Conversation

@silverwind silverwind commented Oct 3, 2025

To reduce the risk of npm supply chain attacks and to speed up dependency installation, I've bundled the spectral package into a zero-dependency module. The upstream package is pretty dead currently, so I expect to keep up with their updates.

The package exports a spectral bin script, so pnpm exec spectral continues to work as-is.

In total, this removes 86 dependencies from the npm dependency tree.
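One way to measure the kind of reduction the description claims (packages removed from the tree) is to walk a package's transitive closure in the lockfile. The block below is an added example, not code from this PR or from the spectral-cli-bundle project; it assumes npm's package-lock.json v3 layout rather than the pnpm-lock.yaml Gitea actually uses, and the lockfile contents, package names and versions in it are constructed for illustration.

```javascript
// Added example, not code from the Gitea PR or the spectral-cli-bundle project.
// Counts a package's transitive dependency closure from an npm package-lock.json
// (lockfileVersion 3). The lockfile below is constructed and illustrative only.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@stoplight/spectral-cli": "6", "spectral-cli-bundle": "1" } },
    "node_modules/@stoplight/spectral-cli": { version: "6.0.0", dependencies: { chalk: "4", yaml: "2" } },
    "node_modules/chalk": { version: "4.1.2", dependencies: { "ansi-styles": "4", "supports-color": "7" } },
    "node_modules/ansi-styles": { version: "4.3.0", dependencies: { "color-convert": "2" } },
    "node_modules/color-convert": { version: "2.0.1", dependencies: { "color-name": "1" } },
    "node_modules/color-name": { version: "1.1.4" },
    "node_modules/supports-color": { version: "7.2.0", dependencies: { "has-flag": "4" } },
    "node_modules/has-flag": { version: "4.0.0" },
    "node_modules/yaml": { version: "2.3.0" },
    "node_modules/spectral-cli-bundle": { version: "1.0.0", bin: { spectral: "dist/spectral.js" } },
  },
};

// Resolve `name` the way Node does from `fromPath`: check the dependant's own
// node_modules first, then walk up one node_modules level at a time to the root.
function resolveEntry(lock, fromPath, name) {
  for (let base = fromPath; ; base = base.slice(0, Math.max(base.lastIndexOf("/node_modules/"), 0))) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (base === "") return null;
  }
}

// Every package reachable from `name`, excluding `name` itself. The `seen` set
// also guards against dependency cycles. Sorted so results compare stably.
function transitiveDeps(lock, name) {
  const start = resolveEntry(lock, "", name);
  if (!start) throw new Error("not in lockfile: " + name);
  const seen = new Set([start]);
  const stack = [start];
  while (stack.length) {
    const path = stack.pop();
    for (const dep of Object.keys(lock.packages[path].dependencies || {})) {
      const p = resolveEntry(lock, path, dep);
      if (p && !seen.has(p)) { seen.add(p); stack.push(p); }
    }
  }
  seen.delete(start);
  return [...seen].map((p) => p.slice(p.lastIndexOf("node_modules/") + 13)).sort();
}

// True when the entry for `name` declares the bin script `bin` (what keeps `pnpm exec spectral` working).
function declaresBin(lock, name, bin) {
  const p = resolveEntry(lock, "", name);
  return Boolean(p && lock.packages[p].bin && lock.packages[p].bin[bin]);
}
```

Run `transitiveDeps(lock, "@stoplight/spectral-cli")` against `transitiveDeps(lock, "spectral-cli-bundle")` to see the before/after package count; on a real lockfile the same walk gives the number the description reports as 86.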

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Oct 3, 2025
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Oct 3, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Oct 3, 2025
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 3, 2025
@lunny lunny enabled auto-merge (squash) October 3, 2025 22:20
@lunny lunny merged commit 6589326 into go-gitea:main Oct 3, 2025
26 checks passed
@GiteaBot GiteaBot added this to the 1.26.0 milestone Oct 3, 2025
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Oct 3, 2025
@silverwind silverwind deleted the spectral-bundle branch October 4, 2025 07:37
rossigee pushed a commit to rossigee/gitea that referenced this pull request Oct 4, 2025
To reduce the risk of npm supply chain attacks and to speed up
dependency installation, I've
[bundled](https://github.com/silverwind/spectral-cli-bundle) the
spectral package into a zero-dependency module. The upstream package is
pretty dead currently, so I expect to keep up with their updates.

The package
[exports](https://github.com/silverwind/spectral-cli-bundle/blob/de05948c53a0a6f9690cdf65d35c3fc3324a583c/package.json#L9)
a `spectral` bin script, so `pnpm exec spectral` continues to work
as-is.

In total, this removes 86 dependencies from the npm dependency tree.
zjjhot added a commit to zjjhot/gitea that referenced this pull request Oct 5, 2025
* giteaofficial/main:
  fix: auto-expand and auto-scroll for actions logs (go-gitea#35570) (go-gitea#35583)
  [skip ci] Updated translations via Crowdin
  [skip ci] Updated translations via Crowdin
  Fix creating pull request failure when the target branch name is the same as some tag (go-gitea#35552)
  Use bundled version of spectral (go-gitea#35573)
  Add rebase push display wrong comments bug (go-gitea#35560)
  Address some CodeQL security concerns (go-gitea#35572)
  fix(webhook): prevent tag events from bypassing branch filters targets go-gitea#35449 (go-gitea#35567)
  Added button to copy file name in PR files (go-gitea#35509)
  Update JS and PY deps (go-gitea#35565)
  Enable a few more tsconfig options (go-gitea#35553)
  Bump github.com/wneessen/go-mail from 0.6.2 to 0.7.1 (go-gitea#35557)
  add more routes to the "expensive" list (go-gitea#35547)
  Drop json-iterator dependency (go-gitea#35544)
  Add proper error message if session provider can not be created (go-gitea#35520)
  use experimental go json v2 library (go-gitea#35392)
  Use global lock instead of status pool for cron lock (go-gitea#35507)
  Move some functions to gitrepo package (go-gitea#35503)
  Move GetDiverging functions to gitrepo (go-gitea#35524)
  [skip ci] Updated translations via Crowdin