chore(deps): consolidated npm + cargo minor-patch bumps (supersedes #926, #927) #930
Merged
Bumps the npm-minor-patch group with 12 updates:

| Package | From | To |
| --- | --- | --- |
| [@sentry/browser](https://github.com/getsentry/sentry-javascript) | `10.56.0` | `10.57.0` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `1.17.0` | `1.18.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.3.0` | `4.3.1` |
| [@tailwindcss/typography](https://github.com/tailwindlabs/tailwindcss-typography) | `0.5.19` | `0.5.20` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.60.1` | `8.61.0` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.60.1` | `8.61.0` |
| [eslint](https://github.com/eslint/eslint) | `10.4.1` | `10.5.0` |
| [eslint-plugin-react-refresh](https://github.com/ArnaudBarre/eslint-plugin-react-refresh) | `0.5.2` | `0.5.3` |
| [prettier](https://github.com/prettier/prettier) | `3.8.3` | `3.8.4` |
| [sharp](https://github.com/lovell/sharp) | `0.34.5` | `0.35.1` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.3.0` | `4.3.1` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.1.8` | `4.1.9` |

Updates `@sentry/browser` from 10.56.0 to 10.57.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.56.0...10.57.0)

Updates `lucide-react` from 1.17.0 to 1.18.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.18.0/packages/lucide-react)

Updates `@tailwindcss/postcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/@tailwindcss-postcss)

Updates `@tailwindcss/typography` from 0.5.19 to 0.5.20
- [Release notes](https://github.com/tailwindlabs/tailwindcss-typography/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss-typography/blob/main/CHANGELOG.md)
- [Commits](tailwindlabs/tailwindcss-typography@v0.5.19...v0.5.20)

Updates `@typescript-eslint/eslint-plugin` from 8.60.1 to 8.61.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.60.1 to 8.61.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.0/packages/parser)

Updates `eslint` from 10.4.1 to 10.5.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v10.4.1...v10.5.0)

Updates `eslint-plugin-react-refresh` from 0.5.2 to 0.5.3
- [Release notes](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/releases)
- [Changelog](https://github.com/ArnaudBarre/eslint-plugin-react-refresh/blob/main/CHANGELOG.md)
- [Commits](ArnaudBarre/eslint-plugin-react-refresh@v0.5.2...v0.5.3)

Updates `prettier` from 3.8.3 to 3.8.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.8.3...3.8.4)

Updates `sharp` from 0.34.5 to 0.35.1
- [Release notes](https://github.com/lovell/sharp/releases)
- [Commits](lovell/sharp@v0.34.5...v0.35.1)

Updates `tailwindcss` from 4.3.0 to 4.3.1
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

Updates `vitest` from 4.1.8 to 4.1.9
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Changelog](https://github.com/vitest-dev/vitest/blob/main/docs/releases.md)
- [Commits](https://github.com/vitest-dev/vitest/commits/HEAD/packages/vitest)

---
updated-dependencies:
- dependency-name: "@sentry/browser"
  dependency-version: 10.57.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: lucide-react
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@tailwindcss/typography"
  dependency-version: 0.5.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: eslint
  dependency-version: 10.5.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: eslint-plugin-react-refresh
  dependency-version: 0.5.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: prettier
  dependency-version: 3.8.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: sharp
  dependency-version: 0.35.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.9
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the cargo-minor-patch group in /src-tauri with 2 updates: [uuid](https://github.com/uuid-rs/uuid) and [regex](https://github.com/rust-lang/regex).

Updates `uuid` from 1.23.2 to 1.23.3
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](uuid-rs/uuid@v1.23.2...v1.23.3)

Updates `regex` from 1.12.3 to 1.12.4
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](rust-lang/regex@1.12.3...1.12.4)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 1.23.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-patch
- dependency-name: regex
  dependency-version: 1.12.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
This was referenced Jun 15, 2026
PR Security Checks

✅ No heuristic or consistency findings on this PR.
…2xvq-fx4p)

CI's `npm audit --audit-level=high` step failed on this branch because the consolidated dep bumps revealed a HIGH-severity vulnerability in the `ws` transitive dep (8.0.0 - 8.20.1 — memory exhaustion DoS from tiny fragments + data chunks).

Three other lower-severity advisories cleared in the same fix pass:

* @babel/core ≤7.29.0 — arbitrary file read via sourceMappingURL comment (GHSA-4x5r-pxfx-6jf8) — moderate
* brace-expansion 5.0.2 - 5.0.5 — large numeric range defeats max DoS protection (GHSA-jxxr-4gwj-5jf2) — moderate
* js-yaml ≤4.1.1 — quadratic-complexity DoS in merge key handling (GHSA-h67p-54hq-rp68) — moderate

`npm audit fix` bumped 4 added / 9 removed / 45 changed packages, all transitive — no direct deps affected. `npm audit --audit-level=high` now exits 0.
Salem874 added a commit that referenced this pull request Jun 15, 2026
Same fix as the mirror commit on PR #930 (5bffabd) — `npm audit fix` clears the same set of transitive advisories surfaced by the consolidated dep bumps:

* ws 8.0.0 - 8.20.1 — memory exhaustion DoS (GHSA-96hv-2xvq-fx4p) — HIGH
* @babel/core ≤7.29.0 — arbitrary file read (GHSA-4x5r-pxfx-6jf8) — moderate
* brace-expansion 5.0.2 - 5.0.5 — DoS via numeric range (GHSA-jxxr-4gwj-5jf2) — moderate
* js-yaml ≤4.1.1 — quadratic-complexity DoS (GHSA-h67p-54hq-rp68) — moderate

`npm audit --audit-level=high` now exits 0.
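The severity gate these commit messages describe, as an added example (not code from this repository or from npm): it reads a report shaped like `npm audit --json` output and returns what a given `--audit-level` blocks and what passes under it. The sample report is constructed from the advisories listed above; `auditGate`, `advisory` and `sampleReport` are hypothetical names.

```javascript
// Added example. Severity order used by `npm audit --audit-level`.
const LEVELS = ["info", "low", "moderate", "high", "critical"];

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// trimmed to the fields used here. Packages, ranges and GHSA ids are the ones
// listed in the commit message above.
const advisory = (id) => ({ url: `https://github.com/advisories/${id}` });
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    ws: { name: "ws", severity: "high", isDirect: false,
          range: "8.0.0 - 8.20.1", via: [advisory("GHSA-96hv-2xvq-fx4p")] },
    "@babel/core": { name: "@babel/core", severity: "moderate", isDirect: false,
          range: "<=7.29.0", via: [advisory("GHSA-4x5r-pxfx-6jf8")] },
    "brace-expansion": { name: "brace-expansion", severity: "moderate", isDirect: false,
          range: "5.0.2 - 5.0.5", via: [advisory("GHSA-jxxr-4gwj-5jf2")] },
    "js-yaml": { name: "js-yaml", severity: "moderate", isDirect: false,
          range: "<=4.1.1", via: [advisory("GHSA-h67p-54hq-rp68")] },
  },
};

// Hypothetical helper: split findings into those that fail the gate and those
// that pass under it, so sub-threshold advisories stay visible in CI output.
function auditGate(report, auditLevel) {
  const threshold = LEVELS.indexOf(auditLevel);
  if (threshold < 0) throw new Error(`unknown audit level: ${auditLevel}`);
  const blocking = [];
  const belowThreshold = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const rank = LEVELS.indexOf(v.severity);
    const finding = {
      name: v.name,
      severity: v.severity,
      direct: v.isDirect === true,
      range: v.range,
      // `via` mixes advisory objects with names of other vulnerable packages.
      advisories: (v.via || []).filter((x) => x && typeof x === "object").map((x) => x.url),
    };
    // An unrecognised severity fails closed and is treated as blocking.
    (rank < 0 || rank >= threshold ? blocking : belowThreshold).push(finding);
  }
  return { exitCode: blocking.length > 0 ? 1 : 0, blocking, belowThreshold };
}

const gateResult = auditGate(sampleReport, "high");
console.log(gateResult.exitCode, gateResult.blocking.map((f) => f.name),
            gateResult.belowThreshold.map((f) => `${f.name} (${f.severity})`));
```

At `high`, only `ws` fails the gate; the three moderate advisories would not have failed CI on their own, which is why listing `belowThreshold` is useful.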
Salem874 added a commit that referenced this pull request Jun 15, 2026
…admission + dep bumps (supersedes #929, #931, closes #925)

## Summary

Consolidates three pieces of work originally opened as separate PRs to avoid the release-pipeline race condition where multiple PRs landing on `alpha` close in time can both attempt to fire downstream workflows. Originally separate: [#929 GAMDL v3.7.4](#929) (closed) and [#931 alpha deps mirror](#931) (closed) — both bundled into this PR.

### 1 — Brand work (original scope)

* New brand drop applied to `assets/brand/`, `public/`, and `src-tauri/icons/` — every favicon, app icon (ICO / ICNS / PNG), Liquid Glass variant, Windows tile / iOS AppIcon / Android adaptive-icon set, plus system tray icons.
* `logotype` → `wordtype` rename across the codebase — 10 graphics files renamed via `git mv` (history preserved), 6 code files updated, SVG-internal `--logotype-*` CSS custom properties → `--wordtype-*`. Final repo scan → 0 refs outside intentional skip-lists.
* `assets/logo/` orphan folder removed (6 unused earlier-version logos); permanent in-tree archive of the prior brand identity preserved at `assets/brand-old/` (72 files).

### 2 — GAMDL v3.7.4 audit admission (merged from #929, closes #925)

Zero-code-change admission — same shape as v3.3 / v3.5 / v3.5.1 / v3.5.2 / v3.7.1. New audit doc at `.github/audits/gamdl-v3.7.4-audit.md`. `tool-versions.toml [gamdl]` bumped `maximum_tested_version` and `recommended_version` from 3.7.3 → 3.7.4. `.claude/CLAUDE.md` admission paragraph appended.

### 3 — Alpha mirror of #930 dep bumps (merged from #931)

Mirrors PR #930's npm + cargo bumps to alpha. Required because main and alpha lockfile baselines differ. Applied via `npm update` / `cargo update` / explicit `sharp` caret bump. Plus `npm audit fix` to clear the `ws` HIGH severity DoS advisory (same fix as the parallel commit on #930).

| npm | now | cargo | now |
|---|---|---|---|
| `@sentry/browser` | 10.58.0 | `uuid` | 1.23.3 |
| `lucide-react` | 1.18.0 | `regex` | 1.12.4 |
| `@tailwindcss/postcss` | 4.3.1 | | |
| `@tailwindcss/typography` | 0.5.20 | | |
| `@typescript-eslint/eslint-plugin` | 8.61.1 | | |
| `@typescript-eslint/parser` | 8.61.1 | | |
| `eslint` | 10.5.0 | | |
| `eslint-plugin-react-refresh` | 0.5.3 | | |
| `prettier` | 3.8.4 | | |
| `sharp` | 0.35.1 *(caret bump)* | | |
| `tailwindcss` | 4.3.1 | | |

## Verification

* `tsc --noEmit` — clean
* `npm run lint` — clean
* `npm audit --audit-level=high` — 0 vulnerabilities
* Vitest — 550 / 550 passed
* `cargo check --lib` — clean
* `cargo clippy --lib -- -D warnings` — clean
* `cargo test --lib gamdl_capabilities` — 31 / 31 pass against the new 3.7.4 ceiling
* Final repo scan for `logotype` outside intentional skips → **0**

## Test plan

- [ ] CI green
- [ ] Sidebar logo + wordmark render correctly in dev
- [ ] Brandkit page loads without broken references
- [ ] `node scripts/svg-to-apng.mjs` regenerates rasters without errors
- [ ] Close #925, #929, #931 on merge
## Summary

Consolidates #926 (npm minor-patch, 12 updates) and #927 (cargo minor-patch, 2 updates) into a single PR to avoid the race condition where two dependabot PRs land on `main` close in time and one triggers the release pipeline before the other settles.

## Dependency bumps

### npm (12 updates, via PR #926)

- `@sentry/browser`
- `lucide-react`
- `@tailwindcss/postcss`
- `@tailwindcss/typography`
- `@typescript-eslint/eslint-plugin`
- `@typescript-eslint/parser`
- `eslint`
- `eslint-plugin-react-refresh`
- `prettier`
- `sharp`
- `tailwindcss`

### cargo (2 updates, via PR #927)

- `uuid`
- `regex`

## Verification

- `npm install` — clean
- `cargo check --manifest-path src-tauri/Cargo.toml --lib` — clean
- `npm run lint` — clean

## Test plan