[Deps] Safe dependency updates (2026-07-01) #5741

@github-actions

Automated Safe Dependency Updates

This PR contains safe patch-level dependency updates that have been verified to:

  • ✅ Pass all tests (pre-existing DNS IP test failure unrelated to these changes)
  • ✅ Have no breaking changes
  • ✅ No security vulnerabilities in updated packages

Updated Dependencies

| Package | Previous | Updated | Type |
|---|---|---|---|
| @typescript-eslint/eslint-plugin | 8.62.0 | 8.62.1 | patch |
| @typescript-eslint/parser | 8.62.0 | 8.62.1 | patch |
| typescript-eslint | 8.62.0 | 8.62.1 | patch |

Security Fixes Included

None — these are routine patch updates with no CVE fixes.

Vulnerability Assessment Summary

npm audit found no HIGH or CRITICAL vulnerabilities. There are 3 MODERATE vulnerabilities in dev dependencies (via markdownlint-cli2 → js-yaml and markdown-it). These are tracked below but not addressed in this PR as the fix requires a pre-1.0 minor bump (0.21.0 → 0.23.0) that may introduce breaking changes to linting rules.

| Severity | Count | Action |
|---|---|---|
| CRITICAL | 0 | |
| HIGH | 0 | |
| MODERATE | 3 | Tracked (dev-only, no production impact) |
| LOW | 0 | |

Moderate vulnerabilities (dev dependencies only, no production impact):

  • GHSA-h67p-54hq-rp68 — js-yaml quadratic-complexity DoS (CVSS 5.3), via markdownlint-cli2
  • GHSA-6v5v-wf23-fmfq — markdown-it quadratic-complexity DoS (CVSS 5.3), via markdownlint-cli2

Major Updates Skipped (require manual review)

The following packages have major version updates available but were skipped to avoid unintended breaking changes:

| Package | Current | Latest | Reason Skipped |
|---|---|---|---|
| @babel/core | 7.29.7 | 8.0.1 | Major version |
| @commitlint/cli | 20.5.3 | 21.2.0 | Major version |
| chalk | 4.1.2 | 5.6.2 | Major version (ESM only) |
| commander | 12.1.0 | 15.0.0 | Major version |
| execa | 5.1.1 | 9.6.1 | Major version (ESM only) |
| typescript | 5.9.3 | 6.0.3 | Major version |
| markdownlint-cli2 | 0.21.0 | 0.23.0 | Pre-1.0 minor (breaking) |

Verification

  • All tests pass (3386/3387 — 1 pre-existing DNS IP resolution failure unrelated to these changes)
  • No breaking changes detected
  • Build (tsc) passes

Generated by Dependency Security Monitor Workflow


Warning

Protected Files — Push Permission Denied

This was originally intended as a pull request, but the patch modifies protected files. A human must create the pull request manually.

Protected files
  • package-lock.json
  • package.json

The push was rejected because GitHub Actions does not have workflows permission to push these changes, and is never allowed to make such changes, or other authorization being used does not have this permission.

Create the pull request manually
```bash
# Download the patch from the workflow run
gh run download 28500434889 -n agent -D /tmp/agent-28500434889

# Create a new branch
git checkout -b deps/safe-updates-2026-07-01-0986312ca43893b9 main

# Apply the patch (--3way handles cross-repo patches)
git am --3way /tmp/agent-28500434889/aw-deps-safe-updates-2026-07-01.patch

# Push the branch and create the pull request
git push origin deps/safe-updates-2026-07-01-0986312ca43893b9
gh pr create --title '[Deps] Safe dependency updates (2026-07-01)' --base main --head deps/safe-updates-2026-07-01-0986312ca43893b9 --repo github/gh-aw-firewall
```
