You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After the Wrynose workspace update landed through #524 and #527, it may be useful to track the remaining dependency, npm audit, and parser-maintenance work in one place.
This is intended as a coordination issue, not as a proposal to solve everything in a single PR. I would appreciate maintainer guidance on the preferred direction before opening overlapping dependency or parser PRs.
A local npm audit check on current staging reports root-level audit warnings.
A local lockfile-only audit refresh experiment reduced the root audit report from 13 vulnerabilities to 3, made the client audit clean, and left the server audit clean.
The remaining root audit warnings are transitive through Mocha:
mocha@11.7.6 -> diff@7.0.0
mocha@11.7.6 -> serialize-javascript@6.0.2
npm audit fix without --force does not currently resolve those remaining Mocha-related advisories.
Several dependency and parser-related PRs are already open and may need review, refresh, merge, or closure before opening overlapping work:
Review the existing dependency bump PRs and decide which ones should be refreshed, merged, superseded, or closed.
Treat the remaining Mocha-related audit warnings separately, since they are not resolved by a normal npm audit fix.
Treat web-tree-sitter, tree-sitter-bash, and tree-sitter-bitbake parser maintenance as a separate track.
Avoid bundling all dependency, audit, and parser changes into one large PR unless maintainers prefer that approach.
Would you prefer contributors to help by refreshing existing Dependabot PRs one by one, by opening new focused PRs for the remaining audit/parser tracks, or by taking a different route?
After the Wrynose workspace update landed through #524 and #527, it may be useful to track the remaining dependency, npm audit, and parser-maintenance work in one place.
This is intended as a coordination issue, not as a proposal to solve everything in a single PR. I would appreciate maintainer guidance on the preferred direction before opening overlapping dependency or parser PRs.
Current observations:
stagingreports root-level audit warnings.mocha@11.7.6 -> diff@7.0.0mocha@11.7.6 -> serialize-javascript@6.0.2npm audit fixwithout--forcedoes not currently resolve those remaining Mocha-related advisories.Possible split, subject to maintainer preference:
npm audit fix.web-tree-sitter,tree-sitter-bash, andtree-sitter-bitbakeparser maintenance as a separate track.Would you prefer contributors to help by refreshing existing Dependabot PRs one by one, by opening new focused PRs for the remaining audit/parser tracks, or by taking a different route?