chore(deps): aggregate weekly Dependabot batch (api, ui, docs, ci) #247
Merged
Consolidates 21 open Dependabot PRs (#226–#246) into one. All bumps are minor/patch; lockfiles regenerated and full verification run.

apps/api:
- @anthropic-ai/sdk 0.104.1 → 0.105.0, openai 6.42.0 → 6.44.0 (ai group)
- @opentelemetry/sdk-node 0.218.0 → 0.219.0
- @sentry/bun 10.57.0 → 10.59.0
- bullmq 5.78.1 → 5.79.1 (still pins ioredis 5.10.1; ioredis override holds)
- elysia 1.4.28 → 1.4.29
- resend 6.12.4 → 6.14.0, stripe 22.2.1 → 22.2.2
- eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68

apps/ui:
- react-hook-form 7.79.0 → 7.80.0, react-router-dom 7.17.0 → 7.18.0
- zustand 5.0.13 → 5.0.14, @sentry/react 10.57.0 → 10.59.0
- lucide-react 1.20.0 → 1.21.0
- storybook + addon-a11y/addon-themes/react-vite 10.4.4 → 10.4.6
- @playwright/test 1.60.0 → 1.61.0, vitest + coverage-v8 4.1.8 → 4.1.9
- eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68

apps/docs:
- astro 6.4.6 → 6.4.8 (markdown-remark 7.2.0 override comment refreshed)
- astro-mermaid 2.0.1 → 2.0.4, sharp 0.35.1 → 0.35.2
- wrangler 4.100.0 → 4.103.0

ci:
- actions/cache 5.0.5 → 6.1.0 (8 workflows)

Verified: api check + 1188 tests, ui check + 656 tests, docs build:ci, frozen-lockfile install clean.
.tsforge/scaffold-manifest.json (added in #224) declares which env-var names each AI provider requires (OPENAI_API_KEY, ANTHROPIC_API_KEY) plus non-secret defaults. gitleaks' generic-api-key rule flags the provider/secret-keyword proximity, but the manifest holds only key names and placeholder config — no secret values. Narrow path allowlist, mirroring the existing deny-list/config entries. Pre-existing finding; surfaced on the first local push since #224 merged.
Consolidates the 21 open Dependabot PRs (#226–#246) into a single PR. All bumps are minor/patch. Lockfiles regenerated in all three workspaces; full verification run locally.
Bumps

apps/api
- @anthropic-ai/sdk 0.104.1 → 0.105.0, openai 6.42.0 → 6.44.0 (ai group, chore(deps)(deps): bump the ai group in /apps/api with 2 updates #241)
- @opentelemetry/sdk-node 0.218.0 → 0.219.0 (chore(deps)(deps): bump @opentelemetry/sdk-node from 0.218.0 to 0.219.0 in /apps/api #243)
- @sentry/bun 10.57.0 → 10.59.0 (chore(deps)(deps): bump @sentry/bun from 10.57.0 to 10.59.0 in /apps/api in the observability group #240)
- bullmq 5.78.1 → 5.79.1 (chore(deps)(deps): bump bullmq from 5.78.1 to 5.79.1 in /apps/api in the bullmq group #231) — still pins ioredis 5.10.1; the ioredis: 5.11.1 override collapses it (single copy verified, no nested 5.10.1)
- elysia 1.4.28 → 1.4.29 (chore(deps)(deps): bump elysia from 1.4.28 to 1.4.29 in /apps/api in the elysia group #228)
- resend 6.12.4 → 6.14.0 (chore(deps)(deps): bump resend from 6.12.4 to 6.14.0 in /apps/api in the email group #236), stripe 22.2.1 → 22.2.2 (chore(deps)(deps): bump stripe from 22.2.1 to 22.2.2 in /apps/api in the stripe group #235)
- eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68 (lint group, chore(deps)(deps-dev): bump the lint group in /apps/api with 2 updates #238)

apps/ui
- react-hook-form 7.79.0 → 7.80.0 (chore(deps)(deps): bump react-hook-form from 7.79.0 to 7.80.0 in /apps/ui #246), react-router-dom 7.17.0 → 7.18.0 (chore(deps)(deps): bump react-router-dom from 7.17.0 to 7.18.0 in /apps/ui in the react group #227)
- zustand 5.0.13 → 5.0.14 (chore(deps)(deps): bump zustand from 5.0.13 to 5.0.14 in /apps/ui #245), @sentry/react 10.57.0 → 10.59.0 (chore(deps)(deps): bump @sentry/react from 10.57.0 to 10.59.0 in /apps/ui in the observability group #244)
- lucide-react 1.20.0 → 1.21.0 (chore(deps)(deps): bump lucide-react from 1.20.0 to 1.21.0 in /apps/ui in the tailwind-shadcn group #239)
- storybook + addon-a11y / addon-themes / react-vite 10.4.4 → 10.4.6 (storybook group, chore(deps)(deps-dev): bump the storybook group in /apps/ui with 4 updates #237)
- @playwright/test 1.60.0 → 1.61.0, vitest + @vitest/coverage-v8 4.1.8 → 4.1.9 (testing group, chore(deps)(deps-dev): bump the testing group in /apps/ui with 3 updates #233)
- eslint-plugin-sonarjs 4.0.3 → 4.1.0, eslint-plugin-unicorn 67 → 68 (lint group, chore(deps)(deps-dev): bump the lint group in /apps/ui with 2 updates #242)

apps/docs
- astro 6.4.6 → 6.4.8 (chore(deps)(deps): bump astro from 6.4.8 to 7.0.0 in /apps/docs #230) — still pins @astrojs/markdown-remark 7.2.0; override comment refreshed
- astro-mermaid 2.0.1 → 2.0.4 (chore(deps)(deps): bump astro-mermaid from 2.0.1 to 2.0.4 in /apps/docs #234), sharp 0.35.1 → 0.35.2 (chore(deps)(deps): bump sharp from 0.35.1 to 0.35.2 in /apps/docs #232)
- wrangler 4.100.0 → 4.103.0 (chore(deps)(deps-dev): bump wrangler from 4.100.0 to 4.103.0 in /apps/docs #226)

ci
- actions/cache 5.0.5 → 6.1.0 across 8 workflows (chore(ci): bump actions/cache from 5.0.5 to 6.1.0 #229)

Verification
- apps/api: bun run check clean, 1188 tests pass (1 skip, 0 fail) incl. Redis/BullMQ/valkey integration
- apps/ui: bun run check clean, 656 tests pass
- apps/docs: build:ci clean (astro 6.4.8 builds, markdown-remark override holds, fragments + rendered-markdown checks pass)
- bun install --frozen-lockfile clean (CI condition)

Note
Second commit adds a narrow gitleaks path allowlist for .tsforge/scaffold-manifest.json (added in #224) — a config manifest declaring required env-var names with no secret values. Pre-existing generic-api-key false positive; this is the first local push since #224 merged, so it surfaced on the push gate.

Closes #226, #227, #228, #229, #230, #231, #232, #233, #234, #235, #236, #237, #238, #239, #240, #241, #242, #243, #244, #245, #246
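
A path allowlist stops gitleaks from scanning the manifest at all, so the claim that it holds only env-var names and placeholders can be enforced by a separate check. The sketch below is an added example, not code from this repository; the manifest shape, the function names and the length and entropy thresholds are assumptions.

```javascript
// Added example (not this repository's code): guard for a file that a
// gitleaks path allowlist excludes from scanning.
const ENV_NAME = /^[A-Z][A-Z0-9_]*$/; // e.g. OPENAI_API_KEY

// Shannon entropy in bits per character.
function entropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Suspicious: long, unbroken, random-looking, and not an env-var name.
// The thresholds (20 chars, 3.5 bits/char) are assumptions for this sketch.
function looksLikeSecret(value) {
  if (ENV_NAME.test(value)) return false;
  if (value.length < 20 || /\s/.test(value)) return false;
  return entropy(value) >= 3.5;
}

// Walk every string value and return the JSON paths of suspicious ones.
function findSecretLikeValues(node, path = "$") {
  if (typeof node === "string") return looksLikeSecret(node) ? [path] : [];
  if (Array.isArray(node))
    return node.flatMap((v, i) => findSecretLikeValues(v, `${path}[${i}]`));
  if (node && typeof node === "object")
    return Object.entries(node).flatMap(([k, v]) => findSecretLikeValues(v, `${path}.${k}`));
  return [];
}

// Constructed manifest: the real schema is not shown on the page.
const cleanManifest = {
  providers: {
    openai: { requiredEnv: ["OPENAI_API_KEY"], defaults: { model: "placeholder-model", timeoutMs: 30000 } },
    anthropic: { requiredEnv: ["ANTHROPIC_API_KEY"], defaults: { model: "placeholder-model" } },
  },
};
// Same manifest with a constructed random string (not a real key) added.
const leakyManifest = JSON.parse(JSON.stringify(cleanManifest));
leakyManifest.providers.openai.defaults.apiKey = "Zx9qL2mV7tK4pR8wB1nY6cH3";

console.log(findSecretLikeValues(cleanManifest)); // no findings
console.log(findSecretLikeValues(leakyManifest)); // one finding
```

Run against the parsed manifest in the same push gate or CI job, a non-empty result fails the build, which keeps the allowlisted path from becoming an unscanned blind spot.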