1.0.2

[brianvarskonst]

Workflows 1.0.2

Patch release for repository health and security maintenance on the stable v1 line.

This release does not change callable workflow behavior, inputs, permissions, security defaults, or consumer runtime behavior.

Security

• Forced markdown-it to 14.2.0 via npm overrides to resolve the Dependabot advisory for quadratic smartquotes parsing in vulnerable markdown-it releases.
• Forced js-yaml to 4.2.0 so the repository audit remains clean while markdownlint-cli2 keeps exact transitive dependency pins.
• Refreshed package-lock.json with the patched dependency graph.

Changes

• Fixed the README CodeQL badge so it points at the active workflow.
• Confirmed the repository dependency audit reports zero moderate-or-higher vulnerabilities.

Compatibility

No migration is required.

Consumers using the stable major alias can continue to use:

jobs:
  qa:
    uses: SymPress/workflows/.github/workflows/sympress-qa.yml@v1

Consumers pinned to 1.0.1 do not need to update for workflow behavior, but can move to 1.0.2 to track the latest repository security and documentation maintenance snapshot.

Maintainer Notes

The v1 tag is updated to point to 1.0.2 so consumers using the stable major release line receive the latest patch release.

Validation completed before release:

• Repository checks passed on main.
• CodeQL passed on main.
• npm audit --audit-level=moderate reports zero vulnerabilities.

---

This discussion was created from the release 1.0.2.