Conversation


@Artmann Artmann commented Dec 2, 2025

Summary by CodeRabbit

  • Chores
    • Updated runtime and tooling dependencies (BigQuery client, YAML lib), added multiple package resolutions, enabled TypeScript skipLibCheck, and added a Node engine constraint; build externals updated accordingly.
    • Switched config YAML parsing to the newer parsing API.
  • Tests
    • Added a consolidated test script to run server, parser, and linter tests.



coderabbitai bot commented Dec 2, 2025

📝 Walkthrough

Walkthrough

This pull request updates package manifests and build config across the monorepo. The root package.json adds a parallel test script and expands resolutions with multiple pinned packages (including tar, axios, semver, js-yaml, @octokit/*, etc.). packages/server/package.json sets engines.node to >=18.0.0, externalizes ssh2 and cpu-features in build/watch commands, and upgrades @google-cloud/bigquery to ^8.1.1. packages/sqlint bumps js-yaml to ^4.1.1 and @types/js-yaml to ^4.0.9, and yaml.safeLoad() was replaced with yaml.load(). tsconfig.json adds skipLibCheck: true.

Pre-merge checks

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the primary change: upgrading vulnerable dependencies across multiple packages (tar, axios, semver, js-yaml, etc.). It's concise and clearly summarizes the main purpose.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 773fb16 and 4b50314.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: lint-and-test
🔇 Additional comments (2)
package.json (2)

30-30: Add parallel test execution script.

The new test script cleanly orchestrates testing across all packages in parallel. Good addition for CI/CD efficiency.


117-132: Pinned versions are appropriately secured with no known vulnerabilities.

The pinned dependency versions already include important security fixes and maintain API compatibility:

  • js-yaml ^4.1.1 includes the prototype-pollution fix (CVE-2025-64718) and uses yaml.load() as the safe default API for v4
  • @octokit/request ^10.0.7 and @octokit/plugin-paginate-rest ^14.0.0 have no breaking changes and are API-compatible patch/minor releases
  • semver ^7.7.3 is patched for CVE-2022-25883 (>= 7.5.2)
  • cross-spawn ^7.0.6 is patched for CVE-2024-21538 (>= 7.0.5)

No further action required on these resolutions.


Comment @coderabbitai help to get the list of available commands and usage tips.
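The review comment above reasons about each pinned resolution by hand (is the lower bound of the range at or above the first patched release?). That check can be made mechanical, which is useful when a resolutions block grows past a handful of entries. The following is an added example, not code from this PR or from CodeRabbit: it reads a constructed package.json, takes the lower bound of each simple range (`^`, `~`, `>=` or an exact version), and compares it with the minimum patched versions cited in the comment. The semver and cross-spawn floors (7.5.2 and 7.0.5) are the ones the comment states; the js-yaml floor of 4.1.1 is assumed from the pinned version, since the comment does not name a first-fixed release. Ranges without a reliable floor (`*`, `1.x`, `||` unions) are reported as unbounded rather than silently passed.

```javascript
// Added example (not part of the PR): verify that a package.json "resolutions"
// block pins each package at or above a minimum patched version.

// Minimum patched versions. semver and cross-spawn floors are taken from the
// review comment; the js-yaml floor is an ASSUMPTION derived from the pinned
// ^4.1.1, not a stated first-fixed release.
const MIN_PATCHED = {
  semver: { min: '7.5.2', advisory: 'CVE-2022-25883' },
  'cross-spawn': { min: '7.0.5', advisory: 'CVE-2024-21538' },
  'js-yaml': { min: '4.1.1', advisory: 'CVE-2025-64718' }, // assumed floor
};

// Constructed sample mirroring the resolutions the PR adds for these packages.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'monorepo-root',
  resolutions: {
    semver: '^7.7.3',
    'cross-spawn': '^7.0.6',
    'js-yaml': '^4.1.1',
  },
});

// "1.2.3" -> [1, 2, 3]; anything that is not a plain dotted triple is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of a simple range: "^1.2.3", "~1.2.3", ">=1.2.3" or "1.2.3".
// Returns null for anything else ("*", "1.x", "latest", unions), because those
// do not guarantee a floor and must be flagged rather than trusted.
function lowerBound(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? parseVersion(m[1]) : null;
}

// Check every package in minPatched against the resolutions block.
// Each finding has status: 'ok' | 'below-minimum' | 'unbounded' | 'unpinned'.
function checkResolutions(packageJsonText, minPatched = MIN_PATCHED) {
  const pkg = JSON.parse(packageJsonText);
  const resolutions = pkg.resolutions || {};
  const findings = [];
  for (const [name, { min, advisory }] of Object.entries(minPatched)) {
    const range = resolutions[name];
    if (range === undefined) {
      findings.push({ name, status: 'unpinned', advisory, min });
      continue;
    }
    const floor = lowerBound(range);
    if (floor === null) {
      findings.push({ name, status: 'unbounded', advisory, range, min });
      continue;
    }
    const ok = compareVersions(floor, parseVersion(min)) >= 0;
    findings.push({ name, status: ok ? 'ok' : 'below-minimum', advisory, range, min });
  }
  return findings;
}

// Stand-alone run: prints one line per package for the constructed sample.
for (const f of checkResolutions(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.name}: ${f.status} (${f.advisory}, range ${f.range}, min ${f.min})`);
}
```

A resolutions entry only enforces a floor once the lockfile is regenerated to honour it, so this check belongs alongside a lockfile-aware audit rather than in place of one; its value is catching a pin that was typed below the patched release, or a range with no floor at all, before the lockfile is committed.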


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between da60487 and 92ab1f0.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (4)
  • package.json (2 hunks)
  • packages/server/package.json (1 hunks)
  • packages/sqlint/package.json (1 hunks)
  • packages/sqlint/src/cli/loadConfig.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/sqlint/src/cli/loadConfig.ts (1)
packages/sqlint/src/index.ts (1)
  • RawConfig (11-11)
🔇 Additional comments (4)
package.json (2)

30-30: LGTM!

Consolidates test execution across packages.


117-133: LGTM!

Pinning transitive dependencies addresses known vulnerabilities.

packages/sqlint/src/cli/loadConfig.ts (1)

126-126: LGTM!

Correct migration for js-yaml v4, where load() is safe by default.

packages/sqlint/package.json (1)

38-38: LGTM!

Runtime and type definitions aligned for js-yaml v4.

Also applies to: 43-43

@Artmann Artmann force-pushed the chris/upgrade-vurnable-deps branch from 92ab1f0 to 8d14e2f Compare December 2, 2025 08:57

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
packages/server/package.json (1)

44-44: Node.js engine requirement still missing.

BigQuery v8.1.1 requires Node.js 18+. Add "engines": { "node": ">=18.0.0" } to enforce this requirement.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 92ab1f0 and 8d14e2f.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (5)
  • package.json (2 hunks)
  • packages/server/package.json (1 hunks)
  • packages/sqlint/package.json (1 hunks)
  • packages/sqlint/src/cli/loadConfig.ts (1 hunks)
  • tsconfig.json (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
packages/sqlint/src/cli/loadConfig.ts (1)
packages/sqlint/src/index.ts (1)
  • RawConfig (11-11)
🔇 Additional comments (4)
tsconfig.json (1)

15-15: Approve skipLibCheck for this upgrade.

Adding skipLibCheck: true is reasonable for this multi-dependency upgrade to avoid type conflicts. Monitor for any runtime issues that might surface from bypassed type checks.

package.json (1)

30-30: LGTM on parallel test execution.

The new test script efficiently runs all package tests in parallel.

packages/sqlint/package.json (1)

38-38: js-yaml v4 upgrade looks correct.

Major version bump properly paired with type definitions and code migration (safeLoad → load in loadConfig.ts).

Also applies to: 43-43

packages/sqlint/src/cli/loadConfig.ts (1)

126-126: Correct js-yaml v4 migration.

Replacing safeLoad with load is the proper upgrade path. In v4, load is safe by default.

@Artmann Artmann force-pushed the chris/upgrade-vurnable-deps branch from 8d14e2f to 0285569 Compare December 2, 2025 09:03
@Artmann Artmann merged commit 81b3b73 into release Dec 2, 2025
2 checks passed
@Artmann Artmann deleted the chris/upgrade-vurnable-deps branch December 2, 2025 09:39