Bump deps to clear Dependabot security alerts + CI deprecations#2315
Conversation
Walkthrough: Comprehensive infrastructure and dependency modernization updating GitHub Actions versions across 14 workflows, bumping backend platform requirements, and coordinating frontend package upgrades with transitive dependency overrides to ensure consistent resolution across the monorepo.
Pre-merge checks: 5 passed.
UI unit tests: 1 file, 59 suites, 30s. Results for commit 0faf8da.
Actionable comments posted: 8
Inline comments:
In @.github/workflows/claude.yml:
- Line 29: Replace the mutable actions/checkout@v5 reference with a pin to the
corresponding full commit SHA: locate the workflow step that uses "uses:
actions/checkout@v5" and update it to the immutable "uses:
actions/checkout@<full-commit-sha>" for the same release (use the official
actions/checkout repository to find the latest commit SHA for v5), commit the
change, and ensure other workflow steps remain unchanged.
In @.github/workflows/codeql.yml:
- Line 46: Replace mutable action tags with immutable commit SHAs in the CodeQL
workflow: locate the `uses:` entries for `actions/checkout@v5`,
`github/codeql-action/init@v3`, and `github/codeql-action/analyze@v3` and pin
each to the corresponding full commit SHA (e.g., `actions/checkout@<sha>`,
`github/codeql-action/init@<sha>`, `github/codeql-action/analyze@<sha>`) so the
workflow references exact, immutable revisions; update the three `uses:` lines
accordingly and verify the SHAs match the intended release commits before
committing.
In @.github/workflows/deploy.yaml:
- Line 57: The workflow currently references the mutable tag
"actions/checkout@v5" which should be replaced with a SHA-pinned ref to reduce
supply-chain risk; locate both occurrences of actions/checkout@v5 in the deploy
workflow and replace them with the corresponding immutable commit SHAs (e.g.,
actions/checkout@<full-sha>) for the checkout steps that operate on the lexbox
and fleet repos, obtaining the correct SHA from the actions/checkout GitHub
repository release commit and using that SHA in both checkout steps so the
workflow always runs a fixed, verifiable action version.
In @.github/workflows/develop-ui.yaml:
- Around line 54-55: Replace the mutable action refs with SHA-pinned refs for
supply-chain hardening: locate the uses entries for actions/checkout@v5,
pnpm/action-setup@v5 and actions/setup-node@v5 in the develop-ui workflow and
update each to the equivalent full commit SHA ref (e.g.,
actions/checkout@<commit-sha>, pnpm/action-setup@<commit-sha>,
actions/setup-node@<commit-sha>), ensuring the SHAs match the corresponding
releases you intend to pin to and run a quick workflow lint/echo to verify the
YAML remains valid.
In @.github/workflows/fw-lite.yaml:
- Around line 37-40: The workflow uses several GitHub Action entries with
mutable tags (e.g., actions/checkout@v5, actions/setup-dotnet@v5,
arduino/setup-task@v2, pnpm/action-setup@v5, actions/setup-node@v5,
actions/upload-artifact@v5, actions/download-artifact@v5) — replace each "uses:
owner/repo@<tag>" occurrence with the corresponding "uses:
owner/repo@<full-commit-sha>" pinned to that release commit SHA; locate every
"uses:" line for the listed actions (checkout, setup-dotnet, arduino/setup-task,
pnpm/action-setup, setup-node, upload-artifact, download-artifact, etc.) and
update the tag to the exact commit SHA for the intended release to avoid mutable
tags and supply-chain risk. Ensure you fetch the canonical commit SHA from the
action's release or GitHub tags and use the full 40-character SHA in each
"uses:" entry.
In @.github/workflows/integration-test-gha.yaml:
- Around line 22-25: The workflow uses mutable action tags which can drift;
replace the `uses:` entries `actions/checkout@v5`, `actions/setup-dotnet@v5`,
and `actions/upload-artifact@v5` with their corresponding pinned commit SHAs
(immutable refs) across the workflow (lines where those `uses:` appear) by
looking up each action's latest stable commit on GitHub and updating the `uses:`
value to e.g. `actions/checkout@<SHA>`, `actions/setup-dotnet@<SHA>`, and
`actions/upload-artifact@<SHA>` so all references are fixed to exact commits.
In @.github/workflows/integration-test.yaml:
- Line 71: Replace the mutable GitHub Action tags with immutable commit SHAs:
locate the usages of actions/checkout@v5 and actions/setup-dotnet@v5 in the
workflow and swap the tag form for the corresponding full commit SHA for each
action (use the officially published SHA for the version you reviewed), updating
both occurrences so the workflow pins to specific commits rather than the `@v5`
tag.
In @.github/workflows/labeler.yaml:
- Line 13: The workflow uses an unpinned third-party action reference ("uses:
actions/labeler@v6") in the pull_request_target workflow with elevated
permission (pull-requests: write); replace the tag with a full commit SHA for
actions/labeler (e.g., actions/labeler@<commit-sha>) so the workflow is
SHA-pinned, ensuring the "uses: actions/labeler@v6" reference is updated to the
specific commit SHA while leaving the pull_request_target trigger and
pull-requests: write permission intact.
Files ignored due to path filters (2):
- frontend/pnpm-lock.yaml (excluded by !**/pnpm-lock.yaml)
- platform.bible-extension/package-lock.json (excluded by !**/package-lock.json)
Files selected for processing (18):
- .github/workflows/claude.yml
- .github/workflows/codeql.yml
- .github/workflows/deploy.yaml
- .github/workflows/develop-ui.yaml
- .github/workflows/fw-lite.yaml
- .github/workflows/integration-test-gha.yaml
- .github/workflows/integration-test.yaml
- .github/workflows/labeler.yaml
- .github/workflows/lexbox-api.yaml
- .github/workflows/lexbox-fw-headless.yaml
- .github/workflows/lexbox-hgweb.yaml
- .github/workflows/lexbox-ui.yaml
- .github/workflows/platform.bible-extension.yaml
- backend/FwLite/FwLiteMaui/FwLiteMaui.csproj
- backend/FwLite/FwLiteWeb/Program.cs
- frontend/package.json
- frontend/pnpm-workspace.yaml
- platform.bible-extension/package.json
Frontend (pnpm) — direct: @sveltejs/kit 2.49→2.60.1, @opentelemetry/sdk-node
0.208→0.217, @opentelemetry/auto-instrumentations-node 0.67→0.75, js-cookie
3.0.5→3.0.7. Catalog: vite→7.3.2, postcss→8.5.10. In viewer: lint-staged 13→15
(clears micromatch + yaml advisories naturally). Minimal pnpm.overrides for the
three transitives that don't have a clean parent-bump path: cookie (SvelteKit
still pins ^0.6), minimatch@9 (mjml→js-beautify chain), immutable@3
(graphql-codegen→relay-compiler@12 chain).
GitHub Actions — bump actions/{checkout,setup-node,setup-dotnet,upload-artifact,
download-artifact} v4→v5, pnpm/action-setup and arduino/setup-task SHA pins
→ v5/v2 tags, actions/labeler v5→v6, SHA-pin remaining actions, all for Node-24
compatibility ahead of the June 2026 deprecation. Drop the unused Claude Code
workflow.
FwLiteMaui — bump android SupportedOSPlatformVersion 23→24 to clear CA1416
warnings on BlazorWebView APIs (Android 6.0 Marshmallow is rounding-error
share in 2026; the WebView is the app, so the platform attribute was
inaccurate, not actually enabling API 23 support).
FwLiteWeb — drop the Assembly.Location dance, use AppContext.BaseDirectory
directly (IL3000).
The svelte 5.53→5.55 bump + detached-resource test harness moved to #2323; the
Platform.Bible extension (npm) bumps moved to their own PR. This PR is the
pnpm/CI/.NET dependency bumps only.
Not fixed (need follow-up issues): mjml ≤4.18.0 (no patch in v4 line — needs
v5 migration; html-minifier ReDoS is transitive via it).
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dependency and CI bumps only — kept trivially mergeable. The svelte 5.55+ bump and the detached-resource test harness that originally rode along here have moved to #2323.
Frontend (pnpm) — @sveltejs/kit 2.49→2.60.1, @opentelemetry/sdk-node 0.208→0.217, @opentelemetry/auto-instrumentations-node 0.67→0.75, js-cookie 3.0.5→3.0.7; catalog vite→7.3.2, postcss→8.5.10; viewer lint-staged 13→15. Minimal pnpm.overrides for three transitives without a clean parent bump: cookie, minimatch@9, immutable@3. svelte stays at develop's 5.53.5.
GitHub Actions — checkout/setup-node/setup-dotnet/upload-/download-artifact v4→v5, pnpm/action-setup + arduino/setup-task SHA→tag, labeler v5→v6, SHA-pin the rest (Node-24 deprecation). Drops the unused Claude Code workflow.
FwLiteMaui — android SupportedOSPlatformVersion 23→24 (clears CA1416 on BlazorWebView APIs). FwLiteWeb — use AppContext.BaseDirectory instead of Assembly.Location (IL3000).
Not fixed (follow-up issues): mjml ≤4.18.0 (needs v5 migration).
Verified locally: build + svelte-check clean (0 errors / 0 warnings) with the bumps applied.