chore(deps): drop Java + npm Dependabot sections; add gomod #154

Merged: aksOps merged 1 commit into main from chore/dependabot-drop-java-era on May 13, 2026

aksOps commented May 13, 2026

Summary

`.github/dependabot.yml` still configures three ecosystems from the Java era — `maven` at `/`, `npm` at `/src/main/frontend` — but Phase 6 cutover (#132) deleted both `pom.xml` and `src/main/frontend/`. Those Dependabot jobs have been silently failing each weekly run and producing dead `dependabot/maven/` and `dependabot/npm_and_yarn/` PRs (now also cleaned up on origin).

Worse: there's no `gomod` config, so the actual Go dependencies have had no Dependabot coverage since the cutover. The MCP SDK, Kuzu binding, tree-sitter wrapper etc. could ship CVEs and we wouldn't be paged.

Changes

Test plan

  • YAML parses (`python3 -c "import yaml; yaml.safe_load(open(...))"`)
  • After merge: next Dependabot run produces clean `gomod` PRs (if any pending updates)

🤖 Generated with Claude Code

The Spring Boot / React SPA was removed at the Phase 6 cutover (#132),
but the Dependabot config still listed maven (/) and npm (/src/main/
frontend) ecosystems. Those directories no longer exist; the maven /
npm jobs have been silently failing on each run and producing the
stale `dependabot/maven/*` and `dependabot/npm_and_yarn/*` PRs that
have been accumulating on origin.

Replaces:
- maven (`/`)                 — gone with the Java app
- npm (`/src/main/frontend`)  — gone with the React SPA

Adds:
- gomod (`/go`)               — the actual Go module
  + groups: kuzu, tree-sitter, mcp, cobra-viper, sqlite, test-libs

Preserves the github-actions ecosystem (PR #115 lives there).

Also removes stale `ci-java.yml / PR #131` reference from the go-ci
header comment — both are pre-Go-cutover history.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
aksOps merged commit 2263146 into main May 13, 2026
13 checks passed
aksOps deleted the chore/dependabot-drop-java-era branch May 13, 2026 17:08
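
An added example (not part of this PR or the project's code): a check for the two failure modes described above, Dependabot entries whose manifest no longer exists and manifests on disk with no Dependabot entry. The `audit_dependabot` and `demo` names, the manifest table, the `github-actions` directory and the temporary repo layout are assumptions constructed for illustration; `config` is the dict that `yaml.safe_load` returns for `.github/dependabot.yml`, and only the singular `directory` key is handled.

```python
import tempfile
from pathlib import Path

# Manifest each ecosystem needs in its configured directory. Limited to the
# ecosystems named in this PR (assumption); github-actions is not checked.
MANIFESTS = {"maven": "pom.xml", "npm": "package.json", "gomod": "go.mod"}
SKIP_DIRS = {"node_modules", "vendor", ".git"}


def audit_dependabot(config, repo_root):
    """Return (stale, uncovered) lists of (ecosystem, directory) pairs."""
    root = Path(repo_root)
    configured = set()
    for update in config.get("updates", []):
        directory = "/" + update.get("directory", "/").strip("/")
        configured.add((update["package-ecosystem"], directory))
    # Stale: configured entry, but the manifest it would scan is gone.
    stale = sorted(
        (eco, d) for eco, d in configured
        if eco in MANIFESTS
        and not (root / d.lstrip("/") / MANIFESTS[eco]).is_file()
    )
    # Uncovered: manifest exists on disk, but no entry points at it.
    found = set()
    for eco, manifest in MANIFESTS.items():
        for path in root.rglob(manifest):
            if SKIP_DIRS & set(path.parts):
                continue
            rel = path.parent.relative_to(root).as_posix()
            found.add((eco, "/" if rel == "." else "/" + rel))
    return stale, sorted(found - configured)


def demo():
    # Constructed configs mirroring the before/after state this PR describes.
    before = {"version": 2, "updates": [
        {"package-ecosystem": "maven", "directory": "/"},
        {"package-ecosystem": "npm", "directory": "/src/main/frontend"},
        {"package-ecosystem": "github-actions", "directory": "/"},
    ]}
    after = {"version": 2, "updates": [
        {"package-ecosystem": "gomod", "directory": "/go"},
        {"package-ecosystem": "github-actions", "directory": "/"},
    ]}
    with tempfile.TemporaryDirectory() as tmp:  # constructed repo layout
        (Path(tmp) / "go").mkdir()
        (Path(tmp) / "go" / "go.mod").write_text("module example.invalid/m\n")
        return audit_dependabot(before, tmp), audit_dependabot(after, tmp)
```

Run in CI against the checked-out repository, a non-empty `stale` or `uncovered` list can fail the build, so a deleted manifest or a new module without Dependabot coverage is caught at review time.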
aksOps added a commit that referenced this pull request May 14, 2026
Stale doc references after Phase 6 (Java deletion, #132) and the Kuzu
0.7.1 → 0.11.3 bump (#155 + #159).

- CLAUDE.md / PROJECT_SUMMARY.md: bump Kuzu 0.7.1 → 0.11.3,
  go-sqlite3 1.14.22 → 1.14.44, cobra to 1.10.2; note native FTS.
- AGENTS.md: rewrite "What this repo is" (no more "REST API");
  flip `mvn -B -ntp clean verify` → `go test ./...`; clarify that
  REST + React SPA were deleted in Phase 6 and won't return.
- SECURITY.md: rewrite scope. Drop the dead JAR / serve / REST API /
  React UI / H2 / Neo4j Embedded references. New in-scope list covers
  every codeiq subcommand, the 10 MCP tools (with `run_cypher` mutation
  gate called out), `.codeiq/cache/` (SQLite) + `.codeiq/graph/`
  (Kuzu), and `read_file` path sandboxing. Add the security CI
  workflows (CodeQL, Semgrep, OSV-Scanner, Trivy, Gitleaks, SBOM,
  Socket Security) + perf-gate to the hardening references.
- CHANGELOG.md: populate [Unreleased] with the OOM-fix saga
  (PRs #145-#148), the five correctness fixes (#149-#153), the
  Kuzu 0.7.1 → 0.11.3 bump (#155-#158), the FTS migration (#159),
  the Dependabot config rewrite (#154), and the enrich CLI knobs.

No code changes.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>