chore(deps): bump c8 from 10.1.3 to 11.0.0 in the dev-dependencies group across 1 directory#9
Merged
amacsmith merged 1 commit intoMay 10, 2026
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
dependabot
Bot
changed the title
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/dev-dependencies-ffe201de11
branch
from
92a65f1 to
46c689a
Compare
Bumps the dev-dependencies group with 1 update in the / directory: [c8](https://github.com/bcoe/c8). Updates `c8` from 10.1.3 to 11.0.0 - [Release notes](https://github.com/bcoe/c8/releases) - [Changelog](https://github.com/bcoe/c8/blob/main/CHANGELOG.md) - [Commits](bcoe/c8@v10.1.3...v11.0.0) --- updated-dependencies: - dependency-name: c8 dependency-version: 11.0.0 dependency-type: direct:development update-type: version-update:semver-major dependency-group: dev-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/dev-dependencies-ffe201de11
branch
from
46c689a to
0e78ba0
Compare
dependabot
Bot
deleted the
dependabot/npm_and_yarn/dev-dependencies-ffe201de11
branch
2 tasks
amacsmith
added a commit
that referenced
this pull request
May 11, 2026
… input, fix scorecard pins
- scripts/__tests__/{aggregate,integration}.test.mjs: gate handler dispatch
with Object.prototype.hasOwnProperty.call() to prevent prototype-chain
lookups (js/unvalidated-dynamic-method-call #5, #6).
- scripts/__tests__/render-latest.test.mjs: dispatch on URL hostname rather
than substring (js/incomplete-url-substring-sanitization #11).
- cli/src/add.mjs: openUrl() now validates input is a well-formed http(s)
URL before passing argv to open/cmd/xdg-open. Defense in depth against
js/indirect-command-line-injection #7; existing execFileSync (no shell)
pattern in spawn.mjs is preserved.
- .github/workflows/scorecard.yml: pin ossf/scorecard-action,
actions/checkout, and github/codeql-action/upload-sarif to underlying
commit SHAs (not annotated-tag-object SHAs) — fixes the
"imposter commit" rejection from the OSSF webapp.
Six other CodeQL alerts (#2, #3, #8, #9, #10, #12) were dismissed as
won't-fix with rationale recorded on the alert.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the dev-dependencies group with 1 update in the / directory: c8.
Updates
c8from 10.1.3 to 11.0.0Release notes
Sourced from c8's releases.
Changelog
Sourced from c8's changelog.
Commits
ce78df4chore(main): release 11.0.0 (#577)678eecafix(deps)!: pull newer minimatch addressing CVE-2026-26996 (#576)ec4c5e4chore: .editorconfig to avoid unintended mods to .snap files (#556)