build(deps): clear all Dependabot advisories + harden CI security

[chhoumann]

Summary

Clears all 9 open Dependabot advisories, consolidates the three open Dependabot dependency PRs into one lockfile, and closes a couple of CI/supply-chain gaps. No user-facing behavior changes ship — every advisory was already unreachable, and the edits only update dependency versions/copies. Title is build(deps): so semantic-release does not cut a release.

Supersedes / consolidates: #1322 (svelte security bump), #1323 (dev-deps group), #1324 (svelte-dnd-action) — all closed in favour of this single PR.

Advisories cleared (all medium, all real-risk: none)

#	Pkg	CVE	Where	Why it was noise
41, 108–113	svelte@3.59.2	CVE-2024-45047, CVE-2026-27121/27122/27125/27901/42573/42599	root	Phantom EOL copy pinned by the obsidian-calendar-ui>svelte override; never bundled; shipped svelte@5.56.3 already patched
107	joi@17.13.3	CVE-2026-48038	docs	Docusaurus build-time config validation (trusted input)
106	uuid@8.3.2	CVE-2026-41907	docs	webpack-dev-server>sockjs, dev-server only; uses v4(), unaffected branch

Root cause (svelte cluster)

quickadd → obsidian-dataview → obsidian-calendar-ui → svelte. The override "obsidian-calendar-ui>svelte": "^3.59.2" pinned the EOL 3.x, which satisfies every new Svelte advisory's open-lower-bound range. The fix bumps it to ^5.56.3 so it dedupes onto the already-bundled, already-patched svelte 5.56.3 (only ≥5.55.7 clears the 2026 set; 4.2.19 would clear only #41).

Changes

Security / advisory fixes

• package.json: obsidian-calendar-ui>svelte override ^3.59.2 → ^5.56.3
• docs/package.json: add joi ^17.13.4, uuid ^11.1.1 overrides

Routine dependency bumps (folded from #1323/#1324)

• svelte-dnd-action 0.9.69 → 0.9.70 (prod, bundled)
• obsidian 1.13.0 → 1.13.1, @types/node 25.9.2 → 25.9.3, eslint → 10.5.0 (dev)

CI / supply-chain hardening

• dependency-review moved to its own workflow that runs on every PR (root CI path-ignores docs/**, so docs lockfile bumps were unreviewed); gate raised high → moderate + fail-on-scopes: runtime, development
• CodeQL now also scans the actions language (workflow files)

Repo settings (applied out-of-band, not in this diff)

• Deleted unused Actions secrets CLAUDE_CODE_OAUTH_TOKEN, FACTORY_API_KEY (only DISCORD_WEBHOOK remains)
• Disabled "Allow GitHub Actions to create and approve pull requests"

Verification (run locally on this branch)

• pnpm install --frozen-lockfile consistent (CI-safe)
• pnpm why svelte → 1 version (5.56.3); pnpm audit → no known vulnerabilities (root + docs)
• pnpm run build OK, main.js bundle has 0 svelte/internal refs (svelte 3 confirmed absent)
• pnpm run check → 0 errors; pnpm run test → 1856 passed / 31 skipped (incl. drag-reorder suites against svelte-dnd-action 0.9.70)
• docusaurus build → success

Notes / known follow-ups

• dependency-review is advisory until branch protection requires it. The master ruleset currently enforces only deletion/non_fast_forward; making the new check (and CodeQL) required conflicts with the release job's direct github-actions[bot] push and needs a token-strategy decision (release-via-PR, or a GitHub App/PAT bypass actor) first.
• Deeper svelte fix (out of scope): QuickAdd only uses getAPI from obsidian-dataview (src/utils/DataviewIntegration.ts); dropping the runtime dep and resolving Dataview through Obsidian's plugin API would remove the svelte-3 subtree entirely instead of overriding it.
• joi@17.13.4 is the correct 17.x fix; the GHSA's "upgrade to ≥18.2.1" free-text is misleading (two patched lines).
• uuid 8→11 only affects sockjs under docusaurus start (dev server); docusaurus build is unaffected.
• No CI job builds docs/ — a docs override/lockfile change is security-reviewed but not build-tested until release.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • CI now runs on every push and PR to master (no path-based ignores) and includes an extra Svelte check step.
  • CodeQL analysis expanded to include an additional language.
  • Added a dependency-review workflow that blocks PRs introducing new moderate+ advisories.
  • Release workflow now uses a short-lived app installation token.
  • Updated package dependency versions and override entries for compatibility.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7109e44e-1d30-41d6-889f-4c0019f5b521

📥 Commits

Reviewing files that changed from the base of the PR and between f1fca37 and 82bf126.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

✅ Files skipped from review due to trivial changes (1)

• package.json

---

📝 Walkthrough

Walkthrough

This PR extracts dependency review to its own workflow, runs Svelte checks in CI, expands CodeQL to include Actions, switches the release job to use a GitHub App token, and updates pnpm overrides and several dependency versions.

Changes

CI Workflows and Dependency Management

Layer / File(s)	Summary
New dedicated dependency-review workflow .github/workflows/dependency-review.yml	Creates a standalone PR-triggered workflow with concurrency cancellation, minimal permissions, hardened runner and actions/dependency-review-action configured to fail on newly introduced moderate+ advisories across runtime and development scopes.
CI workflow restructuring .github/workflows/ci.yml	Removes the embedded pull-request dependency-review job, adds a Svelte check step (pnpm run check) to the build-lint job after pnpm run build-with-lint, and stops ignoring docs/** and **/*.md in triggers.
Release job: GitHub App token for checkout and semantic-release .github/workflows/release.yml	Generates an installation token via actions/create-github-app-token and uses it for checkout and as GITHUB_TOKEN for the semantic-release step.
CodeQL language matrix expansion .github/workflows/codeql.yml	Adds actions to the CodeQL matrix.language list alongside javascript-typescript.
Dependency overrides and version bumps docs/package.json, package.json	Adds joi and uuid pnpm overrides in docs/package.json; updates pnpm.overrides for obsidian-calendar-ui>svelte and bumps @types/node, obsidian, and svelte-dnd-action versions in root package.json.

Sequence Diagram

sequenceDiagram
  participant PR as Pull Request
  participant CI as Dependency Review Workflow
  participant Harden as step-security/harden-runner
  participant Checkout as actions/checkout
  participant DepAction as actions/dependency-review-action
  PR->>CI: open/update PR to master
  CI->>Harden: run runner hardening
  CI->>Checkout: checkout code (persist-credentials:false)
  CI->>DepAction: run dependency review (runtime & dev)
  DepAction->>CI: result (pass/fail)
  alt new moderate+ advisories
    DepAction->>PR: post comment and fail
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• chhoumann/quickadd#1237: Both PRs modify package.json to bump the svelte-dnd-action dependency version.
• chhoumann/quickadd#1218: Overlapping CI and CodeQL workflow changes (ci.yml and codeql.yml).

Suggested labels

released

Poem

🐰 I hopped through workflows, tidy and neat,
Split checks to their own lane, no tangled repeat.
Svelte got a check, CodeQL learned a new song,
Tokens for release so pushes belong.
Bumps and overrides — the carrots are strong.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main changes: clearing Dependabot advisories and hardening CI security, which aligns with all major changes across dependency updates, workflow configurations, and security hardening.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chhoumann/github-dependency-advisory

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[cloudflare-workers-and-pages]

Deploying quickadd with    Cloudflare Pages

Latest commit:	82bf126
Status:	✅  Deploy successful!
Preview URL:	https://f361117e.quickadd.pages.dev
Branch Preview URL:	https://chhoumann-github-dependency.quickadd.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 26: Update the devDependency entry for `@types/node` in package.json to use
a caret prefixed semver (change "25.9.3" to "^25.9.3") so it matches the other
devDependencies and allows semver-compatible patch updates; edit the
"`@types/node`" value accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c178502-ded4-49eb-9d54-a682bcb1909a

📥 Commits

Reviewing files that changed from the base of the PR and between fdde72d and b9cfb25.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 45-58: Move the "Generate release-bot token" (step id: app-token)
and the checkout that uses its token (the actions/checkout with token: ${{
steps.app-token.outputs.token }}) so they run only immediately before the
Release step: remove the app-token minting and the checkout-with-token from the
pre-build stages (before pnpm install/build/test), keep a normal checkout
earlier without the app-token, then add a new step sequence right before the
Release job that (1) generates the release-bot token via the existing
create-github-app-token invocation (id: app-token) and (2) performs a checkout
or configures git to use ${{ steps.app-token.outputs.token }} and exports that
token to GITHUB_TOKEN for the semantic-release step; this ensures the
bypass-capable App token is minted and persisted into git credentials only after
install/build/test succeed.
- Around line 47-50: The GitHub App installation token creation is granting the
App's full installation scopes by default; update the
actions/create-github-app-token step to pass explicit permission-* inputs
limiting scopes to only what actions/checkout and semantic-release require (for
example add permission-contents: write, permission-metadata: read,
permission-actions: read — adjust to your repo’s actual needs), so replace the
current invocation with one that includes those permission-* inputs to apply
least-privilege.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1eb8f7c0-f7d6-4e42-9d60-346d7a57ce72

📥 Commits

Reviewing files that changed from the base of the PR and between b9cfb25 and f1fca37.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/release.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the workflow file with line numbers (bounded to keep output small)
nl -ba .github/workflows/release.yml | sed -n '1,200p'

Repository: chhoumann/quickadd

Length of output: 105

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Print workflow file with line numbers (no nl available)
awk '{printf "%6d\t%s\n", NR, $0}' .github/workflows/release.yml | sed -n '1,220p'

Repository: chhoumann/quickadd

Length of output: 9464

---

Delay minting the bypass-capable GitHub App token until right before the Release step

Generate release-bot token mints the App token before pnpm install/build/test, and Checkout immediately persists it into git credentials via token: ${{ steps.app-token.outputs.token }}. This exposes a branch-protection-bypass credential to lifecycle/build/test code that can execute arbitrary scripts. Mint the token only after install/build/test pass, then set the git credential/remote and GITHUB_TOKEN for semantic-release immediately before the Release step.

🧰 Tools

🪛 zizmor (1.25.2)

[warning] 52-58: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 47-47: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 45 - 58, Move the "Generate
release-bot token" (step id: app-token) and the checkout that uses its token
(the actions/checkout with token: ${{ steps.app-token.outputs.token }}) so they
run only immediately before the Release step: remove the app-token minting and
the checkout-with-token from the pre-build stages (before pnpm
install/build/test), keep a normal checkout earlier without the app-token, then
add a new step sequence right before the Release job that (1) generates the
release-bot token via the existing create-github-app-token invocation (id:
app-token) and (2) performs a checkout or configures git to use ${{
steps.app-token.outputs.token }} and exports that token to GITHUB_TOKEN for the
semantic-release step; this ensures the bypass-capable App token is minted and
persisted into git credentials only after install/build/test succeed.

Source: Linters/SAST tools

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release.yml"
echo "== File =="
ls -la "$FILE"
echo
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,140p'
echo
echo "== Search for app-token outputs usage =="
rg -n "app-token|create-github-app-token|steps\.app-token\.outputs|app_token|github-app-token" "$FILE" || true
echo
echo "== Search for GITHUB_TOKEN permissions usage =="
rg -n "permissions:|GITHUB_TOKEN|token:" "$FILE" || true

Repository: chhoumann/quickadd

Length of output: 232

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release.yml"
echo "== File =="
ls -la "$FILE"
echo
echo "== Lines 1-200 =="
nl -ba "$FILE" | sed -n '1,220p'
echo
echo "== Search for app-token outputs usage =="
rg -n "app-token|create-github-app-token|steps\.app-token\.outputs|app_token|github-app-token" "$FILE" || true
echo
echo "== Search for GITHUB_TOKEN and job permissions blocks =="
rg -n "permissions:|GITHUB_TOKEN|token:" "$FILE" || true

Repository: chhoumann/quickadd

Length of output: 232

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/release.yml"
echo "== File =="
ls -la "$FILE"
echo

echo "== Lines 1-220 =="
awk '{printf "%5d\t%s\n", NR, $0}' "$FILE" | sed -n '1,220p'
echo

echo "== Matching create-github-app-token usage (context) =="
rg -n "actions/create-github-app-token" "$FILE" -C 5 || true
echo

echo "== app-token step output usage (context) =="
rg -n "app-token|steps\.app-token|permission-|permission-contents|permission-issues|permission-pull-requests" "$FILE" -C 2 || true
echo

echo "== Any token: assignments used for checkout/semantic-release (context) =="
rg -n "token:\s*\${{\s*steps\.(app-token|app_token)|token:\s*\${{\s*secrets|checkout|semantic-release|actions/checkout" "$FILE" -C 3 || true
echo

echo "== Job permissions blocks (context) =="
rg -n "^\\s*permissions\\s*:" "$FILE" -C 3 || true

Repository: chhoumann/quickadd

Length of output: 12118

---

🌐 Web query:

actions/create-github-app-token v3.2.0 permission-contents permission-issues input names

💡 Result:

In the actions/create-github-app-token action, permissions are configured by prefixing the relevant GitHub API permission name with permission- (e.g., permission-contents or permission-issues) [1][2]. The inputs for permission-contents and permission-issues function as follows: - permission-contents: Sets the level of permission granted to the access token for repository contents, including commits, branches, downloads, releases, and merges [2]. It can be set to either read or write [3][2]. - permission-issues: Sets the level of permission granted to the access token for issues, including related comments, assignees, labels, and milestones [2]. It can be set to either read or write [3][2]. By default, if no permission-* inputs are provided, the generated token inherits all permissions currently granted to the GitHub App installation [1][4]. It is recommended to explicitly list only the permissions required for your specific use case to follow security best practices [1][2]. The action validates these inputs against the allowed permissions schema [5][2].

Citations:

• 1: https://github.com/actions/create-github-app-token?tab=readme-ov-file
• 2: actions/create-github-app-token@0e0aa99
• 3: https://github.com/actions/create-github-app-token/blob/df432cee/action.yml
• 4: https://github.com/actions/create-github-app-token/blob/34c66235f6ccc38eb01b7aed860890bdf40db33c/README.md
• 5: https://deepwiki.com/actions/create-github-app-token/4.2-permission-system

---

🌐 Web query:

actions/create-github-app-token supported permission-* keys pull-requests releases

💡 Result:

The actions/create-github-app-token action supports all available GitHub App permission scopes by using inputs prefixed with permission- [1][2][3]. To specify a permission, you replace the underscores in the GitHub API permission name with dashes and prefix it with permission- (e.g., the pull_requests permission becomes permission-pull-requests and issues becomes permission-issues) [1][2]. Most permissions accept read or write as valid values, though specific permissions may have restricted options (e.g., workflows generally supports only write) [4][2][3]. Key points regarding these permissions include: - Default Behavior: If no permission-* inputs are provided, the generated token inherits all permissions currently granted to the GitHub App installation [1][2][3]. - Validation: Selected permissions must be granted to the GitHub App installation; requesting a permission the installation does not possess will result in an error [1][3]. - Mapping: The action internally maps the action input (e.g., permission-pull-requests) to the corresponding GitHub API scope (e.g., pull_requests) [2]. - Best Practice: It is recommended to explicitly list only the permissions required for your specific use case to follow the principle of least privilege [1]. For a complete list of all supported permission keys, you can refer to the action's official action.yml file, which defines these inputs dynamically [4][1][2].

Citations:

• 1: https://github.com/actions/create-github-app-token?tab=readme-ov-file
• 2: https://deepwiki.com/actions/create-github-app-token/4.2-permission-system
• 3: https://deepwiki.com/actions/create-github-app-token/4.1-action-inputs
• 4: https://github.com/actions/create-github-app-token/blob/df432cee/action.yml

---

Constrain the GitHub App token permissions (least privilege)

actions/create-github-app-token mints an installation token with the GitHub App’s granted permissions; if you omit permission-* inputs, it inherits the App installation’s full scope, and the job-level permissions: block doesn’t reduce that scope. This App token is used for actions/checkout and for semantic-release (via GITHUB_TOKEN), so request only the scopes you need.

Suggested change

             - name: Generate release-bot token
               id: app-token
               uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
               with:
                   app-id: ${{ secrets.RELEASE_APP_ID }}
                   private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+                  permission-contents: write
+                  permission-issues: write
+                  permission-pull-requests: write

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
	with:
	app-id: ${{ secrets.RELEASE_APP_ID }}
	private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
	uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
	with:
	app-id: ${{ secrets.RELEASE_APP_ID }}
	private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
	permission-contents: write
	permission-issues: write
	permission-pull-requests: write

🧰 Tools

🪛 zizmor (1.25.2)

[error] 47-47: dangerous use of GitHub App tokens (github-app): app token inherits blanket installation permissions

(github-app)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 47 - 50, The GitHub App
installation token creation is granting the App's full installation scopes by
default; update the actions/create-github-app-token step to pass explicit
permission-* inputs limiting scopes to only what actions/checkout and
semantic-release require (for example add permission-contents: write,
permission-metadata: read, permission-actions: read — adjust to your repo’s
actual needs), so replace the current invocation with one that includes those
permission-* inputs to apply least-privilege.

Source: Linters/SAST tools