
chore(deps): consolidate dependency bumps, fix audit-prod CI gate #1118

Merged: matthewhanson merged 3 commits into main from chore/deps-consolidation on Jun 20, 2026

Conversation

@matthewhanson

Member

Summary

Gets the dependency tree current, fixes the red audit-prod CI gate, and consolidates the open lockfile/dev dependabot PRs into one reviewable change. Also adds dependabot grouping so this pileup doesn't recur.

Why CI was red for everyone (including main)

The audit-prod step (better-npm-audit --production) was failing on every branch — not because of any one dependency, but because ~33 newly-published advisories weren't excluded in .nsprc. The individual dependabot PRs each fixed only one advisory, so each alone still failed the gate. Only a combined update turns it green.

What this does

  • npm update of the production trees carrying advisories: @redocly/cli (2.19.0 → 2.34.0, the bulk of the advisories), express, lodash-es, fast-uri, fast-xml-parser/builder, path-to-regexp, picomatch, qs, and the aws-sdk clients. Clears all production advisories; audit-prod now passes.
  • npm update of dev-tree packages with remaining advisories — form-data, esbuild, tsx, axios, @hapi/wreck, @hapi/content, serialize-javascript, follow-redirects, brace-expansion, flatted. Full npm audit drops 27 → 18.
  • Empties .nsprc — all 32 prior exclusions are now stale (no longer match any advisory).
  • Adds dependabot grouping (.github/dependabot.yml) — batches minor/patch bumps into a couple of grouped PRs (separate prod/dev), groups security and github-actions updates, and leaves majors ungrouped so risky upgrades stay individually reviewable.

Intentionally excluded

  • @stoplight/spectral-* (openapi-lint, dev only): left at current versions because spectral-core 1.23.0 regresses check-openapi (crashes on openapi.yaml). Its advisory is dev-only and not in the CI gate.
  • got 13 → 14 and eslint 8 → 10: breaking majors handled in separate PRs (got 14 is an ESM rewrite used in ingest; eslint 9/10 needs a flat-config migration).

No package.json dependency changes — every update is within existing semver ranges.

Verification

All green locally (mirrors push.yaml): lint, typecheck, audit-prod (the previously-red gate), check-openapi, test:unit (69), test:system (171), build.

Supersedes these dependabot PRs

Closing as superseded (their target versions are present in this lockfile):
#1116 #1115 #1114 #1113 #1112 #1110 #1109 #1107 #1106 #1105 #1104 #1101 #1100 #1099 #1097 #1091 #1088 #1085 #1080 #1079 #1078 #1076 #1073 #1072

🤖 Generated with Claude Code
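The grouping layout the description lays out (separate prod/dev minor+patch groups, grouped security and github-actions updates, majors left ungrouped), written out as an added example; this is not the PR's actual .github/dependabot.yml, and the group names, schedule interval, directory and open-pull-requests-limit values are assumptions.

```yaml
# Added example reconstructed from the PR description, not the project's file.
# Group names, schedule, directory and limit values are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # The PR adds a per-ecosystem limit; this value is assumed.
    open-pull-requests-limit: 10
    groups:
      # Routine in-range bumps of the production tree arrive as one PR.
      prod-minor-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]
      # Dev-tooling bumps are batched separately so they can be reviewed
      # apart from anything that ships to production.
      dev-minor-patch:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      # Advisory-driven updates land together, so an audit gate that needs
      # several fixes at once is unblocked by one PR rather than one per
      # advisory (the failure mode described above).
      security-updates:
        applies-to: "security-updates"
        patterns: ["*"]
    # No group lists "major": major bumps fall through to individual PRs
    # and stay individually reviewable.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      actions:
        patterns: ["*"]
```

Because groups only match the update types they list, a major bump of any production or development package is never folded into a grouped PR; that is what keeps the risky upgrades (here got 14 and eslint 9/10) as separate changes.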

matthewhanson and others added 3 commits June 19, 2026 18:10
Surgically update the production dependency trees carrying open
advisories — @redocly/cli (2.19.0 -> 2.34.0, the bulk), express,
lodash-es, fast-uri, fast-xml-parser/builder, path-to-regexp,
picomatch, qs, and the aws-sdk clients — via in-range `npm update`.
This clears all ~33 production advisories that were failing the
`audit-prod` gate on every branch including main.

The update is intentionally narrow: the dev-only openapi-lint
toolchain (@stoplight/spectral-*) is left at its current versions
because spectral-core 1.23.0 regresses `check-openapi` (crashes on
openapi.yaml). got and eslint are likewise excluded — their major
bumps are handled separately. No package.json changes; every update
is within existing semver ranges.

With the lockfile current, all 32 prior .nsprc exclusions are stale
(no longer match any advisory), so .nsprc is emptied.

Consolidates the open lockfile-only dependabot PRs into one pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Batch npm minor/patch version updates into grouped PRs (separate
production and development groups) and group security updates, so
routine transitive bumps no longer arrive as dozens of individual
PRs. Major bumps are deliberately left ungrouped so risky upgrades
stay isolated and individually reviewable. Add a github-actions
ecosystem (grouped) and per-ecosystem open-pull-requests-limit.

Prevents recurrence of the dependabot PR pileup this branch
consolidates.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

In-range `npm update` of the development-tree packages still carrying
advisories that the production update did not reach: form-data,
esbuild, tsx, axios, @hapi/wreck, @hapi/content, serialize-javascript,
follow-redirects, brace-expansion, flatted. Full `npm audit` drops
from 27 to 18 advisories; the remainder are rooted in the pinned
openapi-lint toolchain (@stoplight/spectral-*) and other dev tooling
without available in-range fixes, and do not affect the production
`audit-prod` gate.

Completes consolidation of the open lockfile-only dependabot PRs.
spectral-core remains pinned at 1.19.5 so check-openapi still passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Contributor


Pull request overview

This PR updates repo automation/config around dependency management by clearing stale better-npm-audit exclusions and adding Dependabot grouping to reduce PR noise, with the stated goal of getting the audit-prod CI gate back to green.

Changes:

  • Empties .nsprc so previously-excluded advisories are no longer ignored.
  • Adds Dependabot grouping to batch npm minor/patch updates (separating prod vs dev), group security updates, and group GitHub Actions updates.
  • Raises explicit open PR limits for Dependabot updates.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

Reviewed files:

  • .nsprc: Removes all prior advisory exclusions by replacing the config with an empty JSON object.
  • .github/dependabot.yml: Adds grouping rules for npm minor/patch updates (prod/dev), security updates, and GitHub Actions updates.


@matthewhanson matthewhanson merged commit fc239e4 into main Jun 20, 2026
5 checks passed