chore(deps): consolidate open dependabot updates (GMC-45) [semantic pr title]#131
Combine all 13 open Dependabot PRs (#116–#129) into a single update.
npm group (#129): @octokit/graphql 9.0.3, apollo3-cache-persist 0.15.0, chalk 5.6.2, dotenv 17.4.2, fuse.js 7.4.2, react 19.2.7, @types/react 19.2.17, tsup 8.5.1, vitest 4.1.9.
npm majors: typescript 6.0.3 (#128), @vitest/coverage-v8 4.1.8 (#127), semantic-release 25.0.5 (#126), ink-testing-library 4.0.0 (#125), env-paths 4.0.0 (#124), @types/node 25.9.2 (#123), open 11.0.0 (#122).
GitHub Actions: setup-node v6 (#120), checkout v6 (#119), github-script v9 (#118), download-artifact v8 (#117), cache v5 (#116).
Verified: typecheck (TS 6), build, and full test suite (456/456) all pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dfb25c5ec3
| "semantic-release": "^24.2.7", | ||
| "tsup": "^8.5.0", | ||
| "typescript": "^5.9.2", | ||
| "semantic-release": "^25.0.5", |
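Review bot: the `"semantic-release": "^24.2.7"` to `"^25.0.5"` bump changes the tool's supported Node range, and nothing in this hunk shows the release workflow being updated alongside it. Before merging, confirm the `setup-node` step in the job that runs `npx semantic-release` selects a Node version that semantic-release 25 supports; otherwise the first publish after merge is where the mismatch surfaces.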
Use a Node version supported by semantic-release
This bump moves the release tool to semantic-release 25; the updated lockfile records its engine as node: ^22.14.0 || >= 24.10.0, but the Release Pipeline's semantic-release job still sets up Node 20 before running npx semantic-release. On the next non-release push to main, the publish job will run semantic-release on an unsupported runtime and can fail before creating the release; either keep semantic-release 24 or update that workflow to a supported Node version.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/pr-title-manager.yml:
- Line 49: Replace the mutable version tag references in the
pr-title-manager.yml workflow file with pinned commit SHAs. On line 49, change
the actions/github-script@v9 reference to use a specific commit SHA instead of
the major version tag. Similarly, update the references on lines 110 and 115
(which appear to be actions/checkout@v6 or similar) to use their respective
pinned commit SHAs. Look up the latest stable commit SHA for each action from
their respective repositories and replace the `@v9`, `@v6` tags with the full commit
hash format (e.g., actions/github-script@<commit-sha>) to ensure immutable
action references.
In @.github/workflows/release.yml:
- Line 24: Replace the mutable major-version tag reference `actions/checkout@v6`
on line 24 with a pinned full commit SHA (for example,
`actions/checkout@a5ac7e51b41094c5405359c7b978efb2fc9a1c42`). This applies to
all other unpinned `uses:` references mentioned in the comment (lines 30, 36,
105, 108, 113, 123, 143, 158, 163, 238, and 243). For each action reference,
replace the version tag with the corresponding full 40-character commit SHA to
ensure supply-chain integrity and prevent unexpected behavior from version tag
updates.
Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (3): .github/workflows/pr-title-manager.yml, .github/workflows/release.yml, package.json
| if: steps.bot-check.outputs.is_bot == 'false' | ||
| id: skip-check | ||
| uses: actions/github-script@v7 | ||
| uses: actions/github-script@v9 |
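Review bot: `uses: actions/github-script@v9` replaces one floating major-version tag with another, so the step still resolves to whatever upstream moves the `v9` tag to. Since this line is being touched anyway, pin it to the full commit SHA of the v9 release and keep the version as a trailing comment (`uses: actions/github-script@<commit-sha> # v9`) so the intended release stays readable.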
🧩 Analysis chain
Script executed:
#!/bin/bash
# Verify unpinned action refs in this workflow (should return no matches after fix)
rg -n '^\s*uses:\s*[^@]+@v[0-9]+(\s|$)' .github/workflows/pr-title-manager.yml
Repository: wiiiimm/gh-manager-cli
Length of output: 189
Pin action refs to immutable commit SHAs.
Lines 49, 110, and 115 use mutable major version tags (@v9, @v6) instead of pinned commit SHAs. This exposes the workflow to upstream tag drift and fails the unpinned-uses policy check.
Replace with commit SHA pins: e.g., actions/github-script@<commit-sha> and actions/checkout@<commit-sha>.
Also applies to: 110-110, 115-115
🧰 Tools
🪛 zizmor (1.25.2)
[error] 49-49: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
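Review bot: `uses: actions/checkout@v6` on this line has the same problem as the other workflow: a mutable tag rather than a commit SHA, and the linter output for this file lists eleven further `uses:` lines in the same state. Pin all of them in one commit (full 40-character SHA, tag kept as a trailing comment) rather than only line 24, so the unpinned-uses policy check passes for the whole file.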
🧩 Analysis chain
Script executed:
#!/bin/bash
# Verify unpinned action refs in this workflow (should return no matches after fix)
rg -n '^\s*uses:\s*[^@]+@v[0-9]+(\s|$)' .github/workflows/release.yml
Repository: wiiiimm/gh-manager-cli
Length of output: 540
Harden workflow by pinning every uses: reference to a full SHA.
The following lines contain unpinned mutable major-version tags, creating a supply-chain integrity risk: 24, 30, 36, 105, 108, 113, 123, 143, 158, 163, 238, and 243. Each must be pinned to a full commit SHA rather than a version tag.
🧰 Tools
🪛 zizmor (1.25.2)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
Source: Linters/SAST tools
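Both unpinned-uses findings above (pr-title-manager.yml and release.yml) reduce to one question per `uses:` line: is the reference a full commit SHA, or a tag or branch that upstream can move? The following auditor is an added example, not the repository's own tooling or zizmor's implementation; the workflow text and the 40-hex SHA in it are constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the repository) mixing pinned, local,
# container and floating-tag steps. The SHA below is made up, not a real release.
SAMPLE_WORKFLOW = """\
name: release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6
        with:
          node-version: 22
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: actions/github-script@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text: str) -> list[dict]:
    """One finding per `uses:` line: line number, reference and pin status.

    status is "pinned" (40-hex commit SHA), "local" (./path, versioned with the
    repo itself), "docker" (image reference; digest pinning is not checked
    here) or "unpinned" (a tag or branch name that upstream can re-point).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "docker"
        else:
            _, _, version = ref.partition("@")
            status = "pinned" if FULL_SHA_RE.match(version) else "unpinned"
        findings.append({"line": lineno, "ref": ref, "status": status,
                         "has_version_comment": "#" in m.group("rest")})
    return findings


def unpinned_refs(workflow_text: str) -> list[str]:
    """Only the mutable references, i.e. what an unpinned-uses policy reports."""
    return [f["ref"] for f in audit_uses(workflow_text) if f["status"] == "unpinned"]
```

Running `unpinned_refs(SAMPLE_WORKFLOW)` on the constructed file reports the `@v6` and `@main` steps and passes the SHA-pinned, local and container steps.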
semantic-release 25 requires Node ^22.14.0 || >=24.10.0; the release workflow still set up Node 20, which would fail `npx semantic-release` on the next push to main. Bump all setup-node steps to Node 22 (LTS). Flagged by Cursor Bugbot (High) and Codex (P1) on PR #131. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
env-paths@4 and open@11 both declare engines.node ">=20", but the package still advertised ">=18", letting Node 18-19 users install a build that breaks at startup (env-paths) and on browser open (open). Align engines.node and the setup docs to >=20. Node 18 is already EOL. Flagged by Cursor Bugbot (Medium) on PR #131. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
vercel/pkg (pkg@5.8.1) is archived and only ships base binaries up to Node 18, so release binaries embedded a Node 18 runtime — incompatible with env-paths 4 / open 11 (Node 20+) after raising the engine floor. Switch to the maintained @yao-pkg/pkg fork and build node20 targets in both the build:binaries script and the release workflow. The packager needs Node 22 to run, which the release jobs already use. Flagged by Cursor Bugbot (High) on PR #131. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0fe3b68.
| - name: Create binary | ||
| run: pkg dist/index.js --targets node18-${{ matrix.platform }}-${{ matrix.arch }} --output gh-manager-cli-${{ matrix.platform }}-${{ matrix.arch }}${{ matrix.ext }} | ||
| run: pkg dist/index.js --targets node20-${{ matrix.platform }}-${{ matrix.arch }} --output gh-manager-cli-${{ matrix.platform }}-${{ matrix.arch }}${{ matrix.ext }} |
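Review bot: moving the target from `node18-…` to `node20-…` only works if the `pkg` binary invoked here comes from a packager that ships node20 base binaries; the hunk does not show the install step, so confirm the job installs the new packager (the same one package.json now depends on) rather than the archived one. Also confirm that every `${{ matrix.platform }}` value, including the Windows entry, is a platform segment the packager accepts, and that a rejected target fails the step rather than silently producing no artifact.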
Invalid Windows pkg target
High Severity
The release workflow and build:binaries script pass windows as the pkg platform segment (e.g. node20-windows-x64), but @yao-pkg/pkg expects win in the target triple. Windows matrix builds likely fail or skip producing the .exe that gets uploaded to the GitHub release.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 81: Update the `engines.node` declaration in package.json to require Node
22 or higher to match the actual requirement of the `@yao-pkg/pkg` dependency, or
alternatively add clear documentation in the package.json or a README file
specifying that while the runtime requires Node 20+, the build:binaries script
specifically requires Node 22+. Choose the appropriate solution based on your
project's requirements.
Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (2): .github/workflows/release.yml, package.json
| "@types/node": "^25.9.2", | ||
| "@types/react": "^19.2.17", | ||
| "@vitest/coverage-v8": "^4.1.8", | ||
| "@yao-pkg/pkg": "^6.20.0", |
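Review bot: `"@yao-pkg/pkg": "^6.20.0"` adds a dev tool whose own Node requirement (>=22 per the lockfile quoted in the review) is stricter than the package's `engines.node`, and package.json has no way to express a per-script engine. Record next to the `build:binaries` script, or in the contributor docs, that building binaries needs Node 22+ while the CLI itself runs on Node 20+, so a contributor on Node 20 gets a documented failure rather than a surprising one.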
🧩 Analysis chain
Script executed:
#!/bin/bash
# Verify engine requirements across package.json and resolved dependencies
# Check package.json engines declaration
echo "=== package.json engines ==="
jq '.engines.node' package.json
# Check @yao-pkg/pkg engine requirement in lockfile
# (the package name is written bare here: backticks inside double quotes would be
# executed as a command substitution by bash)
echo -e "\n=== @yao-pkg/pkg engines from lockfile ==="
rg -A2 "^\s*'@yao-pkg/pkg@" pnpm-lock.yaml | rg "engines:"
# Check if build:binaries script uses @yao-pkg/pkg
echo -e "\n=== build:binaries script ==="
jq '.scripts["build:binaries"]' package.json
Repository: wiiiimm/gh-manager-cli
Length of output: 331
Engine requirement mismatch between package declaration and dev dependency.
The @yao-pkg/pkg dependency requires node >=22.0.0 (per lockfile), but package.json declares engines.node: ">=20". Contributors using Node 20 or 21 will satisfy the package engine requirement but encounter failures when running build:binaries, since the underlying pkg tool mandates Node 22+.
Consider either raising the package engines requirement to >=22, or documenting that the build:binaries script requires Node 22+ whilst the runtime usage only requires 20+.
The CLI runtime engine stays at Node >=20, but @yao-pkg/pkg requires Node >=22 to run. Document this in the Packaging section so contributors on Node 20/21 know the binary build needs a newer Node, rather than raising engines.node and wrongly forcing end users onto Node 22. Addresses CodeRabbit engine-mismatch note on PR #131. The companion "Invalid Windows pkg target" finding is a false positive: pkg-fetch's toFancyPlatform aliases "windows" -> "win" during target parsing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
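The semantic-release, @yao-pkg/pkg and env-paths/open findings in this thread are all the same comparison: one Node version checked against an npm-style `engines.node` range. The evaluator below is an added example (not the project's code and not the npm semver library); the engine ranges in `ENGINES` are copied from the review comments above, and the evaluator assumes the subset of range syntax those packages actually declare.

```python
import re

COMPARATOR_RE = re.compile(r"(\^|>=|<=|<|=)?\s*v?(\d+(?:\.\d+){0,2})")

def parse_version(text: str) -> tuple[int, int, int]:
    """'22.14.0' -> (22, 14, 0); a bare '20' means 20.0.0."""
    parts = [int(p) for p in text.strip().lstrip("v").split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]

def satisfies(version: str, range_text: str) -> bool:
    """Evaluate an npm-style engines range against one Node version.
    '||' separates alternatives; whitespace inside an alternative means AND.
    Supports ^, >=, <=, <, = and bare versions. Assumption: no tilde, hyphen
    ranges or x-wildcards, which none of the packages in this PR declare.
    """
    v = parse_version(version)
    for alternative in range_text.split("||"):
        comparators = COMPARATOR_RE.findall(alternative)
        if not comparators:
            continue
        ok = True
        for op, raw in comparators:
            lo = parse_version(raw)
            if op == "^":          # caret: stays within the same major line
                ok = ok and lo <= v < (lo[0] + 1, 0, 0)
            elif op == ">=":
                ok = ok and v >= lo
            elif op == "<=":
                ok = ok and v <= lo
            elif op == "<":
                ok = ok and v < lo
            else:                  # '=' or a bare exact version
                ok = ok and v == lo
        if ok:
            return True
    return False

def unsupported_tools(node_version: str, engines: dict[str, str]) -> list[str]:
    """Tools whose declared engines range the given Node version fails to satisfy."""
    return [name for name, rng in engines.items() if not satisfies(node_version, rng)]

# Constructed table using the engine ranges quoted in the review comments above.
ENGINES = {
    "semantic-release": "^22.14.0 || >= 24.10.0",
    "@yao-pkg/pkg": ">=22.0.0",
    "env-paths": ">=20",
    "open": ">=20",
}
```

Note that a bare `22` parses as 22.0.0, which `^22.14.0` rejects; a `setup-node` step given `node-version: 22` resolves to the newest 22.x, so check the resolved version, not the short label.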
@coderabbitai review
Action performed: Review finished.
Consolidates all 13 open Dependabot PRs (#116–#129) into a single update so they can be reviewed and merged together.
Closes #130
npm — group (#129)
npm — major bumps (individual)
GitHub Actions
Verification
pnpm typecheck (TypeScript 6) ✅
pnpm build ✅
pnpm test — 456/456 passing across 47 files ✅
Linear: GMC-45
🤖 Generated with Claude Code
Note
Medium Risk
Broad dependency and Node baseline changes affect build, release, and OAuth/browser-open behavior; major bumps (TS 6, semantic-release 25, open 11) warrant extra attention on CI and first release after merge.
Overview
This PR rolls up many open Dependabot bumps into one change: npm dependencies, GitHub Actions, and toolchain/runtime alignment.
Runtime & packaging:
engines.node and docs now require Node ≥20 (was ≥18). Standalone binaries switch from the archived pkg to @yao-pkg/pkg, with node20-* pack targets (was node18-*). Release and binary CI jobs run on Node 22 because the new packager needs it; end users of the CLI still only need Node 20+ to run.
Dependencies:
Major bumps include TypeScript 6, semantic-release 25, Vitest/coverage 4.x, open 11, env-paths 4, ink-testing-library 4, plus minor/patch updates across Apollo/Octokit, React 19.2, chalk, dotenv, fuse.js, and related dev tooling. Lockfile reflects the full graph (including semantic-release's newer Node requirements).
CI:
Workflows bump actions/checkout, setup-node, github-script, download-artifact, and cache to current major versions in pr-title-manager.yml and release.yml.
Reviewed by Cursor Bugbot for commit fe28406.
Summary by CodeRabbit
Chores
Documentation
pnpm build:binaries requires Node.js ≥ 22, while the CLI runtime remains Node.js ≥ 20.