
fix(deps): pin versions of all GitHub Actions workflows and NPM packages#73

Merged
timoa merged 2 commits into main from fix/pin-dependencies
Mar 3, 2026

Conversation

@timoa
Owner

@timoa timoa commented Mar 3, 2026

Description

Due to multiple supply-chain attacks by AI bots, this PR adds another layer of security by pinning all dependencies to a specific version and, when possible, to a hash.

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that changes existing behaviour)
  • Documentation update
  • Refactor/code quality improvement
  • Dependency update

Checklist

Code quality

  • My commit messages follow Conventional Commits (e.g. feat:, fix:, docs:, chore:)
  • I have not introduced any TypeScript types without justification
  • I have not left debug code, console.log, or commented-out blocks

Testing

  • I have tested the changes locally by pressing F5 in VSCode to launch the Extension Development Host
  • I have run pnpm test, and all tests pass
  • I have run pnpm lint, and there are no lint errors
  • I have added or updated tests to cover my changes (if applicable)

Build & compatibility

  • I have run pnpm run compile and pnpm run webpack without errors
  • The extension works in VSCode (and ideally Cursor/Windsurf)

Documentation

  • I have updated the README.md if my change adds a new feature, keyboard shortcut, or changes existing behaviour
  • I have updated or added JSDoc comments for non-obvious logic (if applicable)

Screenshots/recordings

Summary by CodeRabbit

  • Chores
    • Updated Node.js and package manager used by CI workflows to newer versions for more reliable builds.
    • Improved CI cache keys and restore behavior to speed up workflows.
    • Upgraded release tooling plugins to newer patch versions.
    • Updated all project dependencies and dev-dependencies to fixed, newer versions for stability and security.

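The PR description above pins npm packages to exact versions and GitHub Actions to a hash where possible. The script below is an added example (not code from this repository or its author) of how a practitioner would verify that both pins are actually in place: it flags any `uses:` reference that is not a 40-character commit SHA, and any package.json specifier that is a range (`^`, `~`, `>=`, `*`) rather than an exact version. The sample workflow and package.json are constructed inline; the SHA in the sample is a placeholder with the right shape, not a real commit of actions/setup-node.

```python
"""Audit GitHub Actions workflows and package.json for unpinned dependencies.

Usage: python audit_pins.py .github/workflows/*.yml package.json
"""
import json
import re
import sys
from pathlib import Path

# Matches `uses: owner/repo[/path]@ref`, optionally quoted; stops at whitespace or a
# trailing `# v1.2.3` comment, which is the usual way to annotate a SHA pin.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Exact semver (optional pre-release/build metadata); anything else is treated as a range.
EXACT_VERSION_RE = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)
# Specifiers that do not resolve through the registry, so exact pinning does not apply.
NON_REGISTRY_PREFIXES = ("workspace:", "file:", "link:")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per `uses:` reference that is not pinned to a full commit SHA.

    A tag or branch (`@v4`, `@main`) is mutable: whoever controls the action's repo
    can move it to new code. A 40-hex commit SHA is immutable, which is the "hash"
    form of pinning for actions.
    """
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local composite actions and container images are out of scope
        if "@" not in ref:
            findings.append(f"{ref}: no ref at all (resolves to the default branch)")
            continue
        action, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(f"{action}@{version}: mutable ref, pin to a 40-character commit SHA")
    return findings


def audit_package_json(text: str) -> list[str]:
    """Return one finding per dependency whose specifier is a range, not an exact version."""
    pkg = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if spec.startswith(NON_REGISTRY_PREFIXES):
                continue
            if not EXACT_VERSION_RE.fullmatch(spec):
                findings.append(f"{section}/{name}: '{spec}' is a range, not an exact version")
    return findings


# Constructed sample inputs (not the project's files). The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          node-version: 24.13.1
      - uses: pnpm/action-setup
      - uses: ./.github/actions/local-step
"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"yaml": "2.4.1", "react": "^18.2.0"},
    "devDependencies": {"typescript": "~5.4.0", "vitest": "1.6.0", "shared": "workspace:*"},
})


def main(paths: list[str]) -> int:
    """Audit the given files; exit non-zero if anything is unpinned (usable as a CI gate)."""
    total = []
    for p in paths:
        path = Path(p)
        text = path.read_text()
        found = audit_package_json(text) if path.name == "package.json" else audit_workflow(text)
        total.extend(f"{path}: {f}" for f in found)
    print("\n".join(total) if total else "all references pinned")
    return 1 if total else 0


if __name__ == "__main__":
    args = sys.argv[1:]
    if args:
        sys.exit(main(args))
    print("\n".join(audit_workflow(SAMPLE_WORKFLOW) + audit_package_json(SAMPLE_PACKAGE_JSON)))
```

Running it with no arguments audits the constructed samples and reports `actions/checkout@v4` and the ref-less `pnpm/action-setup`, plus the two ranged npm specifiers, while the SHA-pinned step and the exact versions pass. An exact version in package.json is only half of the npm story: the integrity hashes live in pnpm-lock.yaml, so the CI install also needs to run against that lockfile (`pnpm install --frozen-lockfile`) for the pin to mean anything. Keep the `# v4` comment after a SHA pin; tools such as Dependabot and Renovate use it to know which release the SHA corresponds to when proposing updates.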
@timoa timoa self-assigned this Mar 3, 2026
@coderabbitai

coderabbitai bot commented Mar 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2fd07a and cbc4bb1.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Walkthrough

Updated CI workflows and package.json to pin tool and dependency versions: Node.js set to 24.13.1, pnpm to 10.30.3 across workflows, semantic-release plugins pinned, and dependencies/devDependencies in package.json changed from ranged to fixed versions.

Changes

Cohort / File(s) Summary
CI Workflows
.github/workflows/codeql-analysis.yml, .github/workflows/publish.yml, .github/workflows/pull-request.yml, .github/workflows/release.yml
Pinned Node.js to 24.13.1 and pnpm to 10.30.3 across workflows; publish.yml cache key now includes a node-version hash and expanded restore-keys; release.yml pins semantic-release plugin patch versions.
Dependency Pinning
package.json
Converted dependencies and devDependencies from range specifiers to fixed, explicit versions for runtime and dev tooling (many packages updated to specific releases).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

released

Poem

🐰 I hopped through YAML, tidy and spry,
Pinning versions under the sky,
Node and pnpm now sit in line,
Packages steady, build trees align —
A carrot-coded change, neat and spry.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and accurately summarizes the main change: pinning versions of GitHub Actions workflows and NPM packages for security purposes.
Description check ✅ Passed The PR description is mostly complete, following the template structure with a clear rationale for security, proper type classification (Dependency update), and comprehensive checklist completion.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

85-88: Reorder cache restore keys from most-specific to least-specific.

The current order checks the broad prefix first, so the lockfile-scoped fallback at Line 88 is rarely used.

Suggested diff
       restore-keys: |
-        ${{ runner.os }}-pnpm-
         ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}-
+        ${{ runner.os }}-pnpm-
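Review bot: the ordering problem is that `${{ runner.os }}-pnpm-` is a prefix of `${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}-`, and actions/cache stops at the first restore key that prefix-matches any existing cache, so with the broad key listed first the job always restores the most recently created `-pnpm-` cache, whatever lockfile it was built from, and the lockfile-scoped key on the next line is dead. Moving the broad prefix to the end, as the suggested diff does, is correct; verify in the surrounding lines that the primary `key:` stays the exact match (the one that also includes the node-version hash) and is not repeated inside `restore-keys`. This is a cache-hit-rate issue rather than an integrity one as long as the install step uses the lockfile (`pnpm install --frozen-lockfile`), since pnpm checks restored store contents against the lockfile's integrity hashes and a stale cache only costs a re-download.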
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 85 - 88, The restore-keys are
ordered from least-specific to most-specific so the broad prefix wins and the
lockfile-scoped fallback is ignored; inside the cache step adjust the
"restore-keys" block so the most-specific key (${{ runner.os }}-pnpm-${{
hashFiles('**/pnpm-lock.yaml') }}-node-${{ hashFiles('.nvmrc') }}) appears
first, then the lockfile-scoped key (${{ runner.os }}-pnpm-${{
hashFiles('**/pnpm-lock.yaml') }}-), and finally the broad prefix (${{ runner.os
}}-pnpm-), ensuring the cache lookup goes from most-specific to least-specific.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 48698f5 and a2fd07a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (5)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/publish.yml
  • .github/workflows/pull-request.yml
  • .github/workflows/release.yml
  • package.json

@codecov

codecov bot commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.68%. Comparing base (48698f5) to head (cbc4bb1).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #73   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files           8        8           
  Lines         269      269           
  Branches      101      101           
=======================================
  Hits          252      252           
  Misses          1        1           
  Partials       16       16           


@github-actions

github-actions bot commented Mar 3, 2026

🩺 React Doctor

react-doctor v0.0.29

✔ Select projects to scan › workflow-visual-editor
No feature branch or uncommitted changes detected. Running full scan.

Scanning /home/runner/work/workflow-editor/workflow-editor...


  ⚠ Array index "idx" used as key — causes bugs when list is reordered or filtered (12)
    Use a stable unique identifier: `key={item.id}` or `key={item.slug}` — index keys break on reorder/filter
    src/webview/components/TriggerNode.tsx: 26
    src/webview/components/TriggerPropertyPanel.tsx: 144
    src/webview/components/TriggerBadge.tsx: 64
    src/webview/components/JobPropertyPanel.tsx: 885
    src/App.tsx: 632
    src/webview/components/SourceCodeDialog.tsx: 220
    src/webview/App.tsx: 649
    src/components/TriggerNode.tsx: 26
    src/components/JobPropertyPanel.tsx: 885
    src/components/SourceCodeDialog.tsx: 206
    src/components/TriggerPropertyPanel.tsx: 144
    src/components/TriggerBadge.tsx: 64

  ⚠ A form label must be associated with a control. (45)
    Either give the label a `htmlFor` attribute with the id of the associated control, or wrap the label around the control.
    src/webview/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414, 432
    src/webview/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915
    src/webview/components/WorkflowPropertyPanel.tsx: 71, 81, 92
    src/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915
    src/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414
    src/components/WorkflowPropertyPanel.tsx: 71, 81, 92

  ⚠ Component "TriggerPropertyPanel" is 500 lines — consider breaking it into smaller focused components (6)
    Extract logical sections into focused components: `<UserHeader />`, `<UserActions />`, etc.
    src/webview/components/TriggerPropertyPanel.tsx: 48
    src/webview/components/JobPropertyPanel.tsx: 40
    src/App.tsx: 56
    src/webview/App.tsx: 56
    src/components/JobPropertyPanel.tsx: 40
    src/components/TriggerPropertyPanel.tsx: 48

  ⚠ Enforce a clickable non-interactive element has at least one keyboard event listener. (20)
    Visible, non-interactive elements with click handlers must have one of `keyup`, `keydown`, or `keypress` listener.
    src/webview/components/PasteYamlDialog.tsx: 21, 28
    src/webview/components/JobPropertyPanel.tsx: 1017
    src/App.tsx: 489
    src/webview/components/SourceCodeDialog.tsx: 160, 167
    src/webview/components/ConfirmDialog.tsx: 30, 37
    src/webview/components/RunScriptDialog.tsx: 123, 130
    src/webview/App.tsx: 533
    src/components/PasteYamlDialog.tsx: 21, 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/ConfirmDialog.tsx: 30, 37
    src/components/SourceCodeDialog.tsx: 146, 153
    src/components/RunScriptDialog.tsx: 111, 118

  ⚠ Static HTML elements with event handlers require a role. (10)
    Add a role attribute to this element, or use a semantic HTML element instead.
    src/webview/components/PasteYamlDialog.tsx: 28
    src/webview/components/JobPropertyPanel.tsx: 1017
    src/webview/components/SourceCodeDialog.tsx: 167
    src/webview/components/ConfirmDialog.tsx: 37
    src/webview/components/RunScriptDialog.tsx: 130
    src/components/PasteYamlDialog.tsx: 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/ConfirmDialog.tsx: 37
    src/components/SourceCodeDialog.tsx: 153
    src/components/RunScriptDialog.tsx: 118

  ⚠ 3 setState calls in a single useEffect — consider using useReducer or deriving state (3)
    Combine into useReducer: `const [state, dispatch] = useReducer(reducer, initialState)`
    src/webview/components/JobPropertyPanel.tsx: 139
    src/webview/App.tsx: 105
    src/components/JobPropertyPanel.tsx: 139

  ⚠ Component "AppInner" has 11 useState calls — consider useReducer for related state (2)
    Group related state: `const [state, dispatch] = useReducer(reducer, { field1, field2, ... })`
    src/App.tsx: 56
    src/webview/App.tsx: 56

  ⚠ "@codemirror/view" is a heavy library — use React.lazy() or next/dynamic for code splitting (8)
    Use `const Component = dynamic(() => import('library'), { ssr: false })` from next/dynamic or React.lazy()
    src/webview/components/SourceCodeDialog.tsx: 2, 3
    src/webview/components/RunScriptDialog.tsx: 2, 3
    src/components/SourceCodeDialog.tsx: 2, 3
    src/components/RunScriptDialog.tsx: 2, 3

  ┌────────────────────────────────────────────────────┐
  │ ┌─────┐                                            │
  │ │ ◠ ◠ │                                            │
  │ │  ▽  │                                            │
  │ └─────┘                                            │
  │ React Doctor (www.react.doctor)                    │
  │                                                    │
  │ 94 / 100  Great                                    │
  │                                                    │
  │ ███████████████████████████████████████████████░░░ │
  │                                                    │
  │ ⚠ 106 warnings  across 20/64 files  in 775ms       │
  └────────────────────────────────────────────────────┘

  Full diagnostics written to /tmp/react-doctor-14977e79-50d4-4742-bb85-72fe8c97b6b3

  Share your results: https://www.react.doctor/share?p=workflow-visual-editor&s=94&w=106&f=20

@timoa timoa merged commit a3acf1f into main Mar 3, 2026
8 checks passed
@timoa timoa deleted the fix/pin-dependencies branch March 3, 2026 09:24
@timoa-bot

timoa-bot bot commented Mar 3, 2026

🎉 This PR is included in version 1.2.35 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

