chore(deps-dev): bump knip from 6.4.1 to 6.5.0 #149

Closed. dependabot[bot] wants to merge 1 commit into development from dependabot/npm_and_yarn/development/knip-6.5.0

@dependabot dependabot Bot commented on behalf of github Apr 20, 2026

Bumps knip from 6.4.1 to 6.5.0.

Release notes

Sourced from knip's releases.

Release 6.5.0

  • Drop project-extension-redundant config hint (resolve #1683) (f86092949d6dbd041fd621876da674fd3eac7534)
  • Add instructions to .agents/PLUGINS.md (e2943ed8fb6d2c0ab4cf12ff04d10bd5ab9fd5f7)
  • Add a plugin for react-email (#1684) (d8ae4d3ccb810b9a9211fd43e9d1e7d7b704fcaf) - thanks @​xaqrox!
  • Replace fast-glob with tinyglobby (#1462) (9f6b4c8aa6857fea40e66d008c905c948af10939) - thanks @​gameroman!
  • Added plugin for Serverless framework (#1478) (f885f1ded52427d984c67e7172e3141eb4e5ee29) - thanks @​BenCrinion-IW!
  • Add args to Prettier plugin to resolve --config CLI flag (#1685) (f4658c84e714afd8a2233b72be6169da1ac3723e) - thanks @​xaqrox!
  • fix(util): tolerate JSONC and array extends in findRootDirsBase (#1681) (f7e5464a6f70e9024a341fdb923766b5ff53a831) - thanks @​Hoffs!
  • Format (15bd7e7a56b470096cfee1690263d5d13ddb8fb6)
  • Inherit outDir/rootDir from tsconfig project references (resolve #1680) (b89b4f716f4c117b0106e9a212e9e5c46aa85035)
  • tsc → tsgo (a6e09ca1b65936b3790a6c3628a4646f030d18b8)
  • Update dependencies (4cb05c96a2ae7c790d29ee76ff13288c5bbb97a2)
  • Housekeep (28c56cb8bf68031b1c8e9bee75b18ee7274ec981)
  • Test test test (7eb4ab3a8a6635dcaf756bb2b4a88e1298615994)
  • Add pino plugin with transportCall visitor (resolve #1480) (53a033e4ddc5036c6a4a0e55c0abc42c5c64e4f5)
  • Add signal to projects using knip (dbedd665c1f8d735030600d3f68ef1825d9a2668)
  • Tune logos (3148f4d0485875370634b9b53c1b3aa7f6eafcc3)
  • Tweak knip-run tool response (42940381a947c46996ae4055e8789f6ea39cfca4)
  • Add workspace option to knip-run tool (64c4aaea89e3abb41d8695ebffc5538878520b21)
  • Remove old lingering experimentalTags (e503d108e5535800ac6467f4d92c7dd6a9e90037)
  • Fix compiler type (resolve #1689) (e7a69adb5e584eb6e5af9b4007820afcbcf27a08)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [knip](https://github.com/webpro-nl/knip/tree/HEAD/packages/knip) from 6.4.1 to 6.5.0.
- [Release notes](https://github.com/webpro-nl/knip/releases)
- [Commits](https://github.com/webpro-nl/knip/commits/knip@6.5.0/packages/knip)

---
updated-dependencies:
- dependency-name: knip
  dependency-version: 6.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 20, 2026
@github-actions

Knip Code Analysis

Found 8 total issues

| Category | Count |
| --- | --- |
| Unused Dependencies | 1 |
| Unused Dev Dependencies | 3 |
| Unused Exports | 4 |

Run pnpm knip locally to see the full report.

Use pnpm knip:filter pattern to filter results by file path.


Use /** @public */ JSDoc tags to mark intentionally exported symbols.

@github-actions

✅ Security audit passed

Passed (38/38)

  • ✅ Auth enforcement on protected routes (per-handler)
  • ✅ No dangerous functions (eval, innerHTML, etc.)
  • ✅ No hardcoded secrets in source
  • ✅ Security headers in next.config.ts
  • ✅ Cookie security (httpOnly, sameSite, secure)
  • ✅ No sensitive fields in API responses
  • ✅ No .env files committed to repo
  • ✅ No raw SQL in API routes
  • ✅ No fetch/redirect with unvalidated URLs in routes
  • ✅ Timing-safe comparison for secret values
  • ✅ No raw SQL migration files (schema-first only)
  • ✅ External fetch calls have timeouts
  • ✅ Docker container runs as non-root user
  • ✅ Public routes match proxy allowlist
  • ✅ File delete operations have path traversal defense
  • ✅ Password hashing uses Argon2 (not SHA-256/bcrypt)
  • ✅ Encrypted columns written via encrypt()
  • ✅ TOTP 2FA flow integrity
  • ✅ Emergency lockdown flow integrity
  • ✅ Scrub & delete (nuke) flow integrity
  • ✅ Backup restore flow integrity
  • ✅ Login flow integrity
  • ✅ Auth result checked before proceeding
  • ✅ Backup password inputs bounded before key derivation
  • ✅ Webhook delivery fetch uses redirect: "error"
  • ✅ SESSION_SECRET minimum-length guard in auth/crypto modules
  • ✅ Notification URL validators include SSRF protection
  • ✅ Dockerfile does not COPY sensitive files
  • ✅ No secret env vars in client components
  • ✅ Adapter Cookie headers guard against injection
  • ✅ Adapter files do not log credential values
  • ✅ No console.log in API routes
  • ✅ No TODO/FIXME in security-critical files
  • ✅ JSON.parse wrapped in try-catch
  • ✅ No swallowed errors in catch blocks
  • ✅ Request body size validation on upload routes
  • ✅ BigInt fields use string serialization
  • ✅ No raw error messages in API responses

Summary: 38/38 checks passed

See scripts/security-audit.ts for check definitions and SECURITY.md for the full security architecture.

dependabot Bot commented on behalf of github Apr 21, 2026

Superseded by #162.

@dependabot dependabot Bot closed this Apr 21, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/development/knip-6.5.0 branch April 21, 2026 14:28