deps(deps): bump which from 5.0.0 to 7.0.0

[dependabot]

Bumps which from 5.0.0 to 7.0.0.

Release notes

Sourced from which's releases.

v7.0.0

7.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

• which now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 471d90b #176 bump to new node engine range (@​owlstronaut)
• 8aac36f #176 template-oss-apply (@​owlstronaut)

Chores

• 9bdf003 #176 template-oss-apply (@​owlstronaut)

v6.0.1

6.0.1 (2026-02-10)

Dependencies

• bd22353 #168 bump isexe from 3.1.5 to 4.0.0 (#168) (@​dependabot[bot])

Chores

• fc4c209 #163 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#163) (@​dependabot[bot])
• 46b25d7 #165 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#165) (@​dependabot[bot], @​npm-cli-bot)

v6.0.0

6.0.0 (2025-10-22)

⚠️ BREAKING CHANGES

• align to npm 11 node engine range (#161)

Bug Fixes

• cf1a1bc #161 align to npm 11 node engine range (#161) (@​owlstronaut)

Chores

• 66cf669 #160 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#160) (@​dependabot[bot], @​npm-cli-bot)

Changelog

Sourced from which's changelog.

7.0.0 (2026-05-08)

⚠️ BREAKING CHANGES

• which now supports node ^22.22.2 || ^24.15.0 || >=26.0.0
• template-oss-apply

Features

• 471d90b #176 bump to new node engine range (@​owlstronaut)
• 8aac36f #176 template-oss-apply (@​owlstronaut)

Chores

• 9bdf003 #176 template-oss-apply (@​owlstronaut)

6.0.1 (2026-02-10)

Dependencies

• bd22353 #168 bump isexe from 3.1.5 to 4.0.0 (#168) (@​dependabot[bot])

Chores

• fc4c209 #163 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#163) (@​dependabot[bot])
• 46b25d7 #165 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#165) (@​dependabot[bot], @​npm-cli-bot)

6.0.0 (2025-10-22)

⚠️ BREAKING CHANGES

• align to npm 11 node engine range (#161)

Bug Fixes

• cf1a1bc #161 align to npm 11 node engine range (#161) (@​owlstronaut)

Chores

• 66cf669 #160 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#160) (@​dependabot[bot], @​npm-cli-bot)

Commits

• 297db11 chore: release 7.0.0 (#177)
• 9bdf003 chore: template-oss-apply
• 471d90b feat!: bump to new node engine range
• 8aac36f feat!: template-oss-apply
• 4824908 deps & engine update
• bbc63ba chore: release 6.0.1 (#169)
• bd22353 deps: bump isexe from 3.1.5 to 4.0.0 (#168)
• 46b25d7 chore: bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#165)
• af2ddb4 chore: bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#164)
• fc4c209 chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#163)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for which since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌ Changes requested

🤖 Claude Sonnet 4.6 (OpenRouter) (anthropic/claude-sonnet-4.6) via OpenRouter

⚠️ Review call failed (fail-closed): OPENROUTER_API_KEY not set — a maintainer must review.

---

Gate wrong or a false positive? Do not edit this workflow to pass — open an issue on lagowski/pr-review-gate.

[github-actions]

⚠️ Human review required

🤖 Claude Sonnet 4.6 (OpenRouter) (anthropic/claude-sonnet-4.6) via OpenRouter

⚠️ Engine rate-limited or out of credits; will retry on the next cron tick. A maintainer may review meanwhile.

---

Gate wrong or a false positive? Do not edit this workflow to pass — open an issue on lagowski/pr-review-gate.

[github-actions]

❌ Changes requested

🤖 Claude Sonnet 4.6 (OpenRouter) (anthropic/claude-sonnet-4.6) via OpenRouter

This PR bumps which from 5.0.0 to 7.0.0 and removes @upstash/context7-mcp from dependencies. The critical concern is that which 7.0.0 declares a Node.js engine requirement of ^22.22.2 || ^24.15.0 || >=26.0.0, which is incompatible with the project's stated minimum of Node.js >=16 and the current LTS baseline, meaning the package will fail to install or produce engine warnings on any Node 16, 18, or 20 environment.

1 finding:

• 🟠 HIGH HIGH package.json:153 / package-lock.json:10676 — which@7.0.0 declares engines: { node: '^22.22.2 || ^24.15.0 || >=26.0.0' } but package.json specifies engines: { node: '>=16' } for this project. Any CI runner or user on Node 16, 18, or 20 (all still in common use and within the project's stated support range) will get an engine incompatibility error or silent misbehaviour when npm strict-engine checks are enabled, and npm install with --engine-strict will hard-fail. The lock file confirms the new top-level node_modules/which entry carries this constraint.
  • Fix: Either pin which to ^5.0.0 (or ^6.x which supports >=18) until the project's own engines field is updated to require Node >=22, or update package.json engines to ^22.22.2 || ^24.15.0 || >=26.0.0 and update CI matrix accordingly before merging.
  • Evidence: '"engines": { "node": "^22.22.2 || ^24.15.0 || >=26.0.0" }' in lock file for 'node_modules/which' vs project 'engines: '>=16''

---

Gate wrong or a false positive? Do not edit this workflow to pass — open an issue on lagowski/pr-review-gate.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[Dixter999]

Closing per AI Review Gate finding.

which@7.0.0 declares engines: { node: '^22.22.2 || ^24.15.0 || >=26.0.0' } but this project's package.json specifies engines: { node: '>=16' }. Merging would break Node 16/18/20 users — npm install --engine-strict would hard-fail, and even without strict mode users would get engine warnings or silent misbehaviour.

Two paths forward (separate decisions):

• Stay on which@^5.x (or bump to ^6.x which supports Node >=18) until we're ready to drop Node 16/18/20 support.
• Bump our own engines to ^22.22.2 || ^24.15.0 || >=26.0.0 + update CI matrix, then revisit which@7. That's coupled with the eslint 10 question (deps-dev(deps-dev): bump eslint from 9.39.4 to 10.5.0 #683/deps-dev(deps-dev): bump @eslint/js from 9.39.4 to 10.0.1 #684 closed for the same Node version mismatch reason).

Both are real architectural calls, not auto-merge material.