chore: dependabot npm/uv patch updates and tooling sync #320
Open
WhatIfWeDigDeeper wants to merge 8 commits into
Conversation
- Configure dependabot for npm and uv ecosystems with weekly patch-only updates and 2-day cooldown
- Add .worktreeinclude so .env files are available inside worktree copies
- Set CLAUDE_CODE_SUBAGENT_MODEL=sonnet for subagent runs
- Sync upstream skills (js-deps, learn, peer-review, pr-comments, pr-human-guide, ship-it, uv-deps)
- Record CLAUDE.md learnings about settings.json stash behavior, zsh status readonly, and post-push /pr-comments
- Add cooldown to cspell dictionary
Contributor
Pull request overview
This PR updates repository automation and agent/tooling guidance for dependency maintenance, worktree environment handling, and Claude subagent behavior.
Changes:
- Adds patch-only weekly Dependabot entries for npm and uv with cooldowns.
- Adds `.worktreeinclude` for `.env` propagation into worktrees.
- Updates Claude settings/guidance, cspell words, and synced skill lock hashes.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/dependabot.yml | Adds npm and uv Dependabot update configurations. |
| .worktreeinclude | Includes root and nested .env files for worktrees. |
| .claude/settings.json | Pins subagent model via environment setting. |
| CLAUDE.md | Records new operational learnings and PR follow-up workflow. |
| cspell.config.yaml | Adds cooldown to the accepted word list. |
| skills-lock.json | Updates synced upstream skill hashes. |
Review comment context (lines from `.github/dependabot.yml`):

```yaml
semver-patch-days: 2

- package-ecosystem: "uv"
  directory: "/"
```
- Add gomod ecosystem (go-api) with the same patch-only + cooldown policy
- Repoint uv from / to /fastapi (where pyproject.toml lives)
- Ignore .claude/worktrees/ (ephemeral worktree workspaces)
- Add 'gomod' to cspell dictionary

CI surfaced GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc on fast-uri.
- Add 'fast-uri': '3.1.2' override in api, yoga-api, nest-api, angular-ui, angular-spring-ui, lambda-api/cdk
- Bump aws-cdk-lib 2.248.0 -> 2.254.0 in lambda-api/cdk to fix bundled fast-uri (overrides cannot reach bundleDependencies)
- Run npm audit fix --package-lock-only across packages where pre-existing high advisories surfaced once the fast-uri block was removed (lambda-api, nest-api, nest-history-api, nuxt-api, svelte-ui, ui, angular-ui, angular-spring-ui)

npx -y audit-ci --high passes for all 19 npm packages locally.
govulncheck flagged net@go1.26.2 — Panic in Dial and LookupPort when handling NUL byte on Windows. Fixed in net@go1.26.3. setup-go reads go-version-file: go-api/go.mod, so bumping the go directive forces CI onto 1.26.3.
…n aws-cdk-lib@2.254.0 npm install --package-lock-only missed a bundled nested dependency (@aws-cdk/cloud-assembly-api/jsonschema@1.4.1). A full npm install captured it, restoring lockfile/manifest parity so npm ci passes in CI.
…b 2.254.0 aws-cdk-lib 2.254.0 enforces entryPath must be under projectRoot (defaults to package-lock.json's directory). The handler lives in ../../src/handler.ts (lambda-api/src), outside lambda-api/cdk. Set projectRoot and depsLockFilePath to lambda-api/ so bundling resolves correctly. Local 'npm test' in lambda-api/cdk passes.
Add .claude/skills/dev to gitignore (externally-sourced symlink) and update skills-lock.json hashes after upstream skill sync.
Contributor
Pull request overview
Copilot reviewed 14 out of 26 changed files in this pull request and generated 1 comment.
Files not reviewed (11)
- angular-spring-ui/package-lock.json: Language not supported
- angular-ui/package-lock.json: Language not supported
- api/package-lock.json: Language not supported
- lambda-api/cdk/package-lock.json: Language not supported
- lambda-api/package-lock.json: Language not supported
- nest-api/package-lock.json: Language not supported
- nest-history-api/package-lock.json: Language not supported
- nuxt-api/package-lock.json: Language not supported
- svelte-ui/package-lock.json: Language not supported
- ui/package-lock.json: Language not supported
- yoga-api/package-lock.json: Language not supported
…nc requirement Add a parallel cross-cutting pattern entry describing the same post-push bot-review-feedback workflow recorded in CLAUDE.md, so the Copilot sync rule (CLAUDE.md:19) is satisfied without making the new rule Claude-only. Co-authored-by: Copilot <Copilot@users.noreply.github.com>
Contributor
Pull request overview
Copilot reviewed 15 out of 27 changed files in this pull request and generated no new comments.
Files not reviewed (11)
- angular-spring-ui/package-lock.json: Language not supported
- angular-ui/package-lock.json: Language not supported
- api/package-lock.json: Language not supported
- lambda-api/cdk/package-lock.json: Language not supported
- lambda-api/package-lock.json: Language not supported
- nest-api/package-lock.json: Language not supported
- nest-history-api/package-lock.json: Language not supported
- nuxt-api/package-lock.json: Language not supported
- svelte-ui/package-lock.json: Language not supported
- ui/package-lock.json: Language not supported
- yoga-api/package-lock.json: Language not supported
Summary
- `npm` (root workspace), `uv` (`/fastapi`), and `gomod` (`/go-api`) with weekly patch-only updates and a 2-day `semver-patch-days` cooldown.
- `.worktreeinclude` so `.env` files are copied into worktree workspaces.
- `.claude/worktrees/` (ephemeral worktree workspaces).
- `CLAUDE_CODE_SUBAGENT_MODEL=sonnet` in `.claude/settings.json`.
- `skills-lock.json` hashes; add `cooldown` and `gomod` to the cspell dictionary.
- `.claude/settings.json` git stash/checkout interaction, `zsh status` being readonly (use `rc=$?`), and running `/pr-comments` after every push to an open PR.

Security fixes (unblocking CI)
The first CI run on this branch hit a fresh advisory:
- `fast-uri` GHSA-q3j6-qgpj-74h6 and GHSA-v39h-62p7-jpjc. Removing that block also surfaced a cascade of pre-existing high advisories that `audit:ci:all` had been masking by halting at the first failure.
- `fast-uri` → `3.1.2` override in `api`, `yoga-api`, `nest-api`, `angular-ui`, `angular-spring-ui`, `lambda-api/cdk`.
- `aws-cdk-lib` `2.248.0` → `2.254.0` in `lambda-api/cdk` to fix bundled `fast-uri` (`overrides` can't reach `bundleDependencies`).
- `npm audit fix --package-lock-only` across `lambda-api`, `nest-api`, `nest-history-api`, `nuxt-api`, `svelte-ui`, `ui`, `angular-ui`, `angular-spring-ui` for protobufjs / @babel / esbuild / hono advisories (no `--force`, so non-breaking only). The `nuxt-api` lockfile diff is large because the patched chain pulled in `nitropack` + `esbuild@0.28`.

All 19 npm packages pass `npx -y audit-ci --high` locally.

Test Plan
- `verify-pr` (build → lint → test → audit across all stacks).
- `nuxt-api` dev/build still works after the nitropack bump.
- `npm`/`uv`/`gomod` configs on its next scheduled run.

Shipped with `/ship-it`.
<!-- pr-human-guide -->
Review Guide
Security
- `.worktreeinclude` — New file explicitly copies `.env` and `**/.env` into worktree workspaces (`../<name>-timestamp/`); confirm the trust model matches how worktrees are used and that they don't outlive the host workspace's secret-handling boundary
Config / Infrastructure
- `.github/dependabot.yml` — Adds three new ecosystems (`npm` root, `uv` at `/fastapi`, `gomod` at `/go-api`) with weekly patch-only updates + 2-day `semver-patch-days` cooldown; sets the steady-state Dependabot policy for all future bumps
- `lambda-api/cdk/lib/lambda-api-stack.ts` (L40-54) — `NodejsFunction` now sets explicit `projectRoot` and `depsLockFilePath` pointing one level above `cdk/` so bundling can reach `lambda-api/src/handler.ts`; affects what gets packaged into the deployed Lambda
New Dependencies
- `lambda-api/cdk/package.json` — `aws-cdk-lib` `2.248.0` → `2.254.0` (six minor versions). Required to drop the bundled vulnerable `fast-uri`, but the newer version is what forced the `projectRoot` change above — sanity-check synth output against last deploy
- `nuxt-api/package-lock.json` — `npm audit fix` pulled in `nitropack` and `esbuild@0.28` as new transitives (~580-line lockfile churn). Confirm `nuxt-api` dev/build/test still works before relying on this branch
- `go-api/go.mod` — `go 1.26.2` → `1.26.3` patches `GO-2026-4971` in the `net` stdlib; CI installs the toolchain from `go.mod` via `setup-go`'s `go-version-file`, so every contributor running locally also needs ≥1.26.3
<!-- /pr-human-guide -->
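The Dependabot policy described in the Summary and the Review Guide above, written out as a complete `.github/dependabot.yml`. This is an added reconstruction, not the file from this PR: the page supplies the three ecosystems and their directories (`npm` at `/`, `uv` at `/fastapi`, `gomod` at `/go-api`), the weekly cadence, the patch-only scope and the `semver-patch-days: 2` cooldown. The `version`/`schedule` keys and the way patch-only is enforced here (an `ignore` entry that drops major and minor update types for every dependency) are assumptions based on standard Dependabot configuration, not something the PR shows.

```yaml
# Added example, not the PR's own .github/dependabot.yml.
# Policy: weekly, patch-only dependency updates for three ecosystems, each with a
# 2-day cooldown on patch releases. The cooldown means a patch that is yanked or
# superseded within two days of publication is never proposed as a PR, which is
# the main supply-chain benefit of delaying automated bumps.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # root npm workspace
    schedule:
      interval: "weekly"
    # Assumed mechanism for "patch-only": ignore major and minor bumps for
    # every dependency so only semver-patch updates are ever opened.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
    cooldown:
      semver-patch-days: 2         # wait 2 days after a patch release

  - package-ecosystem: "uv"
    directory: "/fastapi"          # where pyproject.toml lives
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
    cooldown:
      semver-patch-days: 2

  - package-ecosystem: "gomod"
    directory: "/go-api"           # where go.mod lives
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
    cooldown:
      semver-patch-days: 2
```

One consequence worth keeping in mind when reviewing such a policy: `ignore` rules also suppress Dependabot's version-update PRs for major and minor security fixes, so a policy like this relies on a separate gate (here the `audit-ci --high` step in `verify-pr`) to fail CI when a fix only ships in a non-patch release, exactly the situation the `aws-cdk-lib` 2.248.0 → 2.254.0 bump in this PR hit.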