fix(ci): unblock OSV (paste unmaintained) + silence Vercel rate-limit status#81
Merged
Conversation
β¦ status Two CI-infra fixes that were blocking the open Dependabot PRs: 1. RUSTSEC-2024-0436 (`paste` 1.0.15 β unmaintained) was newly published and now fails the required Security Audit (OSV) on every branch (surfaced on cargo PR #78). `paste` is a build-time proc-macro helper with no runtime exposure and no fix release β added to src-tauri/osv-scanner.toml with the same justified pattern as proc-macro-error / unic-* / the GTK3 bindings. 2. Vercel preview deployments hit the free-tier 24h rate limit and reported a red "fail" status on PRs. Vercel was never a required check (so it never actually blocked merges), but to remove the cosmetic hard-fail noise, vercel.json now sets `github.silent: true` β deployments still run, but no commit statuses/comments are posted. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! πWe're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X Β· |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
CodeAnt AI finished reviewing your PR. |
qnbs
enabled auto-merge (squash)
June 3, 2026 17:53
qnbs
disabled auto-merge
June 3, 2026 17:54
qnbs
enabled auto-merge (squash)
June 3, 2026 18:06
qnbs
added a commit
that referenced
this pull request
Jun 3, 2026
Dependabot's react group PR (#79) bumped only react-dom (19.2.6 β 19.2.7) and left react at 19.2.6. That version skew breaks @testing-library rendering β every hook/component test file failed to collect ("0 test") in the Quality Gate. React and react-dom are released in lockstep and must match: bump both to 19.2.7. Rebuilt on current main, so it also inherits the RUSTSEC-2024-0436 paste-ignore (Security Audit) from #81. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
qnbs
added a commit
that referenced
this pull request
Jun 3, 2026
Dependabot's react group PR (#79) bumped only react-dom (19.2.6 β 19.2.7) and left react at 19.2.6. That version skew breaks @testing-library rendering β every hook/component test file failed to collect ("0 test") in the Quality Gate. React and react-dom are released in lockstep and must match: bump both to 19.2.7. Rebuilt on current main, so it also inherits the RUSTSEC-2024-0436 paste-ignore (Security Audit) from #81. Co-authored-by: qnbs <155236708+qnbs@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Why
Two CI-infra issues are blocking the open Dependabot PRs (#74β#80):
RUSTSEC-2024-0436(paste1.0.15 β unmaintained) was newly published in the OSV DB and now fails the required Security Audit (OSV) check on every branch β first surfaced on the cargo PR build(deps): bump log from 0.4.30 to 0.4.31 in /src-tauriΒ #78.pasteis a build-time proc-macro helper: no runtime exposure, no CVSS, no fix release (1.0.15 is final). Added tosrc-tauri/osv-scanner.tomlwith the same justified pattern already used forproc-macro-error,unic-*, and the GTK3 bindings.vercel.jsonnow sets"github": { "silent": true }: deployments still run, no commit statuses/comments are posted.Effect
main).π€ Generated with Claude Code
CodeAnt-AI Description
Unblock security checks and remove noisy Vercel PR failures
What Changed
pasteadvisory, which unblocks affected branches and Dependabot PRs.Impact
β Fewer blocked dependency updatesβ Fewer false PR failuresβ Cleaner CI status on pull requestsπ‘ Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.