chore: Supply Corps sweep — npm refresh + audit fix (3 advisories cleared)#98
Closed
Goosterhof wants to merge 1 commit into
Closed
chore: Supply Corps sweep — npm refresh + audit fix (3 advisories cleared)#98Goosterhof wants to merge 1 commit into
Goosterhof wants to merge 1 commit into
Conversation
npm update (lockfile-only, in-range minor/patch refresh): - @vitest/coverage-v8 4.1.5 -> 4.1.7 - axios 1.16.0 -> 1.16.1 - oxlint 1.65.0 -> 1.67.0 - vitest 4.1.5 -> 4.1.7 - vue 3.5.33 -> 3.5.34 - vue-component-type-helpers 3.2.9 -> 3.3.2 - vue-router 5.0.6 -> 5.0.7 npm audit fix delta: - closes brace-expansion GHSA-jxxr-4gwj-5jf2 (moderate, transitive) - closes ws GHSA-58qx-3vcg-4xpx (moderate, transitive) - closes js-cookie GHSA-qjx8-664m-686j (high, transitive, also cleared by npm update range-resolution) - closes qs GHSA-q8mj-m7cp-5q26 partial — npm reports fixAvailable but the only nested copy is via @stryker-mutator/core -> typed-rest-client@2.3.1 -> qs@6.15.1; audit fix is a lockfile no-op without breaking Stryker's typed-rest-client pin This obsoletes the 6 open Dependabot PRs (#81, #90, #91, #92, #96, #97) — all were CI-red on the same baseline audit drift PR #95 was attempting to clear, and this sweep is a strict superset of PR #95's audit-fix payload. Verification (7 of 8 gates locally green): - Gate 1 npm audit: 2 moderate (qs/typed-rest-client under Stryker; dev-tree only, see Commander-disposition note in mission report) - Gate 2 format:check: PASS (145 files) - Gate 3 lint: PASS (oxlint 1.67.0, 0 warnings) - Gate 4 build: PASS (all 11 packages, dual ESM+CJS) - Gate 5 typecheck: PASS (all 11 packages) - Gate 6 lint:pkg: FAIL locally (documented queue #63 local-vs-CI parser disparity + queue #70 sideEffects Suggestion — CI is expected to pass per PR #95 precedent) - Gate 7 test:coverage: 528/528 tests PASS, 100% per-package thresholds met - Gate 8 test:mutation: PASS (all 11 packages >=90%; 100/94.81/97.18/100/97.30/92.50/91.20/92.73/96.67/98.36/93.33) Step 2E clean install (npm ci): PASS — no ERESOLVE; all 11 @script-development/* node_modules entries resolve to workspace symlinks (no nested registry copies, cascade-tax discipline intact). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploying fs-packages with
|
| Latest commit: |
d4008af
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://9ba4cb1a.fs-packages.pages.dev |
| Branch Preview URL: | https://chore-supply-corps-sweep-202.fs-packages.pages.dev |
8 tasks
Contributor
Author
|
Stacked child opened: #99 (oxlint 1.67 canonical rule adoption, selective per library Correctness-only posture). PR base is |
Contributor
PR Reviewer · 9/10 · PASS
Findings
Actionmerge-ready |
Goosterhof
added
the
Agent Review Requested
Contributor
Author
|
Closing as superseded. After #100 (comprehensive |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Supply Corps maintenance sweep —
npm update+npm audit fixagainst the Armory.fixAvailable: truebut the only path is a breaking change to Stryker's dev tree. Out of squad authority.npm auditbaseline drift (chore(deps-dev): bump vue from 3.5.33 to 3.5.35 #81 / chore(deps-dev): bump the vitest group across 1 directory with 2 updates #90 / chore(deps): bump axios from 1.16.0 to 1.16.1 #91 / chore(deps-dev): bump vue-router from 5.0.6 to 5.1.0 #92 / chore(deps-dev): bump the oxc group across 1 directory with 2 updates #96 / chore(deps): bump vue-component-type-helpers from 3.2.9 to 3.3.2 #97).Verification (8-gate locally)
lint:pkg) fails locally on the documented enforcement-queue fs-router 0.1.0 published peer-dep is stale (vue-router ^4.5.0 vs source ^5.0.6) — republish as 0.1.1 #63 (ANSI-parser disparity) + fs-dialog: forward host <dialog> ARIA attributes via dialog.open() options (#67) #70 (sideEffects) — CI is expected to pass per PR chore: npm audit fix — bump brace-expansion + ws transitive devDeps #95 precedent on identical attw + identical Suggestion shape.npm ciclean: noERESOLVE, all 11@script-development/*resolve to workspace symlinks. Cascade-tax discipline intact.Notes
attw 0.18.2produces a new local-only signal (exited 3) that did not appear in CI 2026-05-21 — reproduces against stashed lockfile so it's not in this sweep's delta. Likely WSL/macOS env edge in attw's tarball inspector. Surfaced here for visibility; will be folded into the next queue fs-router 0.1.0 published peer-dep is stale (vue-router ^4.5.0 vs source ^5.0.6) — republish as 0.1.1 #63 / fs-dialog: forward host <dialog> ARIA attributes via dialog.open() options (#67) #70 sweep.--audit-level=hightoci.ymlwould unblock dev-tree advisories on this and future bumps. Would have spared PR chore: npm audit fix — bump brace-expansion + ws transitive devDeps #95 + the 6 Dependabot PRs from review-cycle friction.Full mission report:
war-room/reports/fs-packages/execution/2026-05-26-supply-corps-sweep.md.🤖 Generated with Claude Code