcky added a commit that referenced this pull request on Jun 4, 2026:
* docs(plan): rewrite Phase 0 as release/distribution modernisation

  Reframe Phase 0 from "deploy hygiene" to modernising the theme's release and distribution setup, based on how the theme is actually consumed (a direct GitHub zip URL in each lecture's myst.yml).

  - Decision: collapse the two-repo source/build split into a single repo distributing versioned GitHub Release zips, with rationale from upstream (jupyter-book/myst-theme is a monorepo + named registry — neither applies here — and is itself moving to release-zip assets per myst-enhancement-proposals#34).
  - Target architecture: rename to quantecon-theme.mystmd (matching the org's project.tool suffix style, e.g. QuantEcon.py/.jl, Bookshelf.theme); vX.Y.Z tag + GitHub Release + theme zip per version; lectures pin a direct zip URL. Caveat captured: no template registry / myst-cli resolution needed — direct GitHub links only.
  - Task groups: repo consolidation & rename, release pipeline (adapted from upstream theme-assets.yml), versioning & changelog (folds in the tagging task that resolves the CHANGELOG footer-link issue), cut 1.2.0 as the first release on the new flow, and carried-over hygiene.
  - Records open decisions (Changesets vs manual, pinned vs rolling consumer URL, 1.2.0 sequencing) and updated Effort/Risk/Deps.

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs(plan): add Phase 0 consumer-migration checklist

  Replace the vague "~no lecture references the theme" note with the concrete finding from an org-wide search: the theme has exactly one current consumer, lecture-wasm.

  - Add a "Consumer migration" checklist: repoint lecture-wasm's site.template to the new pinned release URL, with explicit ordering (pipeline -> publish v1.2.0 -> repoint consumer -> archive old build repo) so the live consumer never breaks.
  - Note the flagship lecture repos are still on the Sphinx quantecon-book-theme and get repointed per-repo as they cut over to MyST/JB>=2, not in this phase.
  - Note workflow-backups only carries a repo-name glob (no action).

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs(plan): record resolved Phase 0 decisions

  Convert the Phase 0 "open decisions" into resolved ones now that they are agreed:

  - Versioning: drop Changesets, use a manual Keep a Changelog + git tags (single non-npm artifact + small team; matches other QuantEcon repos). Documenting the bump -> changelog -> tag flow in CONTRIBUTING.md is a task under "Versioning & changelog".
  - Consumer URL: pinned per-lecture tag URLs.
  - 1.2.0: quick `make deploy` now to unstick v1.1.1, then re-release via the new pipeline.
  - Execution split: maintainer renames/archives the repos; tags and GitHub Releases via gh; all code/workflow/docs as PRs first.

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: bump proposed release 1.2.0 -> 2.0.0 (major)

  Treat the @myst-theme 0.14 -> 1.x upgrade as a major release: it carries backwards-incompatible changes for consumers (v1.0.0's new notebook output-node AST; raised runtime requirement Node >=14 -> >=18).

  - CHANGELOG [Unreleased]: propose 2.0.0 with the SemVer rationale.
  - PLAN Phase 0: update all 1.2.0 references to 2.0.0.

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs(plan): address Copilot review on #54 + refresh stale Phase 0 items

  Copilot consistency fixes:
  - Clarify the execution split: `gh` pushes the vX.Y.Z tag; the tag-triggered workflow creates the GitHub Release and uploads the zip asset.
  - Use the full `archive/refs/heads/main.zip` path.
  - "nothing points at the theme" -> "only lecture-wasm points at the theme".

  Refresh now-stale items (since #55-59 merged):
  - 2.0.0 scope now reflects @myst-theme 1.3.0 + Node 24 + consolidated dependency/security updates (all merged to main).
  - Mark the Dependabot triage done (consolidated via #55-58; audit 68->45).

  Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Consolidates all 15 open Dependabot PRs into a single lockfile refresh — reviewable/mergeable as one instead of 15 cascading rebases. All are transitive (lockfile-only) bumps, applied via a scoped `npm update` of exactly those packages on Node 18.

Security impact: `npm audit` 68 → 45 (critical 7→6, high 23→10, moderate 36→28, low 2→1).

Validation (Node 18, the pinned version): `npm run compile` ✅ · `npm run prod:build` ✅. Only `package-lock.json` changes.

Key bumps landed (target met or exceeded): picomatch 2.3.2 (ReDoS fix), dompurify 3.4.8, mermaid 11.15.0, qs 6.15.2, express 4.22.2, terser-webpack-plugin 5.6.1, tmp 0.2.7, flatted 3.4.2, lodash 4.18.1.

Supersedes: #34 #35 #36 #40 #41 #43 #44 #45 #46 #47 #48 #49 #50 #51 #52 — these will auto-close once this merges (their targets are satisfied on `main`).

Remaining `npm audit` findings are mostly the React Router/Remix XSS class that needs the Remix v2 migration (#28).

🤖 Generated with Claude Code