Skip to content

build(deps): clear all Dependabot advisories + harden CI security #1331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
chhoumann merged 5 commits into from
Jun 13, 2026
Merged

build(deps): clear all Dependabot advisories + harden CI security #1331

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d7f7b31
build(deps): pin svelte/joi/uuid overrides to patched versions
chhoumann Jun 13, 2026
fdde72d
ci: tighten dependency-review and scan Actions with CodeQL
chhoumann Jun 13, 2026
b9cfb25
build(deps): roll in routine Dependabot bumps (consolidate #1323, #1324)
chhoumann Jun 13, 2026
f1fca37
ci: release via QuickAdd Release Bot app token; run CI on every PR
chhoumann Jun 13, 2026
82bf126
build(deps): use caret range for @types/node devDependency
chhoumann Jun 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 0 additions & 18 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,21 +72,3 @@ jobs:
run: pnpm run build-with-lint
- name: Svelte check
run: pnpm run check

dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
comment-summary-in-pr: on-failure
fail-on-severity: high
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [javascript-typescript]
language: [javascript-typescript, actions]
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
Expand Down
40 changes: 40 additions & 0 deletions .github/workflows/dependency-review.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
name: Dependency Review

# Runs on every PR (no paths-ignore) so changes to docs/pnpm-lock.yaml are
# scanned too — the root CI workflow path-ignores docs/**, which previously
# left docs dependency bumps unreviewed.
on:
pull_request:
branches: [master]

concurrency:
group: dep-review-${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
persist-credentials: false
- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
comment-summary-in-pr: on-failure
# Block newly-introduced moderate+ advisories in both runtime
# AND development scopes (the default only fails on runtime/high).
fail-on-severity: moderate
fail-on-scopes: runtime, development
4 changes: 3 additions & 1 deletion docs/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,9 @@
"pnpm": {
"overrides": {
"webpackbar": "^7.0.0",
"serialize-javascript": "^7.0.3"
"serialize-javascript": "^7.0.3",
"joi": "^17.13.4",
"uuid": "^11.1.1"
}
},
"browserslist": {
Expand Down
21 changes: 11 additions & 10 deletions docs/pnpm-lock.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 4 additions & 4 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@
"@testing-library/jest-dom": "^6.9.1",
"@testing-library/svelte": "^5.3.1",
"@testing-library/user-event": "^14.6.1",
"@types/node": "25.9.2",
"@types/node": "25.9.3",
Comment thread
coderabbitai[bot] marked this conversation as resolved.
Outdated
"@typescript-eslint/eslint-plugin": "^8.60.1",
"@typescript-eslint/parser": "^8.60.1",
"@vitest/coverage-v8": "4.1.8",
Expand All @@ -33,7 +33,7 @@
"eslint-plugin-svelte": "^3.19.0",
"globals": "17",
"jsdom": "29",
"obsidian": "1.13.0",
"obsidian": "1.13.1",
"obsidian-e2e": "0.6.0",
"semantic-release": "^25.0.5",
"svelte": "^5",
Expand All @@ -50,7 +50,7 @@
"chrono-node": "^2.9.1",
"fuse.js": "7",
"obsidian-dataview": "^0.5.68",
"svelte-dnd-action": "0.9.69",
"svelte-dnd-action": "0.9.70",
"three-way-merge": "^0.1.0",
"uuid": "14",
"zustand": "^5.0.14"
Expand All @@ -66,7 +66,7 @@
"esbuild"
],
"overrides": {
"obsidian-calendar-ui>svelte": "^3.59.2"
"obsidian-calendar-ui>svelte": "^5.56.3"
}
},
"release": {
Expand Down
Loading
Loading