Keep SDK dev toolchain audit clean #6

Open
PetriLahdelma wants to merge 1 commit into main from codex/sdk-dev-audit-fix

Conversation

@PetriLahdelma (Member)

Summary

  • refresh SDK package-lock to patched YAML, Rollup, and PostCSS transitive versions
  • keep package.json and the published SDK version unchanged
  • preserve the package-lock name alignment with @vertaaux/sdk

Verification

  • npm run typecheck
  • npm test
  • npm run build
  • npm audit --audit-level=moderate

Notes

Dependabot PRs #3 and #4 were merged first; this handles the remaining full dev-audit findings reported after syncing the merged lockfile.

The Dependabot lockfile bumps left dev-only audit findings in the local dependency graph, so this refreshes the package lock to patched YAML, Rollup, and PostCSS versions while preserving the published SDK version and API.

Constraint: npm audit reported dev-only advisories after merging Dependabot PRs #3 and #4
Rejected: Ignore dev advisories | the SDK build and test toolchain still consumes these packages locally and in CI
Confidence: high
Scope-risk: narrow
Tested: npm run typecheck; npm test; npm run build; npm audit --audit-level=moderate
Not-tested: npm publish dry-run
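The PR description makes two checkable claims: the lockfile refresh leaves the package name and the published version aligned with package.json, and `npm audit --audit-level=moderate` comes back clean even though the remaining findings were dev-only. The script below, an added example that is not part of the PR or of the @vertaaux/sdk project, encodes both checks so they can run in CI on the real files. Every manifest and audit report in it is constructed inline (placeholder versions, made-up advisories); it also shows why a dev-only finding is still blocking, by joining the audit report's `nodes` paths against the lockfile's per-package `dev` flag instead of exempting them.

```python
"""Check a lockfile-only dependency refresh: name/version alignment and audit gate.

Added example, not code from the PR or the @vertaaux/sdk project. The manifests
and the `npm audit --json` reports below are constructed samples with placeholder
versions; point the two check functions at real files in CI instead.
"""
import json

# npm's severity ladder, in the order `--audit-level` compares against.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed package.json; the version is a placeholder, not the published one.
PACKAGE_JSON = json.dumps({
    "name": "@vertaaux/sdk",
    "version": "0.0.0-placeholder",
    "devDependencies": {"rollup": "^0.0.0-placeholder", "yaml": "^0.0.0-placeholder"},
})


def lockfile_for(name, version):
    """Build a constructed lockfileVersion-3 lock whose root entry carries name/version."""
    return json.dumps({
        "name": name,
        "version": version,
        "lockfileVersion": 3,
        "packages": {
            "": {"name": name, "version": version},
            # dev-only toolchain packages carry "dev": true in the lockfile
            "node_modules/yaml": {"version": "0.0.0-placeholder", "dev": True},
            "node_modules/rollup": {"version": "0.0.0-placeholder", "dev": True},
        },
    })


GOOD_LOCK = lockfile_for("@vertaaux/sdk", "0.0.0-placeholder")

# Constructed audit reports (auditReportVersion 2 shape) before and after a refresh.
AUDIT_BEFORE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "yaml": {"name": "yaml", "severity": "moderate", "isDirect": False,
                 "nodes": ["node_modules/yaml"], "fixAvailable": True},
        "rollup": {"name": "rollup", "severity": "low", "isDirect": True,
                   "nodes": ["node_modules/rollup"], "fixAvailable": True},
    },
})
AUDIT_AFTER = json.dumps({"auditReportVersion": 2, "vulnerabilities": {}})


def check_lock_alignment(package_json_text, lock_text):
    """Return mismatches between package.json and package-lock.json (empty = aligned).

    Both the top-level lock fields and the root packages[""] entry must match,
    which is what a lockfile-only refresh is expected to preserve."""
    pkg = json.loads(package_json_text)
    lock = json.loads(lock_text)
    root = lock.get("packages", {}).get("", {})
    problems = []
    for field in ("name", "version"):
        if lock.get(field) != pkg.get(field):
            problems.append(f"top-level {field}: lock={lock.get(field)!r} pkg={pkg.get(field)!r}")
        if root and root.get(field) != pkg.get(field):
            problems.append(f"packages[''].{field}: lock={root.get(field)!r} pkg={pkg.get(field)!r}")
    return problems


def gate_audit(audit_json_text, lock_text, audit_level="moderate"):
    """Return findings at or above audit_level, tagged with whether they are dev-only.

    Mirrors the gate `npm audit --audit-level=<level>` applies: any finding at
    least that severe blocks. Dev-only findings are reported, not exempted,
    because the build and test toolchain still loads those packages."""
    report = json.loads(audit_json_text)
    packages = json.loads(lock_text).get("packages", {})
    threshold = SEVERITY_ORDER.index(audit_level)
    blocking = {}
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity")
        if sev not in SEVERITY_ORDER or SEVERITY_ORDER.index(sev) < threshold:
            continue
        nodes = vuln.get("nodes", [])
        dev_only = bool(nodes) and all(packages.get(n, {}).get("dev", False) for n in nodes)
        blocking[name] = {"severity": sev, "dev_only": dev_only}
    return blocking


if __name__ == "__main__":
    print("alignment problems:", check_lock_alignment(PACKAGE_JSON, GOOD_LOCK))
    print("blocking before refresh:", gate_audit(AUDIT_BEFORE, GOOD_LOCK))
    print("blocking after refresh:", gate_audit(AUDIT_AFTER, GOOD_LOCK))
```

To use it against a real checkout, read package.json and package-lock.json from disk and feed the output of `npm audit --json` to `gate_audit`; a non-empty alignment list or a non-empty blocking dict is a CI failure.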
Copilot AI review requested due to automatic review settings April 26, 2026 15:31

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

coderabbitai Bot commented Apr 26, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1c93fc1c-1c67-4162-95d2-e2e52e24babd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

