Skip to content

chore(deps): update dependencies to latest versions #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JoachimLK merged 1 commit into from
Jun 11, 2026
Merged

chore(deps): update dependencies to latest versions #198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/dependabot-automerge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
steps.metadata.outputs.update-type == 'version-update:semver-minor'
)
run: gh pr merge --auto --squash "$PR_URL"
run: gh pr merge --auto --merge "$PR_URL"

@coderabbitai coderabbitai Bot Jun 11, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check if there's a documented merge strategy preference in contributing docs or other workflows

# Search for merge strategy documentation
rg -i -C3 'merge.*strategy|squash.*merge|--squash|--merge|--rebase' \
  --glob '*.md' \
  --glob '.github/**/*.yml' \
  --glob 'CONTRIBUTING*' \
  --glob 'docs/**/*'

# Check other workflows for merge patterns
rg -n "gh pr merge" --glob '.github/workflows/*.yml'

Repository: reqcore-inc/reqcore

Length of output: 712

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Find any explicit guidance about squash vs merge (docs/contributing/README)
rg -n --hidden --no-ignore-vcs \
  '(--squash|--merge|squash-merge|merge strategy|pr merge)' \
  --glob '*.md' \
  --glob '.github/**/*.yml' \
  --glob 'CONTRIBUTING*' \
  --glob 'docs/**/*' || true

# 2) Find all usage of `gh pr merge` and see which flags are used elsewhere
rg -n --hidden --no-ignore-vcs \
  'gh pr merge' .github/workflows/*.yml || true

# 3) Specifically check dependabot-related workflows for merge/squash settings
rg -n --hidden --no-ignore-vcs \
  '(dependabot|automerge|merge strategy|--squash|--merge)' \
  .github/workflows/*.yml || true

Repository: reqcore-inc/reqcore

Length of output: 1474

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/pull_request_template.md (around line 6) ==="
sed -n '1,40p' .github/pull_request_template.md

echo "=== .github/workflows/pr-title-lint.yml (around line 1-30) ==="
sed -n '1,120p' .github/workflows/pr-title-lint.yml

echo "=== Search for gh pr merge usage and flags across workflows ==="
rg -n --hidden --no-ignore-vcs 'gh pr merge' .github/workflows/*.yml || true

echo "=== Search for explicit --squash / squash-merge mentions across repo ==="
rg -n --hidden --no-ignore-vcs '(--squash|squash-merge|squash-merged)' \
  --glob '*.md' --glob '.github/**/*.yml' --glob 'docs/**/*' || true

Repository: reqcore-inc/reqcore

Length of output: 3230

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Search for any --squash usage in workflows ==="
rg -n --hidden --no-ignore-vcs '--squash|squash-merge' .github/workflows/*.yml || true

echo "=== List and inspect release-please configs (if present) ==="
ls -la .github 2>/dev/null || true
ls -la .github/workflows 2>/dev/null || true
fd -a 'release-please' .github -t f 2>/dev/null || true

# Print likely release-please config files if they exist
for f in .github/release-please-config.json .github/release-please-config.* .github/release-please*.json .github/*.json; do
  if [ -f "$f" ]; then
    echo "=== $f (first 200 lines) ==="
    sed -n '1,200p' "$f"
  fi
done

echo "=== Search for release-please workflow/config references ==="
rg -n --hidden --no-ignore-vcs 'release-please|squash-merged|merge-commit|target-branch|changelog' .github/workflows/**/*.yml .github/**/*.json .github/**/*.md || true

Repository: reqcore-inc/reqcore

Length of output: 6717

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/dependabot-automerge.yml (full) ==="
sed -n '1,220p' .github/workflows/dependabot-automerge.yml

echo "=== .github/workflows/release-please.yml (first 220 lines) ==="
sed -n '1,220p' .github/workflows/release-please.yml

echo "=== .github/workflows/release-verification.yml (first 260 lines) ==="
sed -n '1,260p' .github/workflows/release-verification.yml

echo "=== Search for 'squash' and 'merge-commit' references in .github/workflows ==="
rg -n --hidden --no-ignore-vcs 'squash-merged|squash|merge-commit|--squash|--merge' .github/workflows/*.yml || true

Repository: reqcore-inc/reqcore

Length of output: 11265

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .release-please-manifest.json (first 220 lines) ==="
sed -n '1,220p' .release-please-manifest.json

echo "=== Search for release-please merge-type / squash mention in repo ==="
rg -n --hidden --no-ignore-vcs '(release-please|squash-merged|squash-merge|merge-commit|merge commit|merge strategy)' \
  .github .release-please-manifest.json .  || true

echo "=== Check .github/dependabot.yml (first 220 lines) ==="
sed -n '1,220p' .github/dependabot.yml

Repository: reqcore-inc/reqcore

Length of output: 5576

Fix Dependabot automerge merge strategy to match release-please expectations

This repo explicitly relies on squash-merged commit/title semantics for release-please (see .github/pull_request_template.md and .github/workflows/pr-title-lint.yml), but .github/workflows/dependabot-automerge.yml now uses gh pr merge --auto --merge "$PR_URL" (lines 39/52/70), which creates merge commits instead.

  • Confirm --merge still produces the “squash-merged” conventional-commit signal that release-please expects; otherwise switch Dependabot automerge back to --squash (or adjust the release-please workflow/process accordingly).
  • Add a brief comment in the workflow explaining why --merge is chosen (and how it preserves the release-please behavior).
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependabot-automerge.yml at line 39, The Dependabot
automerge step currently uses the command invocation gh pr merge --auto --merge
"$PR_URL" which creates merge commits and may not produce the squash-style
commit/title semantics that release-please expects (see
.github/pull_request_template.md and .github/workflows/pr-title-lint.yml);
update the workflow to either (A) change the invocations of gh pr merge --auto
--merge "$PR_URL" (appearing in the dependabot-automerge workflow) to gh pr
merge --auto --squash "$PR_URL" to restore squash-merge semantics, or (B) if you
verify that --merge nevertheless produces the required squash-style
conventional-commit signals for release-please, add a concise inline comment
above the gh pr merge lines explaining why --merge is acceptable and how it
preserves release-please behavior; ensure the chosen approach is applied to all
occurrences of the command in the workflow.

env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -49,7 +49,7 @@ jobs:
steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
steps.metadata.outputs.update-type == 'version-update:semver-minor'
)
run: gh pr merge --auto --squash "$PR_URL"
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -67,7 +67,7 @@ jobs:
if: |
steps.metadata.outputs.dependency-type == 'direct:production' &&
steps.metadata.outputs.update-type == 'version-update:semver-patch'
run: gh pr merge --auto --squash "$PR_URL"
run: gh pr merge --auto --merge "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/e2e-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 20
node-version: 22.22

@coderabbitai coderabbitai Bot Jun 11, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the correct Node.js version format for actions/setup-node, and what are the latest available Node.js 22.x versions as of June 2026?

💡 Result:

In the actions/setup-node GitHub Action, the node-version input accepts values based on Semantic Versioning (SemVer) syntax, as well as specific aliases [1][2]. Supported formats include: - Major versions: e.g., 22, 24 [1] - Specific versions: e.g., 22.17.1, 24.8.0 [1] - NVM LTS syntax: e.g., lts/jod, lts/* [1] - Aliases: latest, current, node, or * [1] As of June 11, 2026, the latest available Node.js 22.x version is 22.22.3 [3][4]. This release, codenamed 'Jod', was published on May 13, 2026 [3][5]. Node.js 22.x is currently in the Maintenance LTS phase [6][7].

Citations:

🏁 Script executed:

#!/bin/bash
# Description: Verify Node.js 22.22 availability in Docker

curl -s "https://hub.docker.com/v2/repositories/library/node/tags?page_size=100&name=22" | \
  jq -r '.results[].name' | grep -E '^22\.[0-9]+' | sort -V | tail -10

Repository: reqcore-inc/reqcore

Length of output: 246

Align Node.js pin across CI and Docker: 22.22.3

  • actions/setup-node accepts SemVer values for node-version; the latest Node.js 22.x as of Jun 2026 is 22.22.3.
  • Docker Hub official node image tags available for this series are 22.22.3-* (e.g., 22.22.3-alpine3.22, 22.22.3-bookworm), so node:22.22-alpine is likely not a valid reference—pin the Docker stage to 22.22.3 (and the intended variant/distro) to keep CI + Docker consistent.
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/e2e-tests.yml at line 73, Update the Node.js pin so CI and
Docker use the exact same SemVer; change the actions/setup-node `node-version`
value from `22.22` to `22.22.3` and ensure the Docker build stage uses the
matching official image tag (e.g., replace `node:22.22-alpine` with
`node:22.22.3-alpine3.22` or the intended distro like `node:22.22.3-bookworm`)
so `actions/setup-node` and the Docker image are aligned.

cache: npm

- name: Install dependencies
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/pr-validation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 20
node-version: 22.22
cache: npm

- name: Install dependencies
Expand Down
4 changes: 2 additions & 2 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# ─── Stage 1: Build ─────────────────────────────────────────────────────────
FROM node:20-alpine AS builder
FROM node:22.22-alpine AS builder
WORKDIR /app

# Install dependencies first (layer-cached unless package.json changes)
Expand All @@ -24,7 +24,7 @@ ENV POSTHOG_HOST=${POSTHOG_HOST}
RUN npm run build

# ─── Stage 2: Run ────────────────────────────────────────────────────────────
FROM node:20-alpine AS runner
FROM node:22.22-alpine AS runner
WORKDIR /app

ENV NODE_ENV=production
Expand Down
Loading
Loading