chore(deps-dev): bump @typescript-eslint/parser from 7.18.0 to 8.32.1 #8
Closed
dependabot[bot] wants to merge 1 commit into
Bumps [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) from 7.18.0 to 8.32.1.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.32.1/packages/parser)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.32.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Superseded by #17.
edobry added a commit that referenced this pull request Apr 22, 2026
… non-blockers

Chinese-wall reviewer (mt#1073 pattern) caught 2 blocking issues on this PR's initial scaffold that would have broken deployment and quietly dropped mandatory Tier-3 reviews under transient failures. Fixing both plus several non-blocking improvements flagged in the same review.

Blocking fixes:

1. Dockerfile lockfile mismatch. COPY glob was bun.lockb* matching the pre-1.2 binary format; Bun 1.2+ uses bun.lock text format which is what the repo actually tracks. Every Railway deploy would fail at the RUN bun install step. Fixed to COPY package.json bun.lock explicitly.

2. HTTP 200 on review failure. The webhook handler swallowed all errors and returned void, causing verifyAndReceive to resolve cleanly and the server to return 200 for failed reviews. GitHub only retries on 4xx/5xx. A Tier-3 PR where the model or GitHub API timed out would be silently dropped with no retry and no review, breaking the mandatory-review guarantee. Fixed by removing the try/catch in handlePullRequestEvent so errors propagate to verifyAndReceive and return 500, causing GitHub to retry. Cost: duplicate-review risk on flaky errors; Sprint B adds per-SHA idempotency.

Non-blocking fixes:

- Startup warning when REVIEWER_PROVIDER=anthropic — operators who set this without reading docs deploy a degraded Chinese wall (same family as Claude implementer); log a degraded_config_warning at server start.
- README corrected: removed false claim about Minsky provenance lookup (that is Sprint B; Sprint A only reads PR-body marker), removed reference to scripts/create-github-app.ts (not in repo yet, mt#997 tracks).
- Self-review identity check now case-insensitive via .toLowerCase(); GitHub usernames are case-insensitive at platform level.
- services/ lint-console-usage exclusion narrowed to services/reviewer/ specifically, so future services must opt in explicitly.
- Stale bun.lockb entry removed from .gitignore.

Deferred to follow-up tasks:

- mt#1085 (Sprint B prereq): switch tier lookup from PR-body marker to MCP provenance record. Eliminates the marker-forgetting failure mode the reviewer flagged (non-blocking #5).
- mt#1086: explicit network-call timeouts on model and GitHub API paths. Non-blocking #8 from the review.

Validation: 18/18 service tests pass, typecheck clean, lint clean at 30-warning threshold.
edobry added a commit that referenced this pull request May 6, 2026
R1-A BLOCKING #1 (command injection at session-commands.ts CAS site):
The shell-interpolated mainRef in could let a crafted .minsky-freshness-sha file inject commands. Closed by adding strict regex validation in readFreshnessMarker:
- mainRef must match /^[A-Za-z0-9._/-]+$/ (rejects quotes, backticks, semicolons, dollar-signs, parens, all shell metacharacters)
- sha must match /^[0-9a-f]{40}$/ (lowercase 40-hex)
A malicious marker now fails parsing -> CAS bypasses with no-marker instead of running the rev-parse with poisoned input.

R1-B BLOCKING #5 (cleanup not on early-return paths):
Marker was only cleaned after a successful CAS check, leaving stale state on clean-tree early returns, NothingToCommitError, and pre-CAS exceptions. Restructured sessionCommit to wrap the entire post-workdir body in try/finally with cleanupFreshnessMarker(workdir) in the finally. Cleanup now runs on every exit path: successful CAS+push, CAS abort, commit failure, push failure, and both early-return cases. Removed the redundant inline cleanup from the CAS block.

R1-B BLOCKING #6 (marker write on budget-skipped path):
The hook's gate () was too loose. The overBudget(GIT_TIMEOUT_MS * 2) path returns mainRef but skips the listCommitsAhead probe, so the marker would be written despite the freshness comparison never running. Fix: added to BranchFreshnessResult, set true only on the two paths that pass through listCommitsAhead (count===0 silent + count>0 blocked). Marker write now requires .

R1-A NON-BLOCKING #2 (duplication):
replaced the hook's inline writeFile + FRESHNESS_MARKER_FILENAME literal with an import of writeFreshnessMarker from src/domain/session/freshness-marker.ts. Single source of truth for marker payload shape and filename; the hook now uses the same helper as the read+CAS side. Verified bun resolves the cross-directory import without dependency-surface bloat (the helper imports only node:fs + node:path + the local errors module).

R1-A NON-BLOCKING #3 (validation hardening):
subsumed by R1-A BLOCKING #1 fix above (SHA + ref shape validation in readFreshnessMarker).

R1-A NON-BLOCKING #4 (CAS error code):
introduced FreshnessCasError class with and structured fields (capturedSha, currentSha, mainRef). session-commands now throws FreshnessCasError on CAS abort instead of generic MinskyError. Allows UX/policy/telemetry layers to distinguish a CAS-prevented push from other commit failures programmatically.

R1-B NON-BLOCKING #7 (.git/ existence):
documented the assumption in markerPath + writeFreshnessMarker JSDoc — workdir must be a regular git checkout (always true for session workspaces). Bare repos / worktrees / unusual layouts are out of scope.

R1-B NON-BLOCKING #8 (sessionCommit integration test):
declined for this round. The unit-test coverage on freshness-marker.ts (decision matrix + 3 spec acceptance scenarios) plus the now-finally-guaranteed cleanup behavior covers the substantive paths. Adding a full sessionCommit integration test would require spinning up a temp git repo + fake hook + push target — out of proportion to the marginal value vs the existing coverage. Can be filed as a follow-up if the reviewer wants explicit end-to-end coverage of the new CAS branch.

Tests: 4 new freshness-marker tests covering the validation regex (shell metachars rejected, rejected, short SHA rejected, nested-feature ref accepted). 90 tests pass total (16 prior + 4 new + 70 hook tests). validate-all clean.
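The marker validation described in the commit message above, as an added example that is not the repository's code: it applies the two quoted regexes and returns null for anything malformed, so the caller falls through to the no-marker path. The JSON payload shape and the names `parseFreshnessMarker` and `revParseArgs` are assumptions; the example also goes one step past the commit message by building an argument vector, so no shell ever parses the ref.

```typescript
// Added example. The JSON payload shape { mainRef, sha } is an assumption;
// the two regexes are the ones quoted in the commit message.
const REF_RE = /^[A-Za-z0-9._/-]+$/;
const SHA_RE = /^[0-9a-f]{40}$/;

interface FreshnessMarker {
  mainRef: string;
  sha: string;
}

// Returns null for anything that is not a well-formed marker, so the caller
// takes the "no-marker" path instead of handing the value to git.
function parseFreshnessMarker(raw: string): FreshnessMarker | null {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return null;
  }
  if (typeof data !== "object" || data === null) return null;
  const { mainRef, sha } = data as Record<string, unknown>;
  if (typeof mainRef !== "string" || !REF_RE.test(mainRef)) return null;
  if (typeof sha !== "string" || !SHA_RE.test(sha)) return null;
  return { mainRef, sha };
}

// Argument vector for execFile-style spawning: no shell parses the ref, and
// --end-of-options stops git from reading a ref that starts with "-" as a flag
// (the ref regex as quoted does accept a leading hyphen).
function revParseArgs(marker: FreshnessMarker): string[] {
  return ["rev-parse", "--verify", "--end-of-options", marker.mainRef];
}

// Constructed sample markers (not taken from the repository).
const GOOD_SHA = "0123456789abcdef0123456789abcdef01234567";
const samples = {
  plain: JSON.stringify({ mainRef: "origin/main", sha: GOOD_SHA }),
  nested: JSON.stringify({ mainRef: "origin/feature/x-1.2", sha: GOOD_SHA }),
  metachars: JSON.stringify({ mainRef: "main; echo x", sha: GOOD_SHA }),
  substitution: JSON.stringify({ mainRef: "$(echo x)", sha: GOOD_SHA }),
  trailingNewline: JSON.stringify({ mainRef: "main\n", sha: GOOD_SHA }),
  upperSha: JSON.stringify({ mainRef: "main", sha: GOOD_SHA.toUpperCase() }),
  shortSha: JSON.stringify({ mainRef: "main", sha: "abc123" }),
  notJson: "origin/main 0123",
};
```

Only `plain` and `nested` parse; every other sample yields null.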
edobry added a commit that referenced this pull request May 19, 2026
Reviewer-bot CHANGES_REQUESTED on initial submission. All five findings addressed:

BLOCKING #1: Spec mismatch on cultural code (mission-control vs Cyberbrain / Section 9)
The original spec Success Criterion #6 required recommending the "mission-control / instrument-panel" code. The workshop refined this to "Cyberbrain / Section 9" — an autonomous-flock cybernetic-substrate code that better carries the exocortex myth, with the mission-control register demoted to "appropriate for the cockpit widget, not the site myth." Took the reviewer's suggested option (b): updated the spec to reflect the workshop's refined lock via tasks_spec_search_replace. Spec now acknowledges both forms (initial generic mission-control + refined Cyberbrain / Section 9 with the five-layer reference architecture) and names the workshop output as the canonical lock. The SKILL.md positioning is now consistent with the spec.

BLOCKING #2 + #3: Missing body-level Vendored from attribution
Both vendored skills (seo-skill, motion-framer) had attribution only in YAML frontmatter description. Reviewer wanted explicit body-level attribution lines for human readability and consistent provenance. Added "> Attribution: Vendored from [repo-link] (retrieved 2026-05-19)" blockquote at the top of each skill's body, naming the source repo and any minor edits applied during vendoring.

NON-BLOCKING #4 + #5: Out-of-repo / ephemeral path references
NON-BLOCKING #4 (~/Projects/minsky-site references): no change — that IS the correct path for the marketing site on the principal's local filesystem; the "out-of-repo" status is intentional (the marketing site is a separate repo, not part of edobry/minsky).
NON-BLOCKING #5 (ephemeral /var/folders/... tweet-archive path): replaced the ephemeral temp-folder citation with the durable source path (~/Downloads/twitter-2025-09-21-*.zip) plus a clear note that the workshop extraction was ephemeral and the durable indexing path is specced in follow-up #8 (the principal-corpus namespace on Minsky's shared pgvector infra).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Bumps @typescript-eslint/parser from 7.18.0 to 8.32.1.

Release notes
Sourced from @typescript-eslint/parser's releases.
... (truncated)

Changelog
Sourced from @typescript-eslint/parser's changelog.
... (truncated)

Commits
- af077a0 chore(release): publish 8.32.1
- b2be3dc chore: simplify `tsconfig` setup using `configDir` (#11136)
- aeb7402 chore(ast-spec): finish migrating to `vitest` (#11126)
- 819a03f chore(release): publish 8.32.0
- 172ab8a chore(eslint-plugin): resolve remaining issues from `vitest` migration (#11100)
- a9c9251 chore: revert `vitest` related changes in `tsconfig` files (#11124)
- f5c588c chore(release): publish 8.31.1
- 2cc7656 chore(release): publish 8.31.0
- 9531492 chore(release): publish 8.30.1
- b3688be chore(release): publish 8.30.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.