Skip to content

deps: upgrade all dependencies to latest#71

Merged
jongio merged 2 commits into
mainfrom
deps/upgrade-all
Jul 9, 2026
Merged

deps: upgrade all dependencies to latest#71
jongio merged 2 commits into
mainfrom
deps/upgrade-all

Conversation

@jongio

@jongio jongio commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Summary

Autonomous dependency-upgrade run: upgrades all dependencies (Go modules + npm + pnpm) to their latest allowed versions and fixes forward.

Changes

Go

  • cli: bump go directive 1.26.41.26.5 to remediate GO-2026-5856 (crypto/tls stdlib vulnerability fixed in go1.26.5, flagged by govulncheck)
  • cli: golang.org/x/crypto 0.53.0→0.54.0, sync 0.21.0→0.22.0, sys 0.46.0→0.47.0, term 0.44.0→0.45.0, text 0.39.0→0.40.0 (indirect)
  • tools/scenario: golang.org/x/sys 0.46.0→0.47.0, modernc.org/libc 1.74.0→1.74.1 (indirect)
  • workflows: GO_VERSION 1.26.41.26.5 in ci, pr-build, release, release-only, update-azd-core

npm (cli)

  • Refresh 11 transitive @azure/msal-* deps in package-lock.json (0 vulnerabilities; package.json unchanged — all direct deps already latest)

pnpm (web)

  • astro 7.0.6 → 7.0.7
  • @types/node 26.1.0 → 26.1.1
  • overrides: tinyglobby>picomatch 4.0.4→4.0.5, yaml-language-server>yaml 2.8.3→2.9.0

Validation (all green locally, go1.26.5)

  • go build, go vet, gofmt -l, golangci-lint run, gosec, govulncheck — clean (both modules)
  • go test -short ./src/... — pass
  • Cross-platform builds (win/linux/darwin amd64+arm64) — pass
  • npm — 0 vulnerabilities
  • web pnpm build + pnpm install --frozen-lockfile — pass

Co-authored-by: Copilot App 223556219+Copilot@users.noreply.github.com

Go:
- cli: bump go directive 1.26.4 -> 1.26.5 to remediate GO-2026-5856
  (crypto/tls stdlib vuln fixed in go1.26.5)
- cli: golang.org/x/crypto 0.53.0->0.54.0, sync 0.21.0->0.22.0,
  sys 0.46.0->0.47.0, term 0.44.0->0.45.0, text 0.39.0->0.40.0
- tools/scenario: golang.org/x/sys 0.46.0->0.47.0,
  modernc.org/libc 1.74.0->1.74.1
- workflows: GO_VERSION 1.26.4 -> 1.26.5 (ci, pr-build, release,
  release-only, update-azd-core)

npm (cli):
- refresh 11 transitive @azure/msal-* deps in package-lock.json (0 vulns)

pnpm (web):
- astro 7.0.6 -> 7.0.7
- @types/node 26.1.0 -> 26.1.1
- overrides: tinyglobby>picomatch 4.0.4->4.0.5,
  yaml-language-server>yaml 2.8.3->2.9.0

All builds, vet, gofmt, golangci-lint, gosec, govulncheck, and test
suites pass locally under go1.26.5; web build + frozen-lockfile install
verified.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@jongio jongio self-assigned this Jul 8, 2026
@jongio jongio added the deps Dependency updates label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🚀 Website Preview

Your PR preview was available here.

Preview has been cleaned up as the PR was closed.

github-actions Bot added a commit that referenced this pull request Jul 8, 2026
- github.com/mark3labs/mcp-go: v0.55.1 -> v0.56.0

- golang.org/x/net: v0.56.0 -> v0.57.0 (indirect)

- golang.org/x/exp: bump (indirect)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Jul 9, 2026
@jongio
jongio merged commit 789f462 into main Jul 9, 2026
11 checks passed
github-actions Bot added a commit that referenced this pull request Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

deps Dependency updates

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant