chore: consolidate safe dependency updates and tighten Dependabot policy#411
Merged
Merged
Conversation
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Contributor
|
@cursor review |
Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
Co-Authored-By: rlamb@launchdarkly.com <4955475+kinyoklion@users.noreply.github.com>
bcd772d to
503cc1f
Compare
joker23
approved these changes
Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Requirements
Related issues
Replaces the currently open Dependabot PRs (#374, #377, #388, #392, #393, #394), all of which are major-version bumps.
Describe the solution you've provided
This consolidates dependency maintenance into a single, tested PR and codifies a safer Dependabot policy.
Dependency update (
package.json) — bumps theesbuilddevDependency^0.24.0→^0.28.1to resolve the moderate advisory GHSA-67mh-4wv8-2f99 (esbuild<=0.24.2dev server request).npm auditnow reports 0 vulnerabilities. esbuild0.28.1was released 2026-06-11 (~25 days ago), satisfying a 7-day quarantine. This is the only actionable update under the new same-major policy:npm outdatedshows every other outstanding update is a major bump with no security justification, and everything else is already at the latest version within its current major.Dependabot policy (
.github/dependabot.yml) — for both thenpmandgithub-actionsecosystems:cooldown: { default-days: 7 }enforces the dependency quarantine (only adopt releases ≥7 days old) going forward.ignoreondependency-name: "*"withupdate-types: ["version-update:semver-major"]restricts version-update PRs to the current major. Per GitHub's docs,update-typesdoes not affect security updates, so Dependabot will still open a major-version PR when required to resolve a vulnerability.Validated locally:
npm run build,npm run lint,tsc, and the fulljestsuite (93 tests) all pass, andnpm auditis clean.Describe alternatives you've considered
@types) andactions/setup-nodev6. These are all major bumps with no security driver, so they are intentionally excluded under the new same-major policy. They can be pursued separately as deliberate, tested major upgrades if desired.semver-majorignore alone (without noting the security exemption): documented behavior confirms security updates are unaffected byupdate-types, so the security-major path remains open.Additional context
The 7-day quarantine and same-major restriction reduce exposure to supply-chain risk from freshly published or major releases while keeping security fixes flowing.
Link to Devin session: https://app.devin.ai/sessions/9a6e6afb929646c3b9d14c4f13a17601
Requested by: @kinyoklion
Note
Low Risk
DevDependency and Dependabot config only; no changes to the published SDK runtime or consumer-facing APIs.
Overview
Bumps the esbuild devDependency from
^0.24.0to^0.28.1to address moderate advisory GHSA-67mh-4wv8-2f99 (dev-server request handling in older esbuild). This is a build-time-only change.Updates
.github/dependabot.ymlfor both npm and github-actions: documents the existing 7-day cooldown quarantine and adds a globalignoreforversion-update:semver-major, so routine Dependabot PRs stay on the current major. Security-driven updates can still propose major bumps per GitHub’s rules.Reviewed by Cursor Bugbot for commit 503cc1f. Bugbot is set up for automated code reviews on this repo. Configure here.