Bumps and [minimatch](https://github.com/isaacs/minimatch). These dependencies needed to be updated together.

Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

Updates `minimatch` from 9.0.5 to 9.0.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
- dependency-name: minimatch
  dependency-version: 9.0.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…fcd984 Bump minimatch
Pull request overview
March dependency refresh for create-next2d-app, along with CI workflow updates to make installs reproducible and to gate publishing on lint.
Changes:
- Bump package version to `2.2.1` and update dependency/devDependency versions (notably ESLint/tooling).
- Regenerate `package-lock.json` to reflect updated dependency graph.
- Update GitHub Actions workflows: switch installs to `npm ci`, make `lint.yml` reusable via `workflow_call`, and require lint before publish.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Version bump + dependency/devDependency updates. |
| package-lock.json | Lockfile updated for the new dependency set. |
| .github/workflows/publish.yml | Add lint gate before publishing; switch to npm ci; adjust job permissions. |
| .github/workflows/lint.yml | Enable workflow_call; switch to npm ci; adjust triggers/permissions. |
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| id-token: write |
The publish job now requests pull-requests: write, but this workflow only runs on push to main and the steps shown don’t interact with PRs. This is broader than necessary and increases the blast radius if a dependency/script is compromised; consider removing pull-requests: write (and keep only the minimum permissions required for publishing, e.g. contents: read plus id-token: write only if you’re using OIDC/provenance).
| permissions: | |
| contents: read | |
| pull-requests: write | |
| id-token: write |
|
|
||
| jobs: | ||
| lint: | ||
| uses: ./.github/workflows/lint.yml |
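Review bot: the `lint` job at `uses: ./.github/workflows/lint.yml` sets no `permissions:` key in the lines shown. A job that calls a reusable workflow can carry its own `permissions:` block, and the called workflow can only keep or reduce what it is given, so adding `permissions:` with `contents: read` under `lint:` keeps the `npm ci` and lint steps away from the `id-token: write` and `pull-requests: write` scopes requested for publishing.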
publish now waits on the reusable lint workflow, which runs on macOS and Windows. This will significantly increase release latency and runner cost for every push to main; if the goal is only a pre-publish sanity check, consider calling a lighter-weight lint job (e.g., Ubuntu-only) or splitting the workflow so cross-OS lint remains on PRs while publish gates on a faster check.
| uses: ./.github/workflows/lint.yml | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v6 | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: 24 | |
| - run: npm ci | |
| - run: npm run lint |
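Review bot: `actions/checkout@v6` and `actions/setup-node@v6` in the suggested steps are referenced by a movable version tag. In a job that gates publishing, pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, so a retagged action release cannot change what runs before publish.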
No description provided.