chore: release main#97
Merged
Merged
Conversation
github-actions
Bot
force-pushed
the
release-please--branches--main
branch
2 times, most recently
from
5fa6f20 to
425e390
Compare
Owner
|
Closing to trigger required CI checks. release-please rewrote this branch via GITHUB_TOKEN, which suppresses downstream pull_request:synchronize events — branch protection's 8 required checks were never invoked on the current HEAD (425e390). Reopening immediately to fire pull_request:reopened, which triggers ci.yml + codeql.yml + commitlint.yml + pre-release-gate.yml + semgrep.yml + och-self-scan.yml. SHA is preserved. |
Owner
|
Reopening — pull_request:reopened fires every required check workflow. CI will populate on HEAD 425e390 within ~10 min. |
2 tasks
theagenticguy
added a commit
that referenced
this pull request
May 15, 2026
## Summary Pins \`devalue\` to 5.8.1+ via pnpm-workspace.yaml overrides. Versions 5.6.3..5.8.0 are vulnerable to **GHSA-77vg-94rm-hx3p** (HIGH, 7.5) — DoS via sparse-array deserialization. Advisory published 2026-05-14 20:23 UTC, ~3.5h after #103 (astro 6.3.1 → 6.3.3) merged. ## Impact path \`devalue\` is pulled in transitively by \`astro@6.3.3\` → consumed only by \`@opencodehub/docs\` (\`"private": true\`, builds the static docs site, never published). None of the 17 published \`@opencodehub/*\` tarballs depend on devalue. **Runtime exposure to the published artifacts is zero.** ## Why this PR exists The release pipeline (\`release.yml\`) does not run \`pnpm audit\`, so the CVE wouldn't actually break a release. But the **pre-release gate** on release-please PRs *does* run \`pnpm audit --audit-level=high --prod\`, and that's currently failing on #97 (the release PR for \`root-v0.4.0\` + \`cli-v0.3.0\`). Patching devalue cleanly is the defensible engineering move: 1. Eliminates the audit failure on #97 without bypassing branch protection. 2. Closes Dependabot alert #44. 3. Auto-reverts once astro ships a version that already pins \`devalue >= 5.8.1\` (the override is keyed on \`devalue@<5.8.1\`). ## Verified locally - \`pnpm install --frozen-lockfile\` → ok - \`pnpm audit --audit-level=high --prod\` → "No known vulnerabilities found" - \`pnpm typecheck\` → green across all 19 workspace projects - \`pnpm --filter @opencodehub/docs build\` → 63 pages, completes - \`pnpm why devalue\` → resolves to 5.8.1 (was 5.8.0) ## Test plan - [x] CI must surface \`pnpm audit (high+)\` and \`osv\` as PASSING on this branch (both are non-required but currently failing on #97; this PR is the fix). - [x] Typecheck and full test suite must remain green.
github-actions
Bot
force-pushed
the
release-please--branches--main
branch
from
536e35f to
2762d24
Compare
Owner
Owner
|
Reopened — pull_request:reopened will fire required check workflows on 2762d24. |
Contributor
Author
|
🤖 Created releases: 🌻 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated release via release-please
cli: 0.3.0
0.3.0 (2026-05-15)
⚠ BREAKING CHANGES
codehub analyzethe one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) (#110)Features
codehub analyzethe one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) (#110) (62bff2f)root: 0.4.0
0.4.0 (2026-05-15)
⚠ BREAKING CHANGES
codehub analyzethe one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) (#110)Features
codehub analyzethe one-command index (fast + scan + sbom + coverage-auto; summaries opt-in) (#110) (62bff2f)This PR was generated with Release Please. See documentation.