
Commit 1632bdd

chore: bump deps and adopt Socket Firewall Free in CI (#169)

* chore: bump deps and adopt Socket Firewall Free in CI

  Refresh toolchain and parser packages to latest, and route CI dependency installs through Socket Firewall Free so malicious packages are blocked before they reach runners.

* chore: add changeset for dependency refresh
1 parent 231d6cc commit 1632bdd

7 files changed

Lines changed: 195 additions & 149 deletions

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"@stainless-code/codemap": patch
3+
---
4+
5+
Refresh runtime and toolchain dependencies (oxc-parser, oxc-resolver, oxfmt, oxlint, @clack/prompts, tinyglobby, and related dev tooling) to latest compatible releases.
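Review bot: the changeset describes only the dependency refresh, but this commit also changes consumer-visible behaviour in action.yml (the action's lazy `npm install` is now wrapped with `sfw` whenever it is on PATH). Since the changeset drives the published CHANGELOG for `@stainless-code/codemap`, consider adding a sentence such as "The GitHub Action now routes its internal `npm install` through Socket Firewall when `sfw` is available" so action users learn about the new behaviour from the release notes.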

.github/CONTRIBUTING.md

Lines changed: 2 additions & 0 deletions
@@ -9,6 +9,8 @@ Codemap is in **bootstrap / extraction** phase. Before large PRs, please open an
99

1010
```bash
1111
bun install # runs `prepare` → Husky git hooks
12+
# Optional supply-chain guard — [Socket Firewall Free](https://github.com/SocketDev/sfw-free):
13+
# npm i -g sfw && sfw bun install
1214
bun run dev # same as `bun src/index.ts` — CLI from source
1315
bun test
1416
bun run test:golden # golden SQL vs fixtures/minimal (also runs at end of `bun run check`)
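Review bot: the suggested bootstrap `npm i -g sfw` on line 13 installs the firewall itself unpinned and, by construction, unprotected, while CI pins the Socket action to a full commit SHA. For consistency with the rest of the project (exact versions in package.json, SHA-pinned actions), consider recommending a pinned version, e.g. `npm i -g sfw@<version>`, and mentioning that the firewall cannot cover its own installation. The comment also calls the guard "optional" for contributors while CI now fails hard without it; stating that explicitly avoids surprises when a local install succeeds but the same package is blocked in CI.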

.github/actions/setup/action.yml

Lines changed: 7 additions & 2 deletions
@@ -1,14 +1,19 @@
11
name: Setup
2-
description: Setup Bun and install packages (frozen lockfile)
2+
description: Setup Bun and install packages (frozen lockfile, Socket Firewall)
33

44
runs:
55
using: composite
66
steps:
7+
- name: Socket Firewall
8+
uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f
9+
with:
10+
mode: firewall-free
11+
712
- name: Setup Bun
813
uses: oven-sh/setup-bun@v2
914
with:
1015
bun-version: latest
1116

1217
- name: Install packages
1318
shell: bash
14-
run: bun install --frozen-lockfile
19+
run: sfw bun install --frozen-lockfile
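Review bot: the `uses: socketdev/action@ba6de6cc...` pin on line 8 is a full commit SHA, which is the right choice for a security control, but it carries no trailing version comment (e.g. `# vX.Y.Z`); Dependabot and Renovate use that comment to keep SHA pins current, so without it this pin will silently go stale. The install step on line 19 now depends unconditionally on `sfw` being on PATH, which is correct fail-closed behaviour; the composite action's description should say so, since any consumer of this setup action on a self-hosted runner without network access to Socket will now fail at install rather than fall back.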

.github/workflows/release.yml

Lines changed: 6 additions & 1 deletion
@@ -23,13 +23,18 @@ jobs:
2323
with:
2424
fetch-depth: 0
2525

26+
- name: Socket Firewall
27+
uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f
28+
with:
29+
mode: firewall-free
30+
2631
- name: Setup Bun
2732
uses: oven-sh/setup-bun@v2
2833
with:
2934
bun-version: latest
3035

3136
- name: Install dependencies
32-
run: bun install --frozen-lockfile
37+
run: sfw bun install --frozen-lockfile
3338

3439
# Opens/updates the Version PR when `.changeset/*.md` exist. When there are none, the action
3540
# can still run `publish` (see changesets/action) so a just-merged Version PR can ship.
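Review bot: lines 26-37 duplicate the Socket Firewall, Setup Bun and install steps that `.github/actions/setup/action.yml` already provides in this same commit, so the SHA pin and the `sfw` wrapping now live in two places that must be updated together. Unless the release job needs something the composite action cannot do, replace these steps with `uses: ./.github/actions/setup` after the checkout so the firewall configuration has a single source of truth.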

action.yml

Lines changed: 6 additions & 1 deletion
@@ -146,7 +146,12 @@ runs:
146146
RESOLVED_WORKDIR="$(bash "${{ github.action_path }}/scripts/action-resolve-working-directory.sh" "$GITHUB_WORKSPACE" "$WORK_DIR")"
147147
# Action runs without its own node_modules; install the detector lazily.
148148
# Pinned to a known version so consumers get reproducible builds.
149-
npm install --no-save --prefix "$ACTION_STAGE" package-manager-detector@1.6.0
149+
NPM_INSTALL=(npm install --no-save --prefix "$ACTION_STAGE" package-manager-detector@1.6.0)
150+
if command -v sfw >/dev/null 2>&1; then
151+
sfw "${NPM_INSTALL[@]}"
152+
else
153+
"${NPM_INSTALL[@]}"
154+
fi
150155
cp "${{ github.action_path }}/scripts/detect-pm.mjs" \
151156
"${{ github.action_path }}/scripts/codemap-invocation.mjs" \
152157
"$ACTION_STAGE/"
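Review bot: the `if command -v sfw` branch on lines 150-154 falls back to an unguarded `npm install` silently, and for most consumers of this action `sfw` will not be on the runner, so the guard rarely applies while the comment above still promises reproducible, protected installs. At minimum emit a notice in the `else` branch (e.g. `echo "::notice::sfw not found; installing package-manager-detector without Socket Firewall"`) so the fallback is visible in the job log, and consider documenting that consumers who want the guard must add the Socket step before this action. The array form `NPM_INSTALL=(...)` with `"${NPM_INSTALL[@]}"` is a good choice here; it preserves word splitting correctly for both call sites.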

bun.lock

Lines changed: 160 additions & 136 deletions
Some generated files are not rendered by default.

package.json

Lines changed: 9 additions & 9 deletions
@@ -75,15 +75,15 @@
7575
"version": "changeset version && bun run format CHANGELOG.md"
7676
},
7777
"dependencies": {
78-
"@clack/prompts": "1.4.0",
78+
"@clack/prompts": "1.5.1",
7979
"@modelcontextprotocol/sdk": "1.29.0",
8080
"better-sqlite3": "12.10.0",
8181
"chokidar": "5.0.0",
8282
"lightningcss": "1.32.0",
83-
"oxc-parser": "0.133.0",
84-
"oxc-resolver": "11.19.1",
83+
"oxc-parser": "0.134.0",
84+
"oxc-resolver": "11.20.0",
8585
"package-manager-detector": "1.6.0",
86-
"tinyglobby": "0.2.16",
86+
"tinyglobby": "0.2.17",
8787
"zod": "4.4.3"
8888
},
8989
"devDependencies": {
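Review bot: `oxc-parser` (0.133.0 to 0.134.0 on line 83) is a 0.x package, so a minor bump can carry breaking AST or API changes; since the commit message describes these as "latest compatible releases", please confirm that `bun run test:golden` was run against the refreshed parser, as the golden SQL fixtures are the check most likely to catch a parser-level change. The exact pins (no caret) together with `--frozen-lockfile` in CI are the right combination for a supply-chain-sensitive tool.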
@@ -92,12 +92,12 @@
9292
"@types/better-sqlite3": "7.6.13",
9393
"@types/bun": "1.3.14",
9494
"@types/node": "25.9.1",
95-
"@typescript/native-preview": "7.0.0-dev.20260526.1",
95+
"@typescript/native-preview": "7.0.0-dev.20260604.1",
9696
"husky": "9.1.7",
97-
"lint-staged": "17.0.5",
98-
"oxfmt": "0.52.0",
99-
"oxlint": "1.67.0",
100-
"tsdown": "0.22.0",
97+
"lint-staged": "17.0.7",
98+
"oxfmt": "0.53.0",
99+
"oxlint": "1.68.0",
100+
"tsdown": "0.22.2",
101101
"typescript": "6.0.3",
102102
"unrun": "0.3.0"
103103
},
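Review bot: `@typescript/native-preview` on line 95 is bumped from one dated nightly build to another (`7.0.0-dev.20260604.1`), so this devDependency intentionally tracks pre-release output; consider noting in the changeset or a code comment why the nightly is required over the stable `typescript` 6.0.3 that is also pinned on line 101, so future maintainers do not "fix" it by aligning the two.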
