Quality baseline + release 1.0.2 (ESLint/Prettier, qs security pin)#50
Merged
- Add flat-config ESLint (type-checked typescript-eslint on src + mcp-server), Prettier, and .editorconfig matched to the existing house style; add lint / lint:fix / format / format:check scripts.
- Wire `npm run lint` into CI (Ubuntu matrix + Windows) and all release gates so the enforced baseline cannot regress.
- Pin transitive `qs` to ^6.15.2 via overrides to resolve GHSA-q8mj-m7cp-5q26 (moderate DoS) disclosed after the 1.0.1 cut. Production `npm audit` is clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
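An `overrides` pin only closes the advisory if every installed copy of the package, including nested `node_modules/.../qs` copies that npm keeps when version ranges conflict, ends up at or above the fixed version. The following check is an added example (not the PR's or the project's code): it walks the `packages` map of a `package-lock.json` (lockfileVersion 2/3), collects each installed copy of `qs`, and compares it against the `6.15.2` floor named in the commit. Both lockfile objects are constructed sample data, as is the `some-lib` package.

```javascript
// Added example, not code from the PR: check that an "overrides" pin for a transitive
// dependency took effect in package-lock.json (lockfileVersion 2/3 "packages" map).
// Every installed copy of the package is found, including nested node_modules copies,
// and compared against the minimum fixed version. Lockfile data below is constructed.

const QS_PIN = { name: 'qs', minVersion: '6.15.2', advisory: 'GHSA-q8mj-m7cp-5q26' };

// Constructed "before" lockfile: the hoisted qs is still on a vulnerable line,
// while a nested copy under another (dev-only) package already resolved to the fix.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '1.0.1' },
    'node_modules/express': { version: '5.1.0' },
    'node_modules/qs': { version: '6.14.0' },
    'node_modules/some-lib': { version: '2.0.0', dev: true },
    'node_modules/some-lib/node_modules/qs': { version: '6.15.2', dev: true },
  },
};

// Constructed "after" lockfile: with "overrides": { "qs": "^6.15.2" } in package.json,
// npm dedupes to a single hoisted copy at the pinned version.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', version: '1.0.2' },
    'node_modules/express': { version: '5.1.0' },
    'node_modules/qs': { version: '6.15.2' },
    'node_modules/some-lib': { version: '2.0.0', dev: true },
  },
};

// Parse "major.minor.patch"; any prerelease/build suffix is ignored.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1 when a < b, 0 when equal, 1 when a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The package name is whatever follows the last "node_modules/" segment,
// so scoped names ("@scope/pkg") and nested copies are handled alike.
function packageNameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    if (packageNameFromLockPath(lockPath) === name && entry.version) {
      copies.push({ path: lockPath, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return copies;
}

// ok is true only when the package is present and no copy is below minVersion.
// Production-only offenders are listed separately, mirroring `npm audit --omit=dev`.
function checkPin(lock, { name, minVersion }) {
  const copies = findInstalledCopies(lock, name);
  const vulnerable = copies.filter((c) => compareSemver(c.version, minVersion) < 0);
  const vulnerableProd = vulnerable.filter((c) => !c.dev);
  return { copies, vulnerable, vulnerableProd, ok: copies.length > 0 && vulnerable.length === 0 };
}

function report(label, lock) {
  const result = checkPin(lock, QS_PIN);
  const status = result.ok ? 'OK' : 'STILL VULNERABLE';
  console.log(`${label}: ${status} (${QS_PIN.advisory}, need >= ${QS_PIN.minVersion})`);
  for (const c of result.copies) {
    console.log(`  ${c.path} -> ${c.version}${c.dev ? ' (dev)' : ''}`);
  }
}

report('before override', LOCK_BEFORE);
report('after override', LOCK_AFTER);
```

To run it against a real tree, feed `checkPin` the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls qs` shows the same nested-copy view from npm itself, and the `vulnerableProd` list is what a production-only `npm audit` would still complain about.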
Brings the tree to zero lint errors under the new type-checked config with no rule suppression:
- routes.ts: read request bodies via c.req.json<RouteBody>() against a completed wire-contract type instead of Hono's default `any` (one root cause behind 123 findings); behavior-preserving (http-api tests stay green).
- Type the three MCP `server: any` seams as McpServer (kept lazy via import type).
- Type LocalEmbeddingProvider._pipeline structurally; cast once at the untyped library boundary instead of propagating `any`.
- EventTypeLike for the `EventType | string` collapse; JSON.parse/return casts; attach error `cause` on rethrows; drop dead imports/bindings in tests/scripts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
One-time normalization to the new Prettier config (single quotes, semicolons, 2-space indent, trailing commas, 100-col). Pure formatting — no behavior change; lint, typecheck, build, and the full test suite are unchanged. This commit is listed in .git-blame-ignore-revs so it does not pollute `git blame`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- Add `npm run format:check` to CI (both jobs) and release:gate / release:gate:sandbox / release:gate:paper, after lint.
- Add .git-blame-ignore-revs pointing at the formatting commit so blame stays meaningful (GitHub honors it automatically; locally run `git config blame.ignoreRevsFile .git-blame-ignore-revs`).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Maintenance and engineering-quality release. No runtime behavior change.
- Bump version to 1.0.2 across package.json, package-lock.json, mcp-server/config.ts, and python/audrey_memory/_version.py.
- CHANGELOG: accurate 1.0.2 notes — qs security pin (GHSA-q8mj-m7cp-5q26) and the ESLint/Prettier tooling + source-level lint cleanup.
- README: document the lint/format workflow and enforced quality gates.
- Track the released version in the release-cut idempotency / readiness tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The existing .gitattributes forced LF for .js/.json/.md/.svg/.yml but omitted .ts and .mjs, so the Windows CI runner checked those out as CRLF (default autocrlf) and `prettier --check` (endOfLine: lf) failed on every src/*.ts and scripts/*.mjs file. Add .ts/.cjs/.mjs/.yaml and binary-asset markers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
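As an added illustration (not a file from the PR), the matcher below reproduces the failure the commit describes from two constructed `.gitattributes` files: under the old rules `src/*.ts` carries no `eol` attribute, so a Windows runner with default `core.autocrlf=true` writes CRLF and `prettier --check` with `endOfLine: lf` rejects the file; once `*.ts` and `*.mjs` lines are added the checkout is forced to LF regardless of platform. The `* text=auto` line and the `*.png binary` marker are assumptions standing in for the repo's actual rules, and the matcher covers only the basename / `*` / `?` pattern subset those rules use.

```javascript
// Added example, not the PR's own file: a minimal .gitattributes matcher that shows
// why src/*.ts was checked out as CRLF on the Windows runner before the fix and LF after.
// Semantics modelled: later lines win over earlier ones per attribute; a pattern without
// "/" matches the file's basename; "*" and "?" do not cross "/"; "binary" expands to
// "-text -diff" as git's built-in macro does. The attribute files below are constructed
// to match the commit description ("* text=auto" and the .png rule are assumptions).

const ATTRS_BEFORE = `
* text=auto
*.js   text eol=lf
*.json text eol=lf
*.md   text eol=lf
*.svg  text eol=lf
*.yml  text eol=lf
`;

const ATTRS_AFTER = ATTRS_BEFORE + `
*.ts   text eol=lf
*.cjs  text eol=lf
*.mjs  text eol=lf
*.yaml text eol=lf
*.png  binary
`;

// Parse "<pattern> <attr> [<attr>...]" lines into rules; "#" comments and blanks are skipped.
function parseGitattributes(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [pattern, ...tokens] = line.split(/\s+/);
    const attrs = {};
    for (const tok of tokens) {
      if (tok === 'binary') {
        attrs.text = false; // built-in macro: binary = -text -diff
        attrs.diff = false;
      } else if (tok.startsWith('-')) {
        attrs[tok.slice(1)] = false; // "-attr" unsets
      } else if (tok.includes('=')) {
        const eq = tok.indexOf('=');
        attrs[tok.slice(0, eq)] = tok.slice(eq + 1); // "attr=value"
      } else {
        attrs[tok] = true; // bare "attr" sets
      }
    }
    rules.push({ pattern, attrs });
  }
  return rules;
}

// Translate the glob subset used here into an anchored RegExp.
function globToRegExp(pattern) {
  let re = '';
  for (const ch of pattern) {
    if (ch === '*') re += '[^/]*';
    else if (ch === '?') re += '[^/]';
    else re += ch.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp(`^${re}$`);
}

// Merge every matching rule in file order, so the last matching line wins per attribute.
function effectiveAttributes(rules, path) {
  const basename = path.slice(path.lastIndexOf('/') + 1);
  const result = {};
  for (const { pattern, attrs } of rules) {
    const subject = pattern.includes('/') ? path : basename;
    if (globToRegExp(pattern).test(subject)) Object.assign(result, attrs);
  }
  return result;
}

// Line ending git writes on checkout: eol=lf/crlf is forced on every platform;
// otherwise a text file follows core.autocrlf (true on a default Windows install).
function checkoutLineEnding(attrs, autocrlf) {
  if (attrs.text === false) return 'binary';
  if (attrs.eol === 'lf') return 'LF';
  if (attrs.eol === 'crlf') return 'CRLF';
  return autocrlf ? 'CRLF' : 'LF';
}

// Prettier with endOfLine: "lf" rejects any text file that would be checked out as CRLF.
function prettierWouldFail(attrsText, path, autocrlf) {
  const attrs = effectiveAttributes(parseGitattributes(attrsText), path);
  return checkoutLineEnding(attrs, autocrlf) === 'CRLF';
}

for (const path of ['src/routes.ts', 'scripts/example.mjs', 'package.json', 'assets/logo.png']) {
  const before = checkoutLineEnding(effectiveAttributes(parseGitattributes(ATTRS_BEFORE), path), true);
  const after = checkoutLineEnding(effectiveAttributes(parseGitattributes(ATTRS_AFTER), path), true);
  console.log(`${path}: before=${before} after=${after}`);
}
```

On a real checkout the authoritative answer is `git check-attr -a <path>` and `git ls-files --eol`, which report the same effective attributes and the actual line endings in the working tree; the matcher here is only to make the old-versus-new difference visible without a Windows runner.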
Summary
Establishes an enforced engineering-quality baseline and cuts 1.0.2 (maintenance/quality release — no runtime behavior change).
Security
- Pin transitive `qs` to `^6.15.2` via `overrides` to resolve GHSA-q8mj-m7cp-5q26 (moderate DoS via `@modelcontextprotocol/sdk` → `express@5`), disclosed after the 1.0.1 cut. Production `npm audit` is clean again.
Tooling + code quality
- ESLint flat config (type-checked `typescript-eslint` on `src/` + `mcp-server/`) + Prettier + `.editorconfig`, matched to house style. New scripts: `lint`, `lint:fix`, `format`, `format:check`.
- `lint` + `format:check` wired into CI (Ubuntu matrix + Windows) and all release gates.
- `routes.ts`: `c.req.json<RouteBody>()` instead of Hono's `any`; the three MCP `server` params typed as `McpServer`; local embedding pipeline typed structurally; `EventTypeLike`; error `cause` on rethrows; dead imports/bindings removed.
- One-time Prettier normalization commit listed in `.git-blame-ignore-revs`.
Release
Verification
typecheck ✓ · eslint ✓ · format:check ✓ · build ✓ · prod `npm audit` 0 vulns ✓ · smoke ✓ · pack ✓ · 783/798 tests (remaining fails are the known paper-artifact coupling, env-specific to local LaTeX).
🤖 Generated with Claude Code