chore(deps): patch npm + rust security advisories #27
cargo check passes.
Patches 4 transitive advisories within semver; typecheck passes.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 509afe59e6
| picomatch@4.0.4: | ||
| resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} |
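Review bot: at the `picomatch@4.0.4:` entry, nothing in the visible lines shows that the older 4.0.3 entry was dropped from pnpm-lock.yaml, and a lockfile can carry several versions of one transitive dependency side by side. Confirm with `pnpm why picomatch` that no importer still resolves to 4.0.3, and record the result in the PR description.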
This security update only changes pnpm-lock.yaml, but this repo's documented install/verification path is npm ci (AGENTS.md says npm-only and lists npm ci), so CI and normal installs ignore this patched resolution. The committed package-lock.json still resolves node_modules/picomatch to 4.0.3 at line 10511, so npm-based installs continue to use the pre-patch version even though this lockfile now points at 4.0.4.
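The mismatch this review comment describes can be caught mechanically. The following is an added example, not code from this repository or from Codex: it scans the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3 assumed) for entries below a patched floor. `FLOORS`, `findStale` and the sample lockfile are constructed for illustration; the only version pair taken from the page is picomatch 4.0.3 to 4.0.4.

```javascript
// Added example: flag package-lock.json entries that sit below a patched floor.
// FLOORS holds the one version pair named in the review comment (picomatch
// 4.0.3 -> 4.0.4); extend it from the advisory text for other packages.
const FLOORS = { picomatch: ["4.0.4"] };

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/a/node_modules/picomatch"; nested copies count too.
function findStale(lock, floors = FLOORS) {
  const stale = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    const have = parseVersion(entry.version);
    if (!have || !floors[name]) continue; // link entries carry no version
    for (const floor of floors[name].map(parseVersion)) {
      // Compare only within the same major line as the floor.
      if (floor[0] === have[0] && isBelow(have, floor)) {
        stale.push({ path, name, version: entry.version, floor: floor.join(".") });
      }
    }
  }
  return stale;
}

// Constructed sample mirroring the mismatch described in the review comment.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "0.0.0" },
    "node_modules/picomatch": { version: "4.0.3" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/tinyglobby/node_modules/picomatch": { version: "4.0.4" },
  },
};
console.log(findStale(SAMPLE_LOCK));
```

To use it as a CI gate, pass the parsed contents of the committed `package-lock.json` to `findStale` and fail the job when the returned array is non-empty.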
Patches transitive npm advisories (picomatch/minimatch/flatted/yaml) within semver plus rustls-webpki 0.103.13. Lockfile-only (pnpm-lock.yaml + src-tauri/Cargo.lock); typecheck passes. Dependabot security sweep.