Update NodeJS dependencies for security patches #245

Merged
data-douser merged 3 commits into main from dd/update-node-deps-in-main
Apr 13, 2026

Conversation

@data-douser
Collaborator

Dependency updates:

Linting and formatting tools:

  • Upgraded eslint to version ^10.2.0 and prettier to ^3.8.2 in all relevant package.json files. [1] [2] [3] [4]
  • Updated eslint-config-prettier, eslint-plugin-prettier, and typescript-eslint to their latest compatible versions where used. [1] [2] [3]

Type definitions and TypeScript:

  • Bumped @types/node and @types/vscode to newer versions, improving type coverage and compatibility. [1] [2]
  • Upgraded typescript-eslint and typescript dependencies to the latest patch versions. [1] [2] [3]

Testing tools:

  • Updated @vitest/coverage-v8 and vitest to newer versions for improved testing and coverage reporting. [1] [2]

These updates are routine maintenance and should not introduce breaking changes, but it's always good to run tests after upgrading dependencies.

@data-douser self-assigned this Apr 13, 2026
@data-douser added the enhancement (New feature or request) and dependencies (Pull requests that update a dependency file) labels Apr 13, 2026
@data-douser requested a review from enyil as a code owner April 13, 2026 03:08
Copilot AI review requested due to automatic review settings April 13, 2026 03:08
@data-douser requested a review from a team as a code owner April 13, 2026 03:08
@github-actions
Contributor

github-actions bot commented Apr 13, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA a9dded2.
Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Scorecard details
Package | Version | Score | Details
npm/eslint | ^10.2.0 | Unknown | Unknown
npm/prettier | ^3.8.2 | Unknown | Unknown
npm/@types/node | ^25.6.0 | Unknown | Unknown
npm/@vitest/coverage-v8 | ^4.1.4 | Unknown | Unknown
npm/eslint | ^10.2.0 | Unknown | Unknown
npm/prettier | ^3.8.2 | Unknown | Unknown
npm/typescript-eslint | ^8.58.1 | Unknown | Unknown
npm/vitest | ^4.1.4 | Unknown | Unknown
npm/@emnapi/core | 1.9.2 | 🟢 3.8
Details
Check | Score | Reason
Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Maintained | 🟢 10 | 19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Security-Policy | ⚠️ 0 | security policy file not detected
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Packaging | 🟢 10 | packaging workflow detected
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/runtime | 1.9.2 | 🟢 3.8
Details
Check | Score | Reason
Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Maintained | 🟢 10 | 19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Security-Policy | ⚠️ 0 | security policy file not detected
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Packaging | 🟢 10 | packaging workflow detected
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@emnapi/wasi-threads | 1.2.1 | 🟢 3.8
Details
Check | Score | Reason
Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Maintained | 🟢 10 | 19 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Security-Policy | ⚠️ 0 | security policy file not detected
License | 🟢 10 | license file detected
Fuzzing | ⚠️ 0 | project is not fuzzed
Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches
Signed-Releases | ⚠️ 0 | Project has not signed or included provenance with any releases.
Packaging | 🟢 10 | packaging workflow detected
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@hono/node-server | 1.19.14 | Unknown | Unknown
npm/@napi-rs/wasm-runtime | 1.1.3 | 🟢 5.4
Details
Check | Score | Reason
Code-Review | 🟢 4 | Found 11/26 approved changesets -- score normalized to 4
Maintained | 🟢 10 | 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Packaging | ⚠️ -1 | packaging workflow not detected
Fuzzing | ⚠️ 0 | project is not fuzzed
License | 🟢 9 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@oxc-project/types | 0.124.0 | Unknown | Unknown
npm/@rolldown/binding-android-arm64 | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-darwin-arm64 | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-darwin-x64 | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-freebsd-x64 | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-arm-gnueabihf | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-arm64-gnu | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-arm64-musl | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-ppc64-gnu | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-s390x-gnu | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-x64-gnu | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-linux-x64-musl | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-openharmony-arm64 | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-wasm32-wasi | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-win32-arm64-msvc | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/binding-win32-x64-msvc | 1.0.0-rc.15 | Unknown | Unknown
npm/@rolldown/pluginutils | 1.0.0-rc.15 | Unknown | Unknown
npm/@types/node | 25.6.0 | 🟢 6.5
Details
Check | Score | Reason
Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging | ⚠️ -1 | packaging workflow not detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Code-Review | 🟢 8 | Found 26/29 approved changesets -- score normalized to 8
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Security-Policy | 🟢 10 | security policy file detected
License | 🟢 9 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts | 🟢 10 | no binaries found in the repo
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
npm/@types/vscode | 1.115.0 | 🟢 6.5
Details
Check | Score | Reason
Maintained | 🟢 10 | 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging | ⚠️ -1 | packaging workflow not detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Code-Review | 🟢 8 | Found 26/29 approved changesets -- score normalized to 8
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Security-Policy | 🟢 10 | security policy file detected
License | 🟢 9 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
Binary-Artifacts | 🟢 10 | no binaries found in the repo
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
npm/@typescript-eslint/eslint-plugin | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/parser | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/project-service | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/scope-manager | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/tsconfig-utils | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/type-utils | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/types | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/typescript-estree | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/utils | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@typescript-eslint/visitor-keys | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/@vitest/coverage-v8 | 4.1.4 | Unknown | Unknown
npm/@vitest/expect | 4.1.4 | Unknown | Unknown
npm/@vitest/mocker | 4.1.4 | Unknown | Unknown
npm/@vitest/pretty-format | 4.1.4 | Unknown | Unknown
npm/@vitest/runner | 4.1.4 | Unknown | Unknown
npm/@vitest/snapshot | 4.1.4 | Unknown | Unknown
npm/@vitest/spy | 4.1.4 | Unknown | Unknown
npm/@vitest/utils | 4.1.4 | Unknown | Unknown
npm/hono | 4.12.12 | Unknown | Unknown
npm/prettier | 3.8.2 | 🟢 7.2
Details
Check | Score | Reason
Maintained | 🟢 10 | 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 8 | Found 4/5 approved changesets -- score normalized to 8
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Security-Policy | 🟢 10 | security policy file detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | 🟢 8 | dependency not pinned by hash detected -- score normalized to 8
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 9 | SAST tool detected but not run on all commits
npm/rolldown | 1.0.0-rc.15 | Unknown | Unknown
npm/typescript-eslint | 8.58.1 | 🟢 5.8
Details
Check | Score | Reason
Code-Review | 🟢 7 | Found 15/21 approved changesets -- score normalized to 7
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Packaging | ⚠️ -1 | packaging workflow not detected
Maintained | 🟢 10 | 30 commit(s) and 22 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Signed-Releases | ⚠️ -1 | no releases found
Binary-Artifacts | 🟢 10 | no binaries found in the repo
Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0
npm/undici-types | 7.19.2 | 🟢 8.3
Details
Check | Score | Reason
Dependency-Update-Tool | 🟢 10 | update tool detected
Maintained | 🟢 10 | 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10
Code-Review | 🟢 10 | all changesets reviewed
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
Security-Policy | 🟢 9 | security policy file detected
Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions
Binary-Artifacts | 🟢 8 | binaries present in source code
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies | 🟢 4 | dependency not pinned by hash detected -- score normalized to 4
Vulnerabilities | 🟢 10 | 0 existing vulnerabilities detected
SAST | 🟢 9 | SAST tool detected but not run on all commits
Fuzzing | 🟢 10 | project is fuzzed
Packaging | 🟢 10 | packaging workflow detected
License | 🟢 10 | license file detected
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
CI-Tests | 🟢 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10
Contributors | 🟢 10 | project has 83 contributing companies or organizations
npm/vite | 8.0.8 | 🟢 6.5
Details
Check | Score | Reason
Code-Review | 🟢 5 | Found 16/28 approved changesets -- score normalized to 5
Maintained | 🟢 10 | 30 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Security-Policy | 🟢 10 | security policy file detected
Packaging | ⚠️ -1 | packaging workflow not detected
Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected
CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected
Token-Permissions | 🟢 5 | detected GitHub workflow tokens with excessive permissions
License | 🟢 10 | license file detected
Binary-Artifacts | 🟢 5 | binaries present in source code
Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6
Signed-Releases | ⚠️ -1 | no releases found
Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing | ⚠️ 0 | project is not fuzzed
SAST | 🟢 6 | SAST tool is not run on all commits -- score normalized to 6
npm/vitest | 4.1.4 | Unknown | Unknown
npm/eslint | ^10.2.0 | Unknown | Unknown
npm/@types/node | ^25.6.0 | Unknown | Unknown
npm/@vitest/coverage-v8 | ^4.1.4 | Unknown | Unknown
npm/eslint | ^10.2.0 | Unknown | Unknown
npm/prettier | ^3.8.2 | Unknown | Unknown
npm/typescript-eslint | ^8.58.1 | Unknown | Unknown
npm/vitest | ^4.1.4 | Unknown | Unknown

Scanned Files

  • client/package.json
  • extensions/vscode/package.json
  • package-lock.json
  • package.json
  • server/package.json

Contributor

Copilot AI left a comment

Pull request overview

This PR updates NodeJS development dependencies across the monorepo to pick up patch-level security and tooling fixes, and refreshes the generated server bundle artifact accordingly.

Changes:

  • Bumped eslint, prettier, and typescript-eslint versions in root and workspace package.json files.
  • Updated testing-related devDependencies (vitest, @vitest/coverage-v8) and type packages (notably @types/node, @types/vscode).
  • Regenerated/updated the tracked server bundle output under server/dist/.

Summary per file:

File | Description
package.json | Updates root dev tooling versions (eslint/prettier/typescript-eslint).
package-lock.json | Locks updated dependency graph reflecting the version bumps.
server/package.json | Updates server workspace dev tooling/testing/type versions.
server/dist/codeql-development-mcp-server.js | Updated tracked build artifact consistent with dependency updates.
extensions/vscode/package.json | Updates VS Code extension workspace dev tooling/testing/type versions.
client/package.json | Updates client workspace dev tooling versions (eslint/prettier).

Copilot's findings

  • Files reviewed: 4/7 changed files
  • Comments generated: 1

Comment thread extensions/vscode/package.json Outdated
Keep "@types/vscode" at minimum version "^1.110.0" until follow-up "next" release.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Nathan Randall <70299490+data-douser@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 13, 2026 03:13
Contributor

Copilot AI left a comment

Pull request overview

Updates NodeJS/tooling dependencies across the repo’s workspaces to pick up security patches and routine maintenance releases, along with regenerated lockfile and bundled server artifacts.

Changes:

  • Bump lint/format toolchain versions (ESLint, Prettier, typescript-eslint) across the monorepo.
  • Update testing/tooling deps (Vitest + coverage, Node/VS Code type packages) and regenerate package-lock.json.
  • Regenerate the checked-in server bundle in server/dist/ after dependency changes.

Summary per file:

File | Description
package.json | Updates root dev-tooling versions used across workspaces.
package-lock.json | Regenerated lockfile reflecting updated direct + transitive dependencies.
server/package.json | Updates server workspace tooling/test dependencies (ESLint/Prettier/Vitest/@types/node).
server/dist/codeql-development-mcp-server.js | Updated bundled server artifact consistent with dependency/tooling updates.
client/package.json | Aligns client workspace lint/format tooling versions with repo updates.
extensions/vscode/package.json | Aligns VS Code extension workspace tooling/test dependency versions with repo updates.

Copilot's findings

  • Files reviewed: 4/7 changed files
  • Comments generated: 1

Comment thread extensions/vscode/package.json
@data-douser merged commit 6384d3b into main Apr 13, 2026
20 checks passed
@data-douser deleted the dd/update-node-deps-in-main branch April 13, 2026 03:37