chore(deps): consolidate dependency bumps, fix audit-prod CI gate#1118
Surgically update the production dependency trees carrying open advisories — @redocly/cli (2.19.0 -> 2.34.0, the bulk), express, lodash-es, fast-uri, fast-xml-parser/builder, path-to-regexp, picomatch, qs, and the aws-sdk clients — via in-range `npm update`. This clears all ~33 production advisories that were failing the `audit-prod` gate on every branch including main. The update is intentionally narrow: the dev-only openapi-lint toolchain (@stoplight/spectral-*) is left at its current versions because spectral-core 1.23.0 regresses `check-openapi` (crashes on openapi.yaml). got and eslint are likewise excluded — their major bumps are handled separately. No package.json changes; every update is within existing semver ranges. With the lockfile current, all 32 prior .nsprc exclusions are stale (no longer match any advisory), so .nsprc is emptied. Consolidates the open lockfile-only dependabot PRs into one pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Batch npm minor/patch version updates into grouped PRs (separate production and development groups) and group security updates, so routine transitive bumps no longer arrive as dozens of individual PRs. Major bumps are deliberately left ungrouped so risky upgrades stay isolated and individually reviewable. Add a github-actions ecosystem (grouped) and per-ecosystem open-pull-requests-limit. Prevents recurrence of the dependabot PR pileup this branch consolidates. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
In-range `npm update` of the development-tree packages still carrying advisories that the production update did not reach: form-data, esbuild, tsx, axios, @hapi/wreck, @hapi/content, serialize-javascript, follow-redirects, brace-expansion, flatted. Full `npm audit` drops from 27 to 18 advisories; the remainder are rooted in the pinned openapi-lint toolchain (@stoplight/spectral-*) and other dev tooling without available in-range fixes, and do not affect the production `audit-prod` gate. Completes consolidation of the open lockfile-only dependabot PRs. spectral-core remains pinned at 1.19.5 so check-openapi still passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates repo automation/config around dependency management by clearing stale better-npm-audit exclusions and adding Dependabot grouping to reduce PR noise, with the stated goal of getting the audit-prod CI gate back to green.
Changes:
- Empties `.nsprc` so previously-excluded advisories are no longer ignored.
- Adds Dependabot grouping to batch npm minor/patch updates (separating prod vs dev), group security updates, and group GitHub Actions updates.
- Raises explicit open PR limits for Dependabot updates.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.nsprc` | Removes all prior advisory exclusions by replacing the config with an empty JSON object. |
| `.github/dependabot.yml` | Adds grouping rules for npm minor/patch updates (prod/dev), security updates, and GitHub Actions updates. |
Summary
Gets the dependency tree current, fixes the red `audit-prod` CI gate, and consolidates the open lockfile/dev dependabot PRs into one reviewable change. Also adds dependabot grouping so this pileup doesn't recur.

Why CI was red for everyone (including `main`)
The `audit-prod` step (`better-npm-audit --production`) was failing on every branch — not because of any one dependency, but because ~33 newly-published advisories weren't excluded in `.nsprc`. The individual dependabot PRs each fixed only one advisory, so each alone still failed the gate. Only a combined update turns it green.

What this does
- `npm update` of the production trees carrying advisories — `@redocly/cli` (2.19.0 → 2.34.0, the bulk of the advisories), `express`, `lodash-es`, `fast-uri`, `fast-xml-parser`/`builder`, `path-to-regexp`, `picomatch`, `qs`, and the aws-sdk clients. Clears all production advisories; `audit-prod` now passes.
- `npm update` of dev-tree packages with remaining advisories — `form-data`, `esbuild`, `tsx`, `axios`, `@hapi/wreck`, `@hapi/content`, `serialize-javascript`, `follow-redirects`, `brace-expansion`, `flatted`. Full `npm audit` drops 27 → 18.
- `.nsprc` — all 32 prior exclusions are now stale (no longer match any advisory).
- Dependabot grouping (`.github/dependabot.yml`) — batches minor/patch bumps into a couple of grouped PRs (separate prod/dev), groups security and github-actions updates, and leaves majors ungrouped so risky upgrades stay individually reviewable.

Intentionally excluded
- `@stoplight/spectral-*` (openapi-lint, dev only): left at current versions because `spectral-core` 1.23.0 regresses `check-openapi` (crashes on `openapi.yaml`). Its advisory is dev-only and not in the CI gate.
- `got` 13 → 14 and `eslint` 8 → 10: breaking majors handled in separate PRs (got 14 is an ESM rewrite used in ingest; eslint 9/10 needs a flat-config migration).

No `package.json` dependency changes — every update is within existing semver ranges.

Verification
All green locally (mirrors `push.yaml`): `lint`, `typecheck`, `audit-prod` (the previously-red gate), `check-openapi`, `test:unit` (69), `test:system` (171), `build`.

Supersedes these dependabot PRs
Closing as superseded (their target versions are present in this lockfile):
#1116 #1115 #1114 #1113 #1112 #1110 #1109 #1107 #1106 #1105 #1104 #1101 #1100 #1099 #1097 #1091 #1088 #1085 #1080 #1079 #1078 #1076 #1073 #1072
🤖 Generated with Claude Code
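The grouping policy described in this PR (minor/patch bumps batched per dependency type, security updates grouped, github-actions grouped, majors left ungrouped) as an added example of what such a `.github/dependabot.yml` can look like. This is not the file from the PR; the group names, schedule, pull-request limits, and the `ignore` entry that keeps the pinned spectral toolchain from being bumped are assumptions made for the example.

```yaml
# Added example, not the repository's own dependabot.yml.
# Group names, schedule, limits and the spectral ignore rule are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Per-ecosystem cap so a burst of advisories cannot open dozens of PRs at once.
    open-pull-requests-limit: 10
    groups:
      # Routine minor/patch bumps to the production tree arrive as one PR,
      # which is what a gate like audit-prod needs to go green in one pass.
      npm-production-minor:
        applies-to: version-updates
        dependency-type: "production"
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # Dev-only toolchain kept in its own group so a dev regression
      # (e.g. a linter crash) never blocks a production fix.
      npm-development-minor:
        applies-to: version-updates
        dependency-type: "development"
        patterns: ["*"]
        update-types: ["minor", "patch"]
      # Security updates are batched too; one advisory per PR is the
      # pattern this PR consolidates away.
      npm-security:
        applies-to: security-updates
        patterns: ["*"]
    # No group lists "major", so a major bump matches nothing and is
    # opened as an individual, separately reviewable PR.
    ignore:
      # Assumption for the example: hold the pinned openapi-lint toolchain,
      # since the PR reports that spectral-core 1.23.0 breaks check-openapi.
      - dependency-name: "@stoplight/spectral-*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      actions:
        patterns: ["*"]
```

An `ignore` rule only suppresses version updates; a security update for an ignored package is still raised, so the advisory stays visible rather than silently parked. The `dependency-type` groups rely on `package.json` distinguishing `dependencies` from `devDependencies`, which is also what `better-npm-audit --production` uses to scope the `audit-prod` gate.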