chore(deps): bulk bring dependencies to latest #18
Safe minors + patches:
- @biomejs/biome 2.4.0 -> 2.4.12
- fast-xml-parser 5.7.0 -> 5.7.1
- piscina 5.1.3 -> 5.1.4
- envinfo 7.14.0 -> 7.21.0
- lru-cache 11.2.2 -> 11.3.5
Safe majors (no source-level breakage on our surface):
- @apidevtools/swagger-parser 10.1.1 -> 12.1.0
- @commitlint/cli 19.6.1 -> 20.5.0
- @commitlint/config-conventional 19.6.0 -> 20.5.0
- @types/node 20.14.0 -> 22.19.17 (Node 22 LTS)
- commander 13.1.0 -> 14.0.3
- listr2 9.0.4 -> 10.2.1
- write-file-atomic 6.0.0 -> 7.0.1
Deliberately deferred (real code-migration needed; separate PRs):
- typescript 5.9.3 -> 6.x (peer-declared as ^5 by many grammars / deps)
- zod 3 -> 4 (breaking: .merge -> .extend, stricter coercion, result shape)
License allowlist:
- lru-cache switched to BlueOak-1.0.0 at 11.3.x (OSI-approved permissive). Added BlueOak-1.0.0 + 0BSD to the CI allowlist to match the SBOM reality.
Fixed in same commit:
- packages/cli setup.test.ts asserted plugin version "2.0.0" (stale from the internal pre-release); corrected to "0.1.0" to match launch version.
Supply chain:
- osv-scanner: 0 issues on refreshed 705-package lockfile.
- Regenerated SBOM.cdx.json and THIRD_PARTY_LICENSES.md.
Closes most of the open Dependabot npm PRs (#6-#15 will close on next scan).
This was referenced Apr 23, 2026
Biome 2.4.12 caught this as a useOptionalChain violation.
Simpler form: !profile?.apiContracts.includes("openapi").
Summary
Sweep of every outdated direct dependency in the workspace, bringing each one to its latest version — except for two intentional holds (TypeScript 6, Zod 4) that need their own migration PRs.
What's bumped
Safe minors + patches (no behavior changes on our surface):
- @biomejs/biome
- fast-xml-parser
- piscina
- envinfo
- lru-cache
Safe majors (no source-level breakage; verified via full build + test matrix):
- @apidevtools/swagger-parser
- @commitlint/cli
- @commitlint/config-conventional
- @types/node
- commander
- listr2
- write-file-atomic
Deliberately deferred (need real migration work; track in follow-up PRs):
- typescript 5.9.3 → 6.x — many workspace deps peer-declare typescript@^5; the jump needs a compatibility sweep first.
- zod 3 → 4 — breaking changes (.merge() → .extend(), stricter coercion, different result shape) that touch the MCP + SARIF schema layers.
License allowlist update
- lru-cache switched its declared license from ISC → BlueOak-1.0.0 at 11.3.x. BlueOak-1.0.0 is an OSI-approved permissive license (explicitly designed as an MIT/ISC-class modernization with no ShareAlike / attribution friction).
- Added BlueOak-1.0.0 and 0BSD to the CI license allowlist (.github/workflows/ci.yml, mise.toml) to match what's actually in the SBOM today. SECURITY.md + CONTRIBUTING.md updated to mirror.
Supply chain
- osv-scanner — 0 issues on the refreshed 705-package lockfile.
- SBOM.cdx.json regenerated from the new lockfile.
- THIRD_PARTY_LICENSES.md regenerated (705 components).
Drive-by fix
- packages/cli/src/commands/setup.test.ts asserted the bundled plugin manifest version was 2.0.0 (stale from the pre-launch internal versioning). Updated to 0.1.0 to match the launch version and unblock pnpm -r test.
Closes
Should supersede these open Dependabot PRs (will auto-close on next scan): #6, #7, #8, #9, #10, #11, #12, #13, #14, #15.
Test plan
- pnpm install resolves cleanly
- pnpm -r build — all workspaces green
- pnpm -r exec tsc --noEmit — 0 type errors
- pnpm -r test — 1 stale-assertion fixed, remainder green
- bash scripts/check-banned-strings.sh — PASS
- osv-scanner scan source --lockfile=pnpm-lock.yaml — 0 issues
- license-checker-rseidelsohn --onlyAllow '...' — 0 violations