chore: bump deps and adopt Socket Firewall Free in CI (#169)

SutuSebastian · web-flow · commit 1632bdd5cff7 · 2026-06-05T10:59:33.000+03:00
* chore: bump deps and adopt Socket Firewall Free in CI

Refresh toolchain and parser packages to latest, and route CI dependency
installs through Socket Firewall Free so malicious packages are blocked
before they reach runners.

* chore: add changeset for dependency refresh
diff --git a/.changeset/deps-socket-firewall-ci.md b/.changeset/deps-socket-firewall-ci.md
@@ -0,0 +1,5 @@
+---
+"@stainless-code/codemap": patch
+---
+
+Refresh runtime and toolchain dependencies (oxc-parser, oxc-resolver, oxfmt, oxlint, @clack/prompts, tinyglobby, and related dev tooling) to latest compatible releases.
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
@@ -9,6 +9,8 @@ Codemap is in **bootstrap / extraction** phase. Before large PRs, please open an
 
 ```bash
 bun install   # runs `prepare` → Husky git hooks
+# Optional supply-chain guard — [Socket Firewall Free](https://github.com/SocketDev/sfw-free):
+# npm i -g sfw && sfw bun install
 bun run dev   # same as `bun src/index.ts` — CLI from source
 bun test
 bun run test:golden   # golden SQL vs fixtures/minimal (also runs at end of `bun run check`)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -1,14 +1,19 @@
 name: Setup
-description: Setup Bun and install packages (frozen lockfile)
+description: Setup Bun and install packages (frozen lockfile, Socket Firewall)
 
 runs:
   using: composite
   steps:
+    - name: Socket Firewall
+      uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f
+      with:
+        mode: firewall-free
+
     - name: Setup Bun
       uses: oven-sh/setup-bun@v2
       with:
         bun-version: latest
 
     - name: Install packages
       shell: bash
-      run: bun install --frozen-lockfile
+      run: sfw bun install --frozen-lockfile
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,13 +23,18 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: Socket Firewall
+        uses: socketdev/action@ba6de6cc0565af1f42295590380973573297e31f
+        with:
+          mode: firewall-free
+
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
         with:
           bun-version: latest
 
       - name: Install dependencies
-        run: bun install --frozen-lockfile
+        run: sfw bun install --frozen-lockfile
 
       # Opens/updates the Version PR when `.changeset/*.md` exist. When there are none, the action
       # can still run `publish` (see changesets/action) so a just-merged Version PR can ship.
diff --git a/action.yml b/action.yml
@@ -146,7 +146,12 @@ runs:
         RESOLVED_WORKDIR="$(bash "${{ github.action_path }}/scripts/action-resolve-working-directory.sh" "$GITHUB_WORKSPACE" "$WORK_DIR")"
         # Action runs without its own node_modules; install the detector lazily.
         # Pinned to a known version so consumers get reproducible builds.
-        npm install --no-save --prefix "$ACTION_STAGE" package-manager-detector@1.6.0
+        NPM_INSTALL=(npm install --no-save --prefix "$ACTION_STAGE" package-manager-detector@1.6.0)
+        if command -v sfw >/dev/null 2>&1; then
+          sfw "${NPM_INSTALL[@]}"
+        else
+          "${NPM_INSTALL[@]}"
+        fi
         cp "${{ github.action_path }}/scripts/detect-pm.mjs" \
           "${{ github.action_path }}/scripts/codemap-invocation.mjs" \
           "$ACTION_STAGE/"
diff --git a/bun.lock b/bun.lock
diff --git a/package.json b/package.json
@@ -75,15 +75,15 @@
     "version": "changeset version && bun run format CHANGELOG.md"
   },
   "dependencies": {
-    "@clack/prompts": "1.4.0",
+    "@clack/prompts": "1.5.1",
     "@modelcontextprotocol/sdk": "1.29.0",
     "better-sqlite3": "12.10.0",
     "chokidar": "5.0.0",
     "lightningcss": "1.32.0",
-    "oxc-parser": "0.133.0",
-    "oxc-resolver": "11.19.1",
+    "oxc-parser": "0.134.0",
+    "oxc-resolver": "11.20.0",
     "package-manager-detector": "1.6.0",
-    "tinyglobby": "0.2.16",
+    "tinyglobby": "0.2.17",
     "zod": "4.4.3"
   },
   "devDependencies": {
@@ -92,12 +92,12 @@
     "@types/better-sqlite3": "7.6.13",
     "@types/bun": "1.3.14",
     "@types/node": "25.9.1",
-    "@typescript/native-preview": "7.0.0-dev.20260526.1",
+    "@typescript/native-preview": "7.0.0-dev.20260604.1",
     "husky": "9.1.7",
-    "lint-staged": "17.0.5",
-    "oxfmt": "0.52.0",
-    "oxlint": "1.67.0",
-    "tsdown": "0.22.0",
+    "lint-staged": "17.0.7",
+    "oxfmt": "0.53.0",
+    "oxlint": "1.68.0",
+    "tsdown": "0.22.2",
     "typescript": "6.0.3",
     "unrun": "0.3.0"
   },

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@stainless-code/codemap": patch
 +---
++
 +Refresh runtime and toolchain dependencies (oxc-parser, oxc-resolver, oxfmt, oxlint, @clack/prompts, tinyglobby, and related dev tooling) to latest compatible releases.