Skip to content

Upgrade NodeJS dependencies and rebuild server/dist/**#189

Merged
data-douser merged 5 commits intomainfrom
dd/update-deps/2
Mar 27, 2026
Merged

Upgrade NodeJS dependencies and rebuild server/dist/**#189
data-douser merged 5 commits intomainfrom
dd/update-deps/2

Conversation

@data-douser
Copy link
Copy Markdown
Collaborator

@data-douser data-douser commented Mar 27, 2026

Dependency updates:

  • Upgraded @modelcontextprotocol/sdk from ^1.27.1 to ^1.28.0 in both client/package.json and server/package.json to use the latest SDK features and fixes. [1] [2]
  • Updated typescript-eslint from ^8.57.1 to ^8.57.2 in package.json, server/package.json, and extensions/vscode/package.json for improved linting and TypeScript support. [1] [2] [3]
  • Bumped vitest and @vitest/coverage-v8 to ^4.1.2 in server/package.json and extensions/vscode/package.json for better test coverage and stability. [1] [2] [3]
  • Updated typescript-eslint and vitest in extensions/vscode/package.json to their latest versions for consistency across the codebase.

@data-douser data-douser self-assigned this Mar 27, 2026
Copilot AI review requested due to automatic review settings March 27, 2026 01:44
@data-douser data-douser requested review from a team and enyil as code owners March 27, 2026 01:44
@data-douser data-douser added the dependencies Pull requests that update a dependency file label Mar 27, 2026
github-license-compliance[bot]
github-license-compliance bot found potential problems Mar 27, 2026
View reviewed changes
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
Comment thread package-lock.json Fixed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 27, 2026
edited
Loading

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 2 package(s) with unknown licenses.
See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 10c3dd2.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

client/package.json

PackageVersionLicenseIssue Type
@modelcontextprotocol/sdk^1.28.0NullUnknown License

server/package.json

PackageVersionLicenseIssue Type
@modelcontextprotocol/sdk^1.28.0NullUnknown License

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@modelcontextprotocol/sdk ^1.28.0 UnknownUnknown
npm/@vitest/coverage-v8 ^4.1.2 UnknownUnknown
npm/typescript-eslint ^8.57.2 UnknownUnknown
npm/vitest ^4.1.2 UnknownUnknown
npm/@emnapi/core 1.9.1 🟢 3.8
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Maintained🟢 1016 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime 1.9.1 🟢 3.8
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Maintained🟢 1016 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/wasi-threads 1.2.0 🟢 3.8
Details
CheckScoreReason
Code-Review⚠️ 0Found 1/30 approved changesets -- score normalized to 0
Maintained🟢 1016 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ 0Project has not signed or included provenance with any releases.
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@modelcontextprotocol/sdk 1.28.0 UnknownUnknown
npm/@napi-rs/wasm-runtime 1.1.1 🟢 5.2
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 2Found 2/10 approved changesets -- score normalized to 2
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 9license file detected
Packaging⚠️ -1packaging workflow not detected
Fuzzing⚠️ 0project is not fuzzed
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@oxc-project/types 0.122.0 UnknownUnknown
npm/@rolldown/binding-android-arm64 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-darwin-arm64 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-darwin-x64 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-freebsd-x64 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-arm-gnueabihf 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-arm64-gnu 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-arm64-musl 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-ppc64-gnu 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-s390x-gnu 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-x64-gnu 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-linux-x64-musl 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-openharmony-arm64 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-wasm32-wasi 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-win32-arm64-msvc 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/binding-win32-x64-msvc 1.0.0-rc.12 UnknownUnknown
npm/@rolldown/pluginutils 1.0.0-rc.12 UnknownUnknown
npm/@tybys/wasm-util 0.10.1 UnknownUnknown
npm/@typescript-eslint/eslint-plugin 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/parser 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/project-service 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/scope-manager 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/tsconfig-utils 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/type-utils 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/types 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/typescript-estree 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/utils 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/visitor-keys 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vitest/coverage-v8 4.1.2 UnknownUnknown
npm/@vitest/expect 4.1.2 UnknownUnknown
npm/@vitest/mocker 4.1.2 UnknownUnknown
npm/@vitest/pretty-format 4.1.2 UnknownUnknown
npm/@vitest/runner 4.1.2 UnknownUnknown
npm/@vitest/snapshot 4.1.2 UnknownUnknown
npm/@vitest/spy 4.1.2 UnknownUnknown
npm/@vitest/utils 4.1.2 UnknownUnknown
npm/brace-expansion 5.0.5 🟢 6.3
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1015 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 2Found 7/25 approved changesets -- score normalized to 2
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 9license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/lightningcss 1.32.0 UnknownUnknown
npm/lightningcss-android-arm64 1.32.0 UnknownUnknown
npm/lightningcss-darwin-arm64 1.32.0 UnknownUnknown
npm/lightningcss-darwin-x64 1.32.0 UnknownUnknown
npm/lightningcss-freebsd-x64 1.32.0 UnknownUnknown
npm/lightningcss-linux-arm-gnueabihf 1.32.0 UnknownUnknown
npm/lightningcss-linux-arm64-gnu 1.32.0 UnknownUnknown
npm/lightningcss-linux-arm64-musl 1.32.0 UnknownUnknown
npm/lightningcss-linux-x64-gnu 1.32.0 UnknownUnknown
npm/lightningcss-linux-x64-musl 1.32.0 UnknownUnknown
npm/lightningcss-win32-arm64-msvc 1.32.0 UnknownUnknown
npm/lightningcss-win32-x64-msvc 1.32.0 UnknownUnknown
npm/picomatch 2.3.2 🟢 6.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1020 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 3Found 6/20 approved changesets -- score normalized to 3
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 2SAST tool is not run on all commits -- score normalized to 2
npm/picomatch 4.0.4 🟢 6.2
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1020 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 3Found 6/20 approved changesets -- score normalized to 3
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 2SAST tool is not run on all commits -- score normalized to 2
npm/postcss 8.5.8 🟢 4.5
Details
CheckScoreReason
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 89 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8
Code-Review⚠️ 2Found 7/30 approved changesets -- score normalized to 2
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Signed-Releases⚠️ -1no releases found
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/rolldown 1.0.0-rc.12 UnknownUnknown
npm/tinyexec 1.0.4 UnknownUnknown
npm/tinyrainbow 3.1.0 UnknownUnknown
npm/typescript-eslint 8.57.2 🟢 5.8
Details
CheckScoreReason
Code-Review🟢 7Found 21/27 approved changesets -- score normalized to 7
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/vite 8.0.3 🟢 6.2
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 18 issue activity found in the last 90 days -- score normalized to 10
Code-Review🟢 4Found 11/23 approved changesets -- score normalized to 4
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions🟢 5detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Binary-Artifacts🟢 5binaries present in source code
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
Security-Policy🟢 10security policy file detected
SAST🟢 3SAST tool is not run on all commits -- score normalized to 3
npm/vitest 4.1.2 UnknownUnknown
npm/@modelcontextprotocol/sdk ^1.28.0 UnknownUnknown
npm/@vitest/coverage-v8 ^4.1.2 UnknownUnknown
npm/typescript-eslint ^8.57.2 UnknownUnknown
npm/vitest ^4.1.2 UnknownUnknown

Scanned Files

  • client/package.json
  • extensions/vscode/package.json
  • package-lock.json
  • server/package.json

Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the repo’s Node.js dependencies (notably the MCP SDK and test/lint tooling) and rebuilds the committed server bundle in server/dist/** so the published server artifact reflects the new dependency versions.

Changes:

  • Bump @modelcontextprotocol/sdk to ^1.28.0 in both server and client workspaces.
  • Update lint/test tooling versions (typescript-eslint, vitest, @vitest/coverage-v8) across the root, server, and VS Code extension.
  • Regenerate server/dist/codeql-development-mcp-server.js and refresh package-lock.json accordingly.

Reviewed changes

Copilot reviewed 4 out of 7 changed files in this pull request and generated no comments.

Show a summary per file
File Description
package.json Updates repo-level typescript-eslint to keep root tooling consistent.
package-lock.json Refreshes the lockfile to reflect updated direct + transitive dependencies across workspaces.
client/package.json Bumps @modelcontextprotocol/sdk to ^1.28.0.
server/package.json Bumps @modelcontextprotocol/sdk, vitest, @vitest/coverage-v8, and typescript-eslint.
server/dist/codeql-development-mcp-server.js Rebuilt bundled server output incorporating SDK changes.
extensions/vscode/package.json Bumps vitest, @vitest/coverage-v8, and typescript-eslint for extension tooling parity.

data-douser and others added 2 commits March 26, 2026 20:47
@data-douser
Merge branch 'main' into dd/update-deps/2
ab2cd53
@data-douser
Override vite deps to remove lightningcss
51f1f5a 
Adds an `overrides` config in root `package.json` to force the
vite dependency to not require the installation of transitive
depdendencies related to lightningcss, which has licensing concerns
yet is unused by this project.
Copilot AI review requested due to automatic review settings March 27, 2026 13:53
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 7 changed files in this pull request and generated 1 comment.

Comment thread package.json Outdated
github-license-compliance[bot]
github-license-compliance bot found potential problems Mar 27, 2026
View reviewed changes
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Comment thread package-lock.json
Copy link
Copy Markdown
Collaborator Author

@data-douser data-douser Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The lightningcss dependency is not actually used. It is a transitive dependency of vite, and we don't use vite for the things that would invoke some lightningcss dependency. I tried and failed to override the dependency config.

Copilot AI review requested due to automatic review settings March 27, 2026 14:38
Copilot AI reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 7 changed files in this pull request and generated no new comments.

@data-douser data-douser merged commit 94ff831 into main Mar 27, 2026
22 checks passed
@data-douser data-douser deleted the dd/update-deps/2 branch March 27, 2026 15:10
This was referenced Mar 27, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Mar 27, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@enyil enyil Awaiting requested review from enyil enyil is a code owner

+1 more reviewer

@github-license-compliance github-license-compliance[bot] github-license-compliance[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@data-douser data-douser

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@data-douser