
chore(deps): bump graphology from 0.25.4 to 0.26.0#358

Merged
carlos-alm merged 2 commits into main from dependabot/npm_and_yarn/graphology-0.26.0
Mar 7, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Mar 7, 2026

Bumps graphology from 0.25.4 to 0.26.0.

Release notes

Sourced from graphology's releases.

v0.26.0

  • Removing obliterator dependency.
  • Stopping to shim Array.from.
  • ESM support.
Changelog

Sourced from graphology's changelog.

0.26.0

  • Removing obliterator dependency.
  • Stopping to shim Array.from.
  • ESM support.
Commits
  • feb3e5c Bump 0.26.0
  • b2f21f8 Bump 0.26.0-rc1
  • 2c6d67a Remove obliterator dependency by using plain Iterator objects
  • 3bb705e [communities-louvain] fixing robust-randomness types
  • 0310654 Bump operators 1.6.1
  • 53d8466 [operators] avoid iterating twice on edges in mixed graphs when reversing graph
  • dc5d914 [metrics] packaging node/clustering-ambiguity
  • 96595e5 [metrics] adding node/clustering-ambiguity
  • c9e5861 Bump communities-louvain 2.0.2
  • 019d0f0 [communities-louvain] adding experimental/robust-randomness
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 7, 2026
@greptile-apps

greptile-apps bot commented Mar 7, 2026

Greptile Summary

This PR bumps graphology from 0.25.4 to 0.26.0, a minor release that removes the obliterator sub-dependency, drops the Array.from polyfill (safe given the project's Node ≥ 20 requirement), and adds ESM support. The graphology change itself is straightforward and aligns exactly with the published changelog.

The most notable side-effect is unrelated to graphology: Dependabot's lock-file regeneration exposed that all seven @optave/codegraph-* platform-specific native binary packages (version 3.0.4) lack valid integrity hashes in package-lock.json. The previous lock file stored "integrity": "" (an empty, non-functional value), which npm would ignore; the regenerated file omits the field entirely. In either state the binaries are installed without SRI verification, which is a supply-chain risk for native addons — these packages execute compiled native code directly on the host at runtime.

  • graphology bump from 0.25.4 → 0.26.0 is clean and changelog-aligned
  • obliterator sub-dependency correctly removed from the lock file
  • ⚠️ Seven @optave/codegraph-* optional binary packages have no integrity hash — recommend republishing them via standard npm publish and regenerating the lock file to obtain valid SHA-512 hashes

Confidence Score: 3/5

  • Safe to merge for the graphology bump itself, but the missing integrity hashes on native binary packages should be resolved before this pattern is normalised.
  • The graphology update is routine and low-risk. The score is reduced because the regenerated lock file surfaces a pre-existing but now clearly visible supply-chain gap: native binary packages for all supported platforms have no integrity verification, meaning a compromised or substituted package would not be detected at install time.
  • package-lock.json — integrity fields missing for all @optave/codegraph-* platform binary entries

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm install] --> B{package-lock.json integrity check}
    B -->|graphology 0.26.0| C[SHA-512 verified]
    B -->|optave codegraph platform binaries| D[No integrity hash]
    D --> E[Native .node addon executed on host]
    C --> F[Graph operations in application]
    E --> F

Comments Outside Diff (1)

  1. package-lock.json, line 1649-1732 (link)

    Seven @optave/codegraph-* optional platform-specific binary packages now have no integrity field in the lock file (lines 1649–1732). Previously these entries held "integrity": "" (an empty/invalid hash), but after Dependabot regenerated the lock they were dropped entirely.

    Without valid SRI hashes, npm cannot verify that the downloaded binary matches what was originally published. Since these packages contain native compiled code (napi-rs addons executed directly on the host), a tampered or substituted package would execute arbitrary native code on the developer's or CI machine with no integrity check.

    Affected packages (all at version 3.0.4):

    • node_modules/@optave/codegraph-darwin-arm64
    • node_modules/@optave/codegraph-darwin-x64
    • node_modules/@optave/codegraph-linux-arm64-gnu
    • node_modules/@optave/codegraph-linux-arm64-musl
    • node_modules/@optave/codegraph-linux-x64-gnu
    • node_modules/@optave/codegraph-linux-x64-musl
    • node_modules/@optave/codegraph-win32-x64-msvc

    The recommended fix is to republish these packages through a standard npm publish flow so the registry records a valid SHA-512 integrity hash, then run npm install to regenerate the lock file with those hashes populated. Until then, the installed binaries are unverified at install time.

    Rule Used: CLAUDE.md (source)

Last reviewed commit: 0036478

Bumps [graphology](https://github.com/graphology/graphology) from 0.25.4 to 0.26.0.
- [Release notes](https://github.com/graphology/graphology/releases)
- [Changelog](https://github.com/graphology/graphology/blob/master/CHANGELOG.md)
- [Commits](graphology/graphology@0.25.4...0.26.0)

---
updated-dependencies:
- dependency-name: graphology
  dependency-version: 0.26.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/graphology-0.26.0 branch from 0036478 to 520921a March 7, 2026 10:53
@carlos-alm carlos-alm merged commit 9674285 into main Mar 7, 2026
17 checks passed
@carlos-alm carlos-alm deleted the dependabot/npm_and_yarn/graphology-0.26.0 branch March 7, 2026 11:21
@github-actions github-actions bot locked and limited conversation to collaborators Mar 7, 2026