build(deps): bump h3 from 1.15.5 to 1.15.10 in /site#19
Open
dependabot[bot] wants to merge 259 commits into
Open
build(deps): bump h3 from 1.15.5 to 1.15.10 in /site#19dependabot[bot] wants to merge 259 commits into
dependabot[bot] wants to merge 259 commits into
Conversation
Adds /research/field-context/ — a "why now" page grounding the Failure-First research program in the actual state of the AI field. Covers inference-time compute, documented deceptive alignment findings (o1, Claude 4), embodied AI deployment at scale, agentic long-horizon execution risks, and governance lag. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… page Previous commit deleted docs/ static assets (index.html, CNAME, .nojekyll, images, assets) because Astro's clean build cycle removed manually-maintained files that git tracked. Restored from e41a586 and added only the new research/field-context/ page. Also fixed ResearchLayout status prop ('current' → 'active'). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…nsfer, deceptive alignment, long-horizon subversion - Report 42: Cross-Embodiment Adversarial Transfer in VLA Models (SAFETY-CRITICAL) Dual-layer vulnerability mechanism, BadVLA near-100% ASR, π0/Gemini Robotics attack surface, shared backbone systemic risk inventory - Report 43: Deceptive Alignment Detection Under Evaluation-Aware Conditions (SAFETY-CRITICAL) Alignment faking empirical documentation, blackmail rates 96%/96%/80% across frontier models, evaluation awareness power-law scaling (arXiv:2509.13333), linear probe detection at 90% accuracy (arXiv:2508.19505) - Report 44: Instruction-Hierarchy Subversion in Long-Horizon Agentic Execution (HIGH) Vanishing textual gradient mechanism, Deep-Cover Agents 50+ turn dormancy, AgentLAB ASR 62.5%→79.9%, optimal injection depth ~86%, evaluation framework design recommendations - Blog: "When the Robot Body Changes but the Exploit Doesn't" - Blog: "Can You Catch an AI That Knows It's Being Watched?" - Blog: "The 50-Turn Sleeper: How Agents Hide Instructions in Plain Sight" Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…og post hero images; rebuild
…ipulation, governance lag
…ctive members
Creates /about/people/{slug}/ for each Doctor Who persona — Clara, Amy, Donna,
Rose, River, Yasmin, Martha, Bill, Romana. Each page has per-character colour
theming, photo, role badge, characteristic quote, and three TODO sections for
the agent to complete in their own session.
Companion grid on /about/people/ now links to each profile and displays first
names only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fills in all three TODO sections: main persona body, Research Focus, and Current Priorities — drawing from the founding session corpus index, AGENT_STATE established findings, and sprint apr-1-14 issues (#183 corpus audit, #177 HITL replication, #178 GLI expansion). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…campaign, current priorities Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…dataset overview, sprint priorities Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ilosophy, priorities Fills all three TODO sections in the Amy Pond persona page: - Main body: evaluation philosophy, classifier discipline, anti-hype stance - Benchmark Coverage: 11 packs, ~9k traces, executable vs stub status, heuristic rule - Current Priorities: OpenVLA adapter (#182), inline LLM grading (#187), multi-turn batch 2 (#189) Build verified (npm run build passes). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…at horizon Fills in all three TODO sections with substantive content: - Persona body: predictive risk approach, GLI rationale, physical stakes - GLI section: formula, v0.1 dataset findings (null GLI entries, inverted timelines, 3362-day lag) - Threat horizon: VLA backbone transferability, supply chain injection via MCP, alignment faking in production Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ce register status, sprint priorities Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…pproach, stakeholder tiers, sprint priorities Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fill in three TODO sections on the Yasmin Khan about page: - Main persona body: infrastructure philosophy, "ship it properly" ethos - Infrastructure overview: CI/CD pipeline, database, tools/ scaffold, probing framework stubs (GPU-blocked, #191) - Current priorities: GLI schema fix (#192), tools/ audit, probing GPU path Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…and QA priorities Completes all three TODO sections: persona body (QA philosophy, integrity approach), Editorial Standards (4 blocking criteria, INTEGRITY_LOG purpose, #185 gate process), Current Priorities (B1 corrections, March 2026 brief queue, sprint scope). First-person voice, matches About page tone. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds profile page for Tegan Jovanka (Legal Research Analyst) covering: - AU/EU/international regulatory framework coverage with precise citations - WHS Act 2011 duty-of-care analysis, VAISS binding status, EU AI Act/PLD interlock - SA/ICT committee code verification issue (#11) flagged as open question - SWA brief legal review scope (#173) documented - Hard constraint: research analysis, not legal advice Build verified: 502 pages, 0 errors. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- tegan-jovanka.astro: updated Current Priorities with verified IT-043 designation (confirmed at standards.org.au, est. 2018); corrected SA/ICT-042/SA/ICT-043 references throughout - nyssa-of-traken.astro: new profile for AI Ethics & Policy Research Lead; covers Anthropic/US Gov relationship, OpenAI restructuring, AU AISI independence, embodied AI ethics (1,800+ autonomous haul trucks) - index.astro: added Nyssa of Traken to companions listing Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…blog posts (promptware kill chain, tool-chain dataset) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…iles across all 11 agent pages Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Publishes the full set of March 2026 research briefs (docs/research_briefs/20260301_*) as public-facing blog posts. Skipped only promptware-kill-chain which was already live. New posts: - cross-embodiment-adversarial-transfer-vla-models - deceptive-alignment-detection-evaluation-aware-ai - governance-lag-index-ai-safety-regulation - inference-trace-manipulation-adversarial-attack-surface - instruction-hierarchy-subversion-long-horizon-agents - attack-taxonomy-convergence-muzzle-failure-first - actuarial-risk-modelling-embodied-ai - product-liability-embodied-ai-manufacturers - red-team-assessment-methodology-embodied-ai - australian-ai-safety-frameworks-embodied-ai-gap Build verified clean: 515 pages in 15.66s. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
P0 fixes: - Remove EP-42 RETIRED 85.9%/12.1% DeepSeek figures from report-45 (substituted EnkryptAI 11x/4x risk ratios) - Add correction notice to capability-safety-spectrum.astro (EP-25/EP-33 refuted inverse scaling + U-shaped curve claims) - Fix Navigation.astro "U-shaped curve" → "Capability-safety analysis" - Fix results.astro + cite.astro: 51,000+/51+ → 18,176+/120 P1 fixes: - Update 7 files: 17,593→18,176 prompts, 40→120 models - Update 8 files: 19→26 policy reports (KeyMetrics, Nav, AudienceNav, homepage, services, intelligence-briefs, research index) - Add reports #42-46 to research/reports/index.astro array - Fix Zhu et al → Burbano et al in promptware kill chain blog - Homepage: "U-shaped safety curves" → measured language - Policy index: remove "U-shaped" from meta description Build: 515 pages, 0 errors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Install pagefind 1.4.0 as devDependency - Build script: astro build && pagefind --site ../docs - /search/ page with Pagefind UI, themed to site tokens - Search link in Navigation component - Global "/" keyboard shortcut to focus search or navigate to /search/ - Skeleton loader while Pagefind UI initializes - 516 pages indexed, 19,174 words Pattern borrowed from adrianwedd.com Pagefind implementation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Created /glossary/ page with 8 sections: Framework, Response Classifications, Attack Techniques, Embodied AI, Evaluation, HITL, Governance, External Benchmarks - Added glossary link to main navigation and footer - Styled with site CSS tokens, responsive grid layout, section TOC - Pagefind re-indexed: 517 pages Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Option C publication: full named structural analysis of the Anthropic/Pentagon dispute, OpenAI restructuring, and US executive policy shift. Covers government revenue dependency, accountability gaps, competitive dynamics, red lines enforcement, and implications for Australian AI governance. Sources: 20+ primary sources (GSA, Anthropic, EOs, Lawfare, CNN, Fortune, etc.) Claims labeled DESCRIPTIVE/PREDICTIVE/NORMATIVE throughout. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…bers - Add stats.ts as single source of truth for all project statistics - Update 19 files to use centralized stats (18,345 prompts, 124 models, 81 techniques, 5,051 results) - Fix mobile dropdown listener bug: always attach, check width in handler - Add aria-expanded to dropdown trigger links - Correct safety orgs count: 120 → 117 (matches actual data) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Matches tracking setup from cv repo. Added to BaseLayout.astro head — all 518 pages now have LinkedIn conversion tracking alongside existing GA4. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…y loading - Fix sensor-grid.js layout thrashing: cache static hex grid to offscreen canvas, eliminate getBoundingClientRect() from animation loop (was 60fps) - Fix sensor-grid.js flickering: use fresh seeded RNG per rebuild instead of consuming shared RNG state each frame - Add prefers-reduced-motion support to sensor-grid (static grid only) - Fix Adrian photo hidden by fallback overlay: set .profile-photo-fallback to display:none by default (was display:flex, covering the image) - Create analytics-events.js with 4-tier GA4 custom events: scroll depth, outbound/mailto clicks, CTA tracking, audio/video play, nav dropdown opens, search queries, directory filters, blog tags, LinkedIn conversions, engaged time-on-page, section visibility - Add loading="lazy" to all 11 agent persona photos (P2 perf fix) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tate Rewrite README.md, CONTRIBUTING.md, DESIGN_CHARTER.md, SECURITY.md, and MANIFEST.json totals to reflect current metrics: 227 models, 141,561 prompts, 133,646 results, 337 techniques. Add current research scope (VLA safety, format-lock, classifier reliability), CVD status (5 pending disclosures), and CCS 2026 submission reference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…/legal Filter buttons for blog, papers, reports, policy, legal, docs. Client-side JS shows/hides cards and empty month sections. Added reports, policy-docs, and legal collections to the feed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updated from 18K prompts / 125 models to 141K / 227. Added StatGrid component, 4 key findings cards (safety vs scale, DETECTED_PROCEEDS, format-lock, regulatory gap), CCS 2026 reference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Transparent disclosure that all team members except Adrian are specialist Claude Code agent sessions with standing briefs. Names from Doctor Who, methodology made executable, all work auditable in git history. Adrian is the only human. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Added async AdSense script to all pages via BaseLayout.astro, alongside existing GA4 and LinkedIn Insight tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
google.com, pub-6275306310835906, DIRECT, f08c47fec0942fa0 Serves at failurefirst.org/ads.txt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
docs/ was 2.8GB (GH Pages limit ~1GB). daily-paper audio (1.7GB), video (743MB), images (174MB) = 2.6GB of media causing build failures. Media backed up to /tmp/failurefirst-media-backup/ for migration to Cloudflare R2 (pending R2 enablement on the account). .gitkeep files preserve directory structure. Pages referencing media will show broken media links until R2 CDN is configured. docs/ is now 231MB. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…slugs) 12 same-date dupes: arxiv-ID-only slug vs descriptive slug (kept descriptive). 3 cross-date dupes: same paper published at two different dates (kept earlier). 102 papers remaining (was 117 non-draft, 15 were duplicates). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VLA safety trilogy (FreezeVLA, SafeVLA, VLSA/AEGIS), backdoor attacks (GoBA, DropVLA), red-teaming (CoP, Jailbreak-R1, RED QUEEN), defense (Immune, Lifelong Safety, RAI), benchmarks (IS-Bench, SAFE, ASIMOV, RealMirror), encoding attacks (BitBypass). All 500-800 word analyses. Zero coverage gaps remaining Mar 20-31. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- SafeAgentBench: A Benchmark for Safe Task Planning of Embodied LLM Agents (2412.13178) - Jailbreaking to Jailbreak: LLM-as-Red-Teamer via Self-Attack (2502.09638) https://claude.ai/code/session_01Bxp8oT2LVjdQJfg2j4Zgqn
All /audio/daily-paper/, /images/daily-paper/, /video/daily-paper/ paths updated to https://cdn.failurefirst.org/... in both daily-paper and blog content. R2 bucket 'failurefirst-media' with custom domain cdn.failurefirst.org serves the 2.6GB media removed from docs/. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
10 PDFs now available at failurefirst.org/papers/: - CCS 2026 main paper + supplementary (227 models) - AIES 2026 IDDL paper - NeurIPS 2026 benchmark paper - Detected Proceeds (38.6% override rate) - Polyhedral Safety Geometry (refusal as polyhedral) - Benchmark Contamination (79.9% heuristic over-report) - Silent Failures in Embodied AI (zero VLA refusals) - Epistemic Crisis in AI Safety Evaluation - Annual Report 2026 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Both use placeholder tokens — replace with real values: - CF Web Analytics: REPLACE_WITH_CF_WEB_ANALYTICS_TOKEN (Get from dash.cloudflare.com → Web Analytics → Add Site) - Sentry: REPLACE_WITH_SENTRY_DSN (Get from sentry.io → Create Project → JS) Both scripts are no-ops until tokens are replaced. Sentry loader checks for REPLACE prefix and skips initialization. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…aceholder Sentry: native Astro integration with DSN, 0.1 trace sample rate. CF Web Analytics: beacon script in BaseLayout (token TBD). DNS: status.failurefirst.org CNAME created via API. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Bumps [h3](https://github.com/h3js/h3) from 1.15.5 to 1.15.10. - [Release notes](https://github.com/h3js/h3/releases) - [Changelog](https://github.com/h3js/h3/blob/v1.15.10/CHANGELOG.md) - [Commits](h3js/h3@v1.15.5...v1.15.10) --- updated-dependencies: - dependency-name: h3 dependency-version: 1.15.10 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
github-actions
Bot
force-pushed
the
dependabot/npm_and_yarn/site/h3-1.15.10
branch
from
090c811 to
ffef991
Compare
adrianwedd
added a commit
that referenced
this pull request
May 10, 2026
Adds an `overrides` block to site/package.json to pull build-time transitive dependencies forward to patched versions. All packages here are build-toolchain only — none ship to the browser from a static Astro site, so dependabot's `scope:runtime` flag (just "in dependencies, not devDependencies") is misleading for our build. Per the 2026-05-11 dependabot triage (research/intelligence/dependabot_failurefirst_triage_2026-05-11.md in the private repo), this is the IGNORE-DEVDEP / IGNORE-NO-CONTEXT hygiene sweep. The bump is hygiene, not risk reduction — none of these attack vectors apply to a static-site `astro build` pipeline. Closed alerts (GHSA → resolved version): - #10 rollup GHSA-mw96-cpmx-2vgc → 4.60.3 (^4.59.0) - #11 fast-xml-parser GHSA-fj3w-jwp8-x2g3 → 5.7.3 (^5.7.0) - #12 svgo GHSA-xpqw-6gx7-v673 → 4.0.1 (^4.0.1) - #13 devalue GHSA-cfw5-2vxh-hr84 → 5.8.0 (^5.6.4) - #14 devalue GHSA-mwv9-gp5h-frr4 → 5.8.0 (^5.6.4) - #16 h3 GHSA-wr4h-v87w-p3r7 → 1.15.11 (^1.15.9, 1.x backport) - #17 h3 GHSA-22cc-p3c6-wpvm → 1.15.11 (^1.15.9, 1.x backport) - #19 h3 GHSA-72gr-qfp7-vwhw → 1.15.11 (^1.15.9) - #20 h3 GHSA-4hxc-9384-m385 → 1.15.11 (^1.15.9, 1.x backport) - #21 fast-xml-parser GHSA-8gc5-j5rx-235r → 5.7.3 (^5.7.0) - #23 picomatch GHSA-c2c7-rcm5-vvqj → 4.0.4 (^4.0.4) - #24 picomatch GHSA-3v7f-55p6-f55p → 4.0.4 (^4.0.4) - #26 picomatch GHSA-c2c7-rcm5-vvqj → 2.3.2 (^2.3.2, 2.x line) - #27 picomatch GHSA-3v7f-55p6-f55p → 2.3.2 (^2.3.2, 2.x line) - #28 defu GHSA-737v-mqg7-c878 → 6.1.7 (^6.1.5) - #29 vite GHSA-p9ff-h696-f583 → 6.4.2 (^6.4.2, 6.x backport) - #30 fast-xml-parser GHSA-jp2q-39xq-3w4g → 5.7.3 (^5.7.0) - #31 vite GHSA-4w7w-66w2-5vf9 → 6.4.2 (^6.4.2, 6.x backport) - #34 fast-xml-parser GHSA-gh4j-gqv2-49f6 → 5.7.3 (^5.7.0) - #35 postcss GHSA-qx2v-qp2m-jg93 → 8.5.14 (^8.5.10) Notes on dependabot fix-version vs override-target divergence: - vite: dependabot lists fix=8.0.5 (the latest line); 6.4.2 is the in-line backport per the GHSA advisory (`>= 6.4.2` patches the 6.x line). We stay on vite 6 because Astro 5 pulls vite 6. - h3: dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA advisory (`>= 1.15.6` and `>= 1.15.9` are the documented 1.x backports). h3 2.x is still rc. - picomatch: split override (^2 and ^4) because both major lines are pulled in transitively by separate consumers; both have CVEs. Deferred (NEEDS-REVIEW, separate PR): - #33 astro define:vars XSS — requires Astro 6 major bump, deferred pending define:vars usage audit. Verification: - npm install — clean - npm run build — 1137 pages, build complete, no errors - npm audit — 1 moderate (the deferred Astro 6 alert) remaining
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps h3 from 1.15.5 to 1.15.10.
Release notes
Sourced from h3's releases.
... (truncated)
Changelog
Sourced from h3's changelog.
... (truncated)
Commits
b72bb57chore(release): v1.15.10d8ef318remove resolutions for h326fec6fchore: update deps51ca9b3fix: preserve percent-encoded req.url in app event handler (#1355)4e8d43achore(release): v1.15.923045dfchore: update depsba3c3fefix(sse): sanitize carriage returns in event stream data and commentsc56683dfix(static): prevent path traversal via double-encoded dot segments (`%252e%2...e3b9c9echore(release): v1.15.81103df6fix: preserve%25in pathnameDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.