Commit e0816b7
chore: consolidate safe dependency updates and tighten Dependabot policy (#411)
**Requirements**
- [x] I have added test coverage for new or changed functionality
(existing suite validates the build/runtime; this change is dev-tooling
+ config only)
- [x] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [x] I have validated my changes against all supported platform
versions
**Related issues**
Replaces the currently open Dependabot PRs (#374, #377, #388, #392,
#393, #394), all of which are major-version bumps.
**Describe the solution you've provided**
This consolidates dependency maintenance into a single, tested PR and
codifies a safer Dependabot policy.
1. **Dependency update (`package.json`)** — bumps the `esbuild`
devDependency `^0.24.0` → `^0.28.1` to resolve the moderate advisory
GHSA-67mh-4wv8-2f99 (esbuild `<=0.24.2` dev server request). `npm audit`
now reports **0 vulnerabilities**. esbuild `0.28.1` was released
2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the
only actionable update under the new same-major policy: `npm outdated`
shows every other outstanding update is a major bump with no security
justification, and everything else is already at the latest version
within its current major.
2. **Dependabot policy (`.github/dependabot.yml`)** — for both the `npm`
and `github-actions` ecosystems:
- `cooldown: { default-days: 7 }` enforces the dependency quarantine
(only adopt releases ≥7 days old) going forward.
- `ignore` on `dependency-name: "*"` with `update-types:
["version-update:semver-major"]` restricts version-update PRs to the
current major. Per GitHub's docs, `update-types` does not affect
security updates, so Dependabot will still open a major-version PR when
required to resolve a vulnerability.
Validated locally: `npm run build`, `npm run lint`, `tsc`, and the full
`jest` suite (93 tests) all pass, and `npm audit` is clean.
**Describe alternatives you've considered**
- Adopting the open React 19 devDependency bumps (react, react-dom,
react-test-renderer and their `@types`) and `actions/setup-node` v6.
These are all major bumps with no security driver, so they are
intentionally excluded under the new same-major policy. They can be
pursued separately as deliberate, tested major upgrades if desired.
- A global `semver-major` ignore alone (without noting the security
exemption): documented behavior confirms security updates are unaffected
by `update-types`, so the security-major path remains open.
**Additional context**
The 7-day quarantine and same-major restriction reduce exposure to
supply-chain risk from freshly published or major releases while keeping
security fixes flowing.
Link to Devin session:
https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601
Requested by: @kinyoklion
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> DevDependency and Dependabot config only; no changes to the published
SDK runtime or consumer-facing APIs.
>
> **Overview**
> Bumps the **esbuild** devDependency from `^0.24.0` to `^0.28.1` to
address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request
handling in older esbuild). This is a build-time-only change.
>
> Updates **`.github/dependabot.yml`** for both **npm** and
**github-actions**: documents the existing 7-day **cooldown** quarantine
and adds a global **`ignore`** for **`version-update:semver-major`**, so
routine Dependabot PRs stay on the current major. Security-driven
updates can still propose major bumps per GitHub’s rules.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
503cc1f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>1 parent 3cdfcf0 commit e0816b7
2 files changed
Lines changed: 15 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| 7 | + | |
7 | 8 | | |
8 | 9 | | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
9 | 16 | | |
10 | 17 | | |
11 | 18 | | |
12 | 19 | | |
| 20 | + | |
13 | 21 | | |
14 | 22 | | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
| |||
0 commit comments