Skip to content

Limit automatic caching to npm, update workflows and documentation#1374

Merged
HarithaVattikuti merged 10 commits into
actions:mainfrom
priyagupta108:enable-npm-cache-default
Oct 14, 2025
Merged

Limit automatic caching to npm, update workflows and documentation#1374
HarithaVattikuti merged 10 commits into
actions:mainfrom
priyagupta108:enable-npm-cache-default

Conversation

@priyagupta108

@priyagupta108 priyagupta108 commented Sep 22, 2025

Copy link
Copy Markdown
Contributor

Description:
This PR updates the caching logic to refine the automatic caching feature added in response to Feature Request #686 and implemented in #1348. In addition, it updates workflow configurations and documentation for improved clarity and compatibility.

Key Changes:

  • Automatic Caching Logic:
    • npm: Caching is now automatically enabled by default if package.json contains either a devEngines.packageManager field or a top-level packageManager field set to npm, and no explicit cache input is provided.
    • pnpm & yarn: Caching is disabled by default to avoid compatibility issues. Users who wish to enable caching for pnpm or yarn can do so manually via the cache input.
  • Workflow Updates:
    • Updated Node.js version specifications in workflow YAML files.
    • Replaced macos-13 with macos-latest-large in workflows, following actions/runner-images#13046.
  • Documentation:
    • Revised documentation to reflect the updated default caching behavior for npm.
    • Updated example workflows to use the latest versions and recommended configurations.

Related issues:

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

Copilot AI review requested due to automatic review settings September 22, 2025 10:03
@priyagupta108 priyagupta108 requested a review from a team as a code owner September 22, 2025 10:03
@priyagupta108 priyagupta108 self-assigned this Sep 22, 2025

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the caching behavior to enable automatic caching only for npm by default, while removing auto-caching support for pnpm and yarn to avoid compatibility issues. The changes also update documentation examples to use Node.js version 24.

  • Restricts automatic caching to npm only when detected from package.json's packageManager field
  • Updates documentation examples from older Node.js versions (14, 16, 18, 20) to version 24
  • Improves error messaging to be more specific about npm auto-caching

Reviewed Changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/main.ts Restricts auto-caching logic to npm only and updates related comments
docs/advanced-usage.md Updates Node.js version examples from legacy versions to v24
action.yml Updates package-manager-cache input description to clarify npm-only behavior
tests/main.test.ts Updates test to use npm instead of yarn for package manager detection
README.md Updates documentation to reflect npm-only auto-caching and Node.js v24 examples

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread src/main.ts
@priyagupta108 priyagupta108 changed the title Update caching defaults for npm and documentation update Limit automatic caching to npm and update documentation Sep 22, 2025
@kachkaev

kachkaev commented Sep 22, 2025

Copy link
Copy Markdown

I believe this change needs to be released as v6. I have already removed explicit caching option for a few projects and they work well because actions/setup-node@v5 follows pnpm/action-setup@v4. If cache: pnpm becomes a requirement again in v5, existing workflows will end up burning more CI minutes.

@voxpelli

Copy link
Copy Markdown

I would really love if something like my PR can get in as well, been sitting there for 3 years with very little attention: #702

@scottohara

Copy link
Copy Markdown

In the context of npm only, I'm interested in whether packageManager is the right field to use for this.

My concern stems from the fact that there are multiple ways to specify a package manager and version, and they all slightly differ in their intended purpose:

engines.<npm|pnpm|yarn>

According to npm's documentation, the engines field in package.json is described as follows:

You can specify the version of node that your stuff works on.
You can also use the "engines" field to specify which versions of npm are capable of properly installing your program.

The key phrasing here seems to be "....capable of properly installing your program".

devEngines.packageManager

According to npm's documentation, the devEngines field in package.json is described as follows:

The devEngines field aids engineers working on a codebase to all be using the same tooling.
Note: engines and devEngines differ in object shape. They also function very differently. engines is designed to alert the user when a dependency uses a differening npm or node version that the project it's being used in, whereas devEngines is used to alert people interacting with the source code of a project.

The key phrasing here seems to be "...people interacting with the source code of a project".

packageManager

This field is not defined or documented by npm, but is rather a nodejs concept introduced in v16.16.0 alongside Corepack.

As with Corepack, it is still marked as experimental, and from Node v25, Corepack is expected to stop being distributed by Node.

Summary

Given all of the above, my take on this is:

devEngines.packageManager would be inappropriate to use in this context, as setup-node does not exactly fit the definition of "...people interacting with the source code of a project"

packageManager is an experimental field used to support Corepack, and indeed the docs specifically state that:

While npm is a valid option in the packageManager property, the lack of shim will cause the global npm to be used.

(so it could be argued that packageManager: npm is not really intended for use? It is certainly not listed in supported package managers.)

engines.npm is npm's official way of specifying the version of npm supported, and setup-node does seem to fit more with the definition of "...capable of properly installing your program".

Anecdotally, Heroku notes in their documentation:

  • For specifying npm, use engines.npm (they don't support packageManager: npm@<version>)
  • For specifying pnpm, use either packageManager: pnpm@<version> or engines.pnpm
  • For specifying yarn, use either packageManager: yarn@<version> or engines.yarn

My view is that setup-node should look in the engines field first to determine which package manager is used (based on the presence of engines.<npm|pnpm|yarn>), and then fallback to packageManager.

I don't think packageManager: npm is the right long term choice here, given the fact that Corepack (and by extension, the packageManager field itself) is likely to be split out from Node in the future.

That is my 2c.

@MikeMcC399

Copy link
Copy Markdown
Contributor

@priyagupta108

Copy link
Copy Markdown
Contributor Author

Hello,

As part of this PR, we introduce detection support for devEngines.packageManager, enabling automatic caching for npm dependencies. This improvement will be included in the upcoming v5 patch release. We believe this enhancement will help streamline workflows and improve consistency across your projects.

@scottohara 👋 , thank you for your thoughtful and detailed feedback. Your explanation of the differences between the engines, devEngines, and packageManager fields has been extremely helpful.

Based on community feedback, we started support for devEngines.packageManager and packageManager to address the needs of teams relying on these fields.

We recognize that engines.npm is the officially recommended way to specify the required npm version, and your insights underscore the importance of aligning with community best practices. In response to ongoing feedback and broader requirements, we will plan to add detection for engines.npm in a future update.

Your feedback and suggestions are always appreciated. Thank you!

@mrgrain

mrgrain commented Sep 26, 2025

Copy link
Copy Markdown
  • npm: Caching is now automatically enabled by default if package.json contains a packageManager field set to npm and no explicit cache input is provided.
  • pnpm & yarn: Caching is disabled by default to avoid compatibility issues. Users who wish to enable caching for pnpm or yarn can do so manually via the cache input.

This inconsistency between package managers just seems not worth it to me. 🤷🏻 Together with the concerns raised in #1358 I still suggest to just go back on automatic cache enablement.

@kleinfreund

Copy link
Copy Markdown

@scottohara While I agree that pkg.packageManager is the wrong thing to use to infer whether npm is used (the field doesn't mean anything to npm), I disagree with your analysis on why pkg.devEngines shouldn't be used as part of the inference logic that's being discussed here.

The key phrasing here seems to be "...people interacting with the source code of a project".

❌ devEngines.packageManager would be inappropriate to use in this context, as setup-node does not exactly fit the definition of "...people interacting with the source code of a project"

That is actually what GitHub Actions workflows almost categorically do when we're talking about projects based on Node.js. A workflow typically checks out a GitHub repository (that's what source code means here) to perform some tasks (e.g. run the project's linters or test suite(s)). To optimize for runner storage and workflow execution time, caching node_modules/ and package manager things is useful. And that generally happens in the context of a project's source code. I'm not saying a workflow never npm installs a package that is being published through that repository (in which case you do look at pkg.engines and not pkg.devEngines, but that shouldn't be the common case. In fact, I'd argue that is so rare as to not consider it here.

So, pkg.devEngines is in my opinion definitely the more appropriate field to look at. More reliable still is whether package-lock.json exists next to package.json. pkg.engines is fine as a fallback, but for operations dealing with source code, pkg.devEngines should be considered the correct modern replacement.

setup-node does seem to fit more with the definition of "...capable of properly installing your program".

In that documentation, installing your program refers to running npm install your-program or running npm install on a project that already contains your-program as a dependency. In other words, pkg.engines is about what Node.js version is supported when executing/running the program and as such is checked during installation of it as a dependency in another project.

@alexaka1

Copy link
Copy Markdown

@scottohara

That is not how I interpret the engines field. The details are lost in the fine print.

Unless the user has set the engine-strict config flag, this field is advisory only and will only produce warnings when your package is installed as a dependency.

This field is primarily used for consuming packages. Ie. I distribute a package called foobar on NPM, and anyone who wants to install it must conform to MY engines property. I can give suggestions to downstream consumers on what version of node my package runs on. I have never seen this used for standardizing tool version in a dev team. This has always been used as a lower and upper bound for packages. But this hasn't been too relevant since TypeScript went viral.

packageManager is a Corepack feature. To me, this is the standardized tool versioning property. It can define the package manager version and automatically install if it is not installed.

devEngines was supposed to be the replacement for Corepack after Node decided to kill it.

So if you're gonna look at any property, it should be devEngines as that is what is supposed to control tools versioning (such as in CI). engines should NOT be used at all.

@Julusian

Julusian commented Sep 26, 2025

Copy link
Copy Markdown

^ Adding some examples to this, in most of my yarn based projects, the engines is either not set or only includes node version ranges.

The only one of the 3 properties that is set is packageManager, but as that is a corepack property, once/if yarn makes their own entrypoint for yarn, I would expect to see that property disappear. Maybe they will use devEngines instead, or maybe they will add something to their .yarnrc.yml file.
So to be futureproof, any deetection should not be trying to rule out other package managers and assuming npm, but instead confirm that the project is npm

I also have an unusual case to consider, in one project I have:

"engines": {
    "npm": "please-use-yarn",
    "yarn": "^4.5",
    "node": ">=22.19.0 <23"
  },

because inexperienced users kept not reading the docs and trying to use npm then ask for help with the confusing output. It wouldnt be terrible if this was misclassified, but it would be nice to not have to fight the action on this

@kachkaev

kachkaev commented Sep 26, 2025

Copy link
Copy Markdown

This improvement will be included in the upcoming v5 patch release.
from #1374 (comment)

Please release it as a new major (v6). See #1374 (comment) for details.

@scottohara

Copy link
Copy Markdown

This inconsistency between package managers just seems not worth it to me. 🤷🏻 Together with the concerns raised in #1358 I still suggest to just go back on automatic cache enablement.

Given the general disagreement above on the purpose and intent of the various different fields and ways a package manager might be specified (by the author) or inferred (by this action), I tend to agree that this seems to be causing more issues than it solves.

Unless automatic cache enablement could be made to work flawlessly with any package manager, and without requiring specific fields in the manifest, then a return to manual cache enablement seems like the best path forward here (that is, return to v4 behaviour).

@MikeMcC399

Copy link
Copy Markdown
Contributor

@priyagupta108 / @scottohara

Unless automatic cache enablement could be made to work flawlessly with any package manager, and without requiring specific fields in the manifest, then a return to manual cache enablement seems like the best path forward here (that is, return to v4 behaviour).

Perhaps this needs to be a separate issue / proposal? It seems that this PR is going ahead with enabling caching for npm by default, despite the arguments against this.

Comment thread README.md Outdated
@futursolo

Copy link
Copy Markdown

In my opinion, since both yarn and pnpm essentially recommend corepack as the recommended way to install them,
it would make sense to simply honour the packageManager field via corepack even after Node 25 removes it by default.

This is regardless of whether caching behaviour is automatic or manual.

The last couple comments in #1357 summarised this issue quite well.

Without built in corepack support (or package manager versioning support), workflows with yarn / pnpm basically becomes:

setup-node -> corepack / manually install package manager -> setup-node (cache)

This is a highly undesirable approach for anyone using yarn or pnpm.
Hence, setup-node should manage this internally if it tries to interact with yarn or pnpm.

As for how to check what package manager is used, the action can simply let corepack decide what is the package manager with corepack install.

If the caching is manual, then package managers is already specified and this action can simply call corepack yarn/pnpm.

renovate Bot added a commit to andrei-picus-tink/auto-renovate that referenced this pull request Apr 30, 2026
| datasource  | package            | from   | to     |
| ----------- | ------------------ | ------ | ------ |
| github-tags | actions/setup-node | v4.0.3 | v6.4.0 |


## [vv6.4.0](actions/setup-node@v6.3.0...v6.4.0)



## [vv6.3.0](https://github.com/actions/setup-node/releases/tag/v6.3.0)

#### What's Changed

##### Enhancements:

- Support parsing `devEngines` field by [@susnux](https://github.com/susnux) in [#1283](actions/setup-node#1283)

> When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

##### Dependency updates:

- Fix npm audit issues by [@gowridurgad](https://github.com/gowridurgad) in [#1491](actions/setup-node#1491)
- Replace uuid with crypto.randomUUID() by [@trivikr](https://github.com/trivikr) in [#1378](actions/setup-node#1378)
- Upgrade minimatch from 3.1.2 to 3.1.5 by [@dependabot](https://github.com/dependabot) in [#1498](actions/setup-node#1498)

##### Bug fixes:

- Remove hardcoded bearer for mirror-url [@marco-ippolito](https://github.com/marco-ippolito) in [#1467](actions/setup-node#1467)
- Scope test lockfiles by package manager and update cache tests by [@gowridurgad](https://github.com/gowridurgad) in [#1495](actions/setup-node#1495)

#### New Contributors

- [@susnux](https://github.com/susnux) made their first contribution in [#1283](actions/setup-node#1283)

**Full Changelog**: <actions/setup-node@v6...v6.3.0>


## [vv6.2.0](actions/setup-node@v6.1.0...v6.2.0)



## [vv6.1.0](https://github.com/actions/setup-node/releases/tag/v6.1.0)

#### What's Changed

##### Enhancement:

- Remove always-auth configuration handling by [@priyagupta108](https://github.com/priyagupta108) in [#1436](actions/setup-node#1436)

##### Dependency updates:

- Upgrade [@actions/cache](https://github.com/actions/cache) from 4.0.3 to 4.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1384](actions/setup-node#1384)
- Upgrade actions/checkout from 5 to 6 by [@dependabot](https://github.com/dependabot)\[bot] in [#1439](actions/setup-node#1439)
- Upgrade js-yaml from 3.14.1 to 3.14.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#1435](actions/setup-node#1435)

##### Documentation update:

- Add example for restore-only cache in documentation by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in [#1419](actions/setup-node#1419)

**Full Changelog**: <actions/setup-node@v6...v6.1.0>


## [vv6.0.0](https://github.com/actions/setup-node/releases/tag/v6.0.0)

##### What's Changed

**Breaking Changes**

- Limit automatic caching to npm, update workflows and documentation by [@priyagupta108](https://github.com/priyagupta108) in [#1374](actions/setup-node#1374)

**Dependency Upgrades**

- Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by [@dependabot](https://github.com/dependabot)\[bot] in [#1336](actions/setup-node#1336)
- Upgrade prettier from 2.8.8 to 3.6.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#1334](actions/setup-node#1334)
- Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1362](actions/setup-node#1362)

**Full Changelog**: <actions/setup-node@v5...v6.0.0>


## [vv6](actions/setup-node@v5...v6)



## [vv5](actions/setup-node@v4...v5)



## [vv5.0.0](https://github.com/actions/setup-node/releases/tag/v5.0.0)

##### What's Changed

##### Breaking Changes

- Enhance caching in setup-node with automatic package manager detection by [@priya-kinthali](https://github.com/priya-kinthali) in [#1348](actions/setup-node#1348)

This update, introduces automatic caching when a valid `packageManager` field is present in your `package.json`. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set `package-manager-cache: false`

```yaml
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
```

- Upgrade action to use node24 by [@salmanmkc](https://github.com/salmanmkc) in [#1325](actions/setup-node#1325)

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)

##### Dependency Upgrades

- Upgrade [@octokit/request-error](https://github.com/octokit/request-error) and [@actions/github](https://github.com/actions/github) by [@dependabot](https://github.com/dependabot)\[bot] in [#1227](actions/setup-node#1227)
- Upgrade uuid from 9.0.1 to 11.1.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1273](actions/setup-node#1273)
- Upgrade undici from 5.28.5 to 5.29.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1295](actions/setup-node#1295)
- Upgrade form-data to bring in fix for critical vulnerability by [@gowridurgad](https://github.com/gowridurgad) in [#1332](actions/setup-node#1332)
- Upgrade actions/checkout from 4 to 5 by [@dependabot](https://github.com/dependabot)\[bot] in [#1345](actions/setup-node#1345)

##### New Contributors

- [@priya-kinthali](https://github.com/priya-kinthali) made their first contribution in [#1348](actions/setup-node#1348)
- [@salmanmkc](https://github.com/salmanmkc) made their first contribution in [#1325](actions/setup-node#1325)

**Full Changelog**: <actions/setup-node@v4...v5.0.0>


## [vv4.4.0](https://github.com/actions/setup-node/releases/tag/v4.4.0)

##### What's Changed

##### Bug fixes:

- Make eslint-compact matcher compatible with Stylelint by [@FloEdelmann](https://github.com/FloEdelmann) in [#98](actions/setup-node#98)
- Add support for indented eslint output by [@fregante](https://github.com/fregante) in [#1245](actions/setup-node#1245)

##### Enhancement:

- Support private mirrors by [@marco-ippolito](https://github.com/marco-ippolito) in [#1240](actions/setup-node#1240)

##### Dependency update:

- Upgrade [@action/cache](https://github.com/action/cache) from 4.0.2 to 4.0.3 by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in [#1262](actions/setup-node#1262)

##### New Contributors

- [@FloEdelmann](https://github.com/FloEdelmann) made their first contribution in [#98](actions/setup-node#98)
- [@fregante](https://github.com/fregante) made their first contribution in [#1245](actions/setup-node#1245)
- [@marco-ippolito](https://github.com/marco-ippolito) made their first contribution in [#1240](actions/setup-node#1240)

**Full Changelog**: <actions/setup-node@v4...v4.4.0>


## [vv4.3.0](https://github.com/actions/setup-node/releases/tag/v4.3.0)

##### What's Changed

##### Dependency updates

- Upgrade [@actions/glob](https://github.com/actions/glob) from 0.4.0 to 0.5.0 by [@dependabot](https://github.com/dependabot) in [#1200](actions/setup-node#1200)
- Upgrade [@action/cache](https://github.com/action/cache) from 4.0.0 to 4.0.2 by [@gowridurgad](https://github.com/gowridurgad) in [#1251](actions/setup-node#1251)
- Upgrade [@vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@dependabot](https://github.com/dependabot) in [#1203](actions/setup-node#1203)
- Upgrade [@actions/tool-cache](https://github.com/actions/tool-cache) from 2.0.1 to 2.0.2 by [@dependabot](https://github.com/dependabot) in [#1220](actions/setup-node#1220)

##### New Contributors

- [@gowridurgad](https://github.com/gowridurgad) made their first contribution in [#1251](actions/setup-node#1251)

**Full Changelog**: <actions/setup-node@v4...v4.3.0>


## [vv4.2.0](https://github.com/actions/setup-node/releases/tag/v4.2.0)

##### What's Changed

- Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in [#1174](actions/setup-node#1174)
- Add recommended permissions section to readme by [@benwells](https://github.com/benwells) in [#1193](actions/setup-node#1193)
- Configure Dependabot settings by [@HarithaVattikuti](https://github.com/HarithaVattikuti) in [#1192](actions/setup-node#1192)
- Upgrade `@actions/cache` to `^4.0.0` by [@priyagupta108](https://github.com/priyagupta108) in [#1191](actions/setup-node#1191)
- Upgrade pnpm/action-setup from 2 to 4 by [@dependabot](https://github.com/dependabot) in [#1194](actions/setup-node#1194)
- Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by [@dependabot](https://github.com/dependabot) in [#1195](actions/setup-node#1195)
- Upgrade semver from 7.6.0 to 7.6.3 by [@dependabot](https://github.com/dependabot) in [#1196](actions/setup-node#1196)
- Upgrade [@types/jest](https://github.com/types/jest) from 29.5.12 to 29.5.14 by [@dependabot](https://github.com/dependabot) in [#1201](actions/setup-node#1201)
- Upgrade undici from 5.28.4 to 5.28.5 by [@dependabot](https://github.com/dependabot) in [#1205](actions/setup-node#1205)

##### New Contributors

- [@benwells](https://github.com/benwells) made their first contribution in [#1193](actions/setup-node#1193)

**Full Changelog**: <actions/setup-node@v4...v4.2.0>


## [vv4.1.0](https://github.com/actions/setup-node/releases/tag/v4.1.0)

##### What's Changed

- Resolve High Security Alerts by upgrading Dependencies by [@aparnajyothi-y](https://github.com/aparnajyothi-y) in [#1132](actions/setup-node#1132)
- Upgrade IA Publish by [@Jcambass](https://github.com/Jcambass) in [#1134](actions/setup-node#1134)
- Revise `isGhes` logic by [@jww3](https://github.com/jww3) in [#1148](actions/setup-node#1148)
- Add architecture to cache key by [@pengx17](https://github.com/pengx17) in [#843](actions/setup-node#843)
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.

##### New Contributors

- [@jww3](https://github.com/jww3) made their first contribution in [#1148](actions/setup-node#1148)
- [@pengx17](https://github.com/pengx17) made their first contribution in [#843](actions/setup-node#843)

**Full Changelog**: <actions/setup-node@v4...v4.1.0>


## [vv4.0.4](https://github.com/actions/setup-node/releases/tag/v4.0.4)

##### What's Changed

- Add workflow file for publishing releases to immutable action package by [@Jcambass](https://github.com/Jcambass) in [#1125](actions/setup-node#1125)
- Enhance Windows ARM64 Setup and Update micromatch Dependency by [@priyagupta108](https://github.com/priyagupta108) in [#1126](actions/setup-node#1126)

##### Documentation changes:

- Documentation update in the README file by [@suyashgaonkar](https://github.com/suyashgaonkar) in [#1106](actions/setup-node#1106)
- Correct invalid 'lts' version string reference by [@fulldecent](https://github.com/fulldecent) in [#1124](actions/setup-node#1124)

##### New Contributors

- [@suyashgaonkar](https://github.com/suyashgaonkar) made their first contribution in [#1106](actions/setup-node#1106)
- [@priyagupta108](https://github.com/priyagupta108) made their first contribution in [#1126](actions/setup-node#1126)
- [@Jcambass](https://github.com/Jcambass) made their first contribution in [#1125](actions/setup-node#1125)
- [@fulldecent](https://github.com/fulldecent) made their first contribution in [#1124](actions/setup-node#1124)

**Full Changelog**: <actions/setup-node@v4...v4.0.4>
mohandast52 added a commit to valory-xyz/autonolas-subgraph-studio that referenced this pull request May 8, 2026
…both workflows

Addresses two new line-level review comments on PR #119 from @Tanya-atatakai:

1. test.yaml:61 / deploy-subgraph.yaml:46,141 — pinned to v5.0.1 SHA which
   was latest stable at PR open but is now 4 months stale. Bumped to
   v6.0.2 (released 2026-01-09).

   actions/setup-node@v5.0.0 was likewise stale (8 months); bumped to
   v6.4.0 (released 2026-04-20). My original PR rationale for staying on
   v5 ("setup-node v6 limited automatic caching to npm") was wrong on
   re-read of actions/setup-node#1374: v6 only changed the default for
   pnpm/yarn (auto OFF unless explicitly enabled). Our workflow already
   sets `cache: yarn` explicitly in `with:`, so the explicit caching path
   is unaffected by the v6 default change.

   SHAs cross-verified via two GitHub API endpoints (refs/tags + commits):
   - actions/checkout@de0fac2  # v6.0.2
   - actions/setup-node@48b55a0  # v6.4.0

2. deploy-subgraph.yaml:146 — Node 20 was an interim alignment to match
   test.yaml after the previous review. Tanya clarified that infra runs
   on Node 24 and asked for both workflows to align on 24, not 20.
   Bumped both to "24".

Local Node 24 smoke test (Node v24.4.1) across the three subgraph
patterns covered by CI:

  - legacy-mech-fees (single-network):       15/15 tests passed
  - subgraphs/predict/predict-omen (nested): 19/19 tests passed
  - subgraphs/staking (template + symlink):  18/18 tests passed
                                  total:     52/52 tests passed

Each ran the full sequence `yarn install --frozen-lockfile`, `yarn graph
codegen`, `yarn graph build` (where applicable), and `yarn graph test` —
the same steps CI exercises. graph-cli, matchstick-as, and the AssemblyScript
toolchain are all happy on Node 24.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mohandast52 added a commit to valory-xyz/autonolas-subgraph-studio that referenced this pull request May 8, 2026
* Refactor code structure for improved readability and maintainability

* chore: clean up empty code change sections in the changes log

* chore(ci): address PR #119 review — env-var inputs, regex tightening, node alignment

Addresses three items from Tanya's PR review on deploy-subgraph.yaml:

1. Node version mismatch (test.yaml=20 vs deploy-subgraph.yaml=24) was a
   pre-existing condition on main. Aligned deploy to "20" so CI exercises
   the same Node version that production uses. PR3 normalizes both to
   22.18.0 via .nvmrc.

2. Defense-in-depth: every run: block that previously interpolated
   \${{ inputs.X }} or \${{ secrets.SUBGRAPH_STUDIO_KEY }} into the
   rendered shell script source now binds the value via env: and
   references it as "\$VAR". Covers plan summary, all four regex
   validators, both folder/manifest existence checks, auth, codegen,
   build, deploy, and post-deploy summary. The regex gates remain the
   primary protection, but a future input added without a regex no
   longer regresses the safety property.

3. Folder regex tightened: second segment must now start with [a-z0-9]
   (rejects predict/-foo, predict/_foo). All 12 subgraph paths in the
   CI matrix still match.

Local verification:
- python3 yaml.safe_load parses the workflow cleanly.
- 32/32 regex cases (legitimate inputs + shell-injection attempts)
  behave as expected against version, folder, name, and manifest
  patterns.
- All 12 paths in test.yaml's matrix accepted by the new folder regex.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(ci): bump actions to v6.0.2 / v6.4.0 + align Node to 24 across both workflows

Addresses two new line-level review comments on PR #119 from @Tanya-atatakai:

1. test.yaml:61 / deploy-subgraph.yaml:46,141 — pinned to v5.0.1 SHA which
   was latest stable at PR open but is now 4 months stale. Bumped to
   v6.0.2 (released 2026-01-09).

   actions/setup-node@v5.0.0 was likewise stale (8 months); bumped to
   v6.4.0 (released 2026-04-20). My original PR rationale for staying on
   v5 ("setup-node v6 limited automatic caching to npm") was wrong on
   re-read of actions/setup-node#1374: v6 only changed the default for
   pnpm/yarn (auto OFF unless explicitly enabled). Our workflow already
   sets `cache: yarn` explicitly in `with:`, so the explicit caching path
   is unaffected by the v6 default change.

   SHAs cross-verified via two GitHub API endpoints (refs/tags + commits):
   - actions/checkout@de0fac2  # v6.0.2
   - actions/setup-node@48b55a0  # v6.4.0

2. deploy-subgraph.yaml:146 — Node 20 was an interim alignment to match
   test.yaml after the previous review. Tanya clarified that infra runs
   on Node 24 and asked for both workflows to align on 24, not 20.
   Bumped both to "24".

Local Node 24 smoke test (Node v24.4.1) across the three subgraph
patterns covered by CI:

  - legacy-mech-fees (single-network):       15/15 tests passed
  - subgraphs/predict/predict-omen (nested): 19/19 tests passed
  - subgraphs/staking (template + symlink):  18/18 tests passed
                                  total:     52/52 tests passed

Each ran the full sequence `yarn install --frozen-lockfile`, `yarn graph
codegen`, `yarn graph build` (where applicable), and `yarn graph test` —
the same steps CI exercises. graph-cli, matchstick-as, and the AssemblyScript
toolchain are all happy on Node 24.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mergify Bot added a commit to robfrank/amphora that referenced this pull request May 21, 2026
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
Release notes

*Sourced from [actions/setup-node's releases](https://github.com/actions/setup-node/releases).*

> v6.0.0
> ------
>
> What's Changed
> --------------
>
> **Breaking Changes**
>
> * Limit automatic caching to npm, update workflows and documentation by [`@​priyagupta108`](https://github.com/priyagupta108) in [actions/setup-node#1374](https://redirect.github.com/actions/setup-node/pull/1374)
>
> **Dependency Upgrades**
>
> * Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by [`@​dependabot`](https://github.com/dependabot)[bot] in [#1336](https://redirect.github.com/actions/setup-node/pull/1336)
> * Upgrade prettier from 2.8.8 to 3.6.2 by [`@​dependabot`](https://github.com/dependabot)[bot] in [#1334](https://redirect.github.com/actions/setup-node/pull/1334)
> * Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [`@​dependabot`](https://github.com/dependabot)[bot] in [#1362](https://redirect.github.com/actions/setup-node/pull/1362)
>
> **Full Changelog**: <actions/setup-node@v5...v6.0.0>
>
> v5.0.0
> ------
>
> What's Changed
> --------------
>
> ### Breaking Changes
>
> * Enhance caching in setup-node with automatic package manager detection by [`@​priya-kinthali`](https://github.com/priya-kinthali) in [actions/setup-node#1348](https://redirect.github.com/actions/setup-node/pull/1348)
>
> This update, introduces automatic caching when a valid `packageManager` field is present in your `package.json`. This aims to improve workflow performance and make dependency management more seamless.
> To disable this automatic caching, set `package-manager-cache: false`
>
> ```
> steps:
> - uses: actions/checkout@v5
> - uses: actions/setup-node@v5
>   with:
>     package-manager-cache: false
> ```
>
> * Upgrade action to use node24 by [`@​salmanmkc`](https://github.com/salmanmkc) in [actions/setup-node#1325](https://redirect.github.com/actions/setup-node/pull/1325)
>
> Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)
>
> ### Dependency Upgrades
>
> * Upgrade `@​octokit/request-error` and `@​actions/github` by [`@​dependabot`](https://github.com/dependabot)[bot] in [actions/setup-node#1227](https://redirect.github.com/actions/setup-node/pull/1227)
> * Upgrade uuid from 9.0.1 to 11.1.0 by [`@​dependabot`](https://github.com/dependabot)[bot] in [actions/setup-node#1273](https://redirect.github.com/actions/setup-node/pull/1273)
> * Upgrade undici from 5.28.5 to 5.29.0 by [`@​dependabot`](https://github.com/dependabot)[bot] in [actions/setup-node#1295](https://redirect.github.com/actions/setup-node/pull/1295)
> * Upgrade form-data to bring in fix for critical vulnerability by [`@​gowridurgad`](https://github.com/gowridurgad) in [actions/setup-node#1332](https://redirect.github.com/actions/setup-node/pull/1332)
> * Upgrade actions/checkout from 4 to 5 by [`@​dependabot`](https://github.com/dependabot)[bot] in [actions/setup-node#1345](https://redirect.github.com/actions/setup-node/pull/1345)
>
> New Contributors
> ----------------
>
> * [`@​priya-kinthali`](https://github.com/priya-kinthali) made their first contribution in [actions/setup-node#1348](https://redirect.github.com/actions/setup-node/pull/1348)
> * [`@​salmanmkc`](https://github.com/salmanmkc) made their first contribution in [actions/setup-node#1325](https://redirect.github.com/actions/setup-node/pull/1325)
>
> **Full Changelog**: <actions/setup-node@v4...v5.0.0>
>
> v4.4.0
> ------

... (truncated)


Commits

* [`53b8394`](actions/setup-node@53b8394) Bump minimatch from 3.1.2 to 3.1.5 ([#1498](https://redirect.github.com/actions/setup-node/issues/1498))
* [`54045ab`](actions/setup-node@54045ab) Scope test lockfiles by package manager and update cache tests ([#1495](https://redirect.github.com/actions/setup-node/issues/1495))
* [`c882bff`](actions/setup-node@c882bff) Replace uuid with crypto.randomUUID() ([#1378](https://redirect.github.com/actions/setup-node/issues/1378))
* [`774c1d6`](actions/setup-node@774c1d6) feat(node-version-file): support parsing `devEngines` field ([#1283](https://redirect.github.com/actions/setup-node/issues/1283))
* [`efcb663`](actions/setup-node@efcb663) fix: remove hardcoded bearer ([#1467](https://redirect.github.com/actions/setup-node/issues/1467))
* [`d02c89d`](actions/setup-node@d02c89d) Fix npm audit issues ([#1491](https://redirect.github.com/actions/setup-node/issues/1491))
* [`6044e13`](actions/setup-node@6044e13) Docs: bump actions/checkout from v5 to v6 ([#1468](https://redirect.github.com/actions/setup-node/issues/1468))
* [`8e49463`](actions/setup-node@8e49463) Fix README typo ([#1226](https://redirect.github.com/actions/setup-node/issues/1226))
* [`621ac41`](actions/setup-node@621ac41) README.md: bump to latest released checkout version v6 ([#1446](https://redirect.github.com/actions/setup-node/issues/1446))
* [`2951748`](actions/setup-node@2951748) Bump `@​actions/cache` to v5.0.1 ([#1449](https://redirect.github.com/actions/setup-node/issues/1449))
* Additional commits viewable in [compare view](actions/setup-node@v4...v6)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=actions/setup-node&package-manager=github\_actions&previous-version=4&new-version=6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
chhe pushed a commit to chhe/act_runner that referenced this pull request May 22, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action | major | `v4` → `v6` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v6.4.0`](https://github.com/actions/setup-node/releases/tag/v6.4.0)

[Compare Source](actions/setup-node@v6.3.0...v6.4.0)

#### What's Changed

##### Dependency updates:

- Upgrade [@&#8203;actions](https://github.com/actions) dependencies by [@&#8203;Copilot](https://github.com/Copilot) in [#&#8203;1525](actions/setup-node#1525)
- Update Node.js versions in versions.yml and bump package to v6.4.0  by [@&#8203;priya-kinthali](https://github.com/priya-kinthali) in [#&#8203;1533](actions/setup-node#1533)

#### New Contributors

- [@&#8203;Copilot](https://github.com/Copilot) made their first contribution in [#&#8203;1525](actions/setup-node#1525)

**Full Changelog**: <actions/setup-node@v6...v6.4.0>

### [`v6.3.0`](https://github.com/actions/setup-node/releases/tag/v6.3.0)

[Compare Source](actions/setup-node@v6.2.0...v6.3.0)

#### What's Changed

##### Enhancements:

- Support parsing `devEngines` field by [@&#8203;susnux](https://github.com/susnux) in [#&#8203;1283](actions/setup-node#1283)

> When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

##### Dependency updates:

- Fix npm audit issues by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1491](actions/setup-node#1491)
- Replace uuid with crypto.randomUUID() by [@&#8203;trivikr](https://github.com/trivikr) in [#&#8203;1378](actions/setup-node#1378)
- Upgrade minimatch from 3.1.2 to 3.1.5 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1498](actions/setup-node#1498)

##### Bug fixes:

- Remove hardcoded bearer for mirror-url [@&#8203;marco-ippolito](https://github.com/marco-ippolito) in [#&#8203;1467](actions/setup-node#1467)
- Scope test lockfiles by package manager and update cache tests by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1495](actions/setup-node#1495)

#### New Contributors

- [@&#8203;susnux](https://github.com/susnux) made their first contribution in [#&#8203;1283](actions/setup-node#1283)

**Full Changelog**: <actions/setup-node@v6...v6.3.0>

### [`v6.2.0`](https://github.com/actions/setup-node/releases/tag/v6.2.0)

[Compare Source](actions/setup-node@v6.1.0...v6.2.0)

#### What's Changed

##### Documentation

- Documentation update related to absence of Lockfile by [@&#8203;mahabaleshwars](https://github.com/mahabaleshwars) in [#&#8203;1454](actions/setup-node#1454)
- Correct mirror option typos by [@&#8203;MikeMcC399](https://github.com/MikeMcC399) in [#&#8203;1442](actions/setup-node#1442)
- Readme update on checkout version v6 by [@&#8203;deining](https://github.com/deining) in [#&#8203;1446](actions/setup-node#1446)
- Readme typo fixes [@&#8203;munyari](https://github.com/munyari) in [#&#8203;1226](actions/setup-node#1226)
- Advanced document update on checkout version v6 by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y)  in [#&#8203;1468](actions/setup-node#1468)

##### Dependency updates:

- Upgrade [@&#8203;actions/cache](https://github.com/actions/cache) to v5.0.1 by [@&#8203;salmanmkc](https://github.com/salmanmkc) in [#&#8203;1449](actions/setup-node#1449)

#### New Contributors

- [@&#8203;mahabaleshwars](https://github.com/mahabaleshwars) made their first contribution in [#&#8203;1454](actions/setup-node#1454)
- [@&#8203;MikeMcC399](https://github.com/MikeMcC399) made their first contribution in [#&#8203;1442](actions/setup-node#1442)
- [@&#8203;deining](https://github.com/deining) made their first contribution in [#&#8203;1446](actions/setup-node#1446)
- [@&#8203;munyari](https://github.com/munyari) made their first contribution in [#&#8203;1226](actions/setup-node#1226)

**Full Changelog**: <actions/setup-node@v6...v6.2.0>

### [`v6.1.0`](https://github.com/actions/setup-node/releases/tag/v6.1.0)

[Compare Source](actions/setup-node@v6...v6.1.0)

#### What's Changed

##### Enhancement:

- Remove always-auth configuration handling by [@&#8203;priyagupta108](https://github.com/priyagupta108) in [#&#8203;1436](actions/setup-node#1436)

##### Dependency updates:

- Upgrade [@&#8203;actions/cache](https://github.com/actions/cache) from 4.0.3 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1384](actions/setup-node#1384)
- Upgrade actions/checkout from 5 to 6 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1439](actions/setup-node#1439)
- Upgrade js-yaml from 3.14.1 to 3.14.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1435](actions/setup-node#1435)

##### Documentation update:

- Add example for restore-only cache in documentation by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) in [#&#8203;1419](actions/setup-node#1419)

**Full Changelog**: <actions/setup-node@v6...v6.1.0>

### [`v6.0.0`](https://github.com/actions/setup-node/releases/tag/v6.0.0)

[Compare Source](actions/setup-node@v6...v6)

#### What's Changed

**Breaking Changes**

- Limit automatic caching to npm, update workflows and documentation by [@&#8203;priyagupta108](https://github.com/priyagupta108) in [#&#8203;1374](actions/setup-node#1374)

**Dependency Upgrades**

- Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1336](actions/setup-node#1336)
- Upgrade prettier from 2.8.8 to 3.6.2 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1334](actions/setup-node#1334)
- Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1362](actions/setup-node#1362)

**Full Changelog**: <actions/setup-node@v5...v6.0.0>

### [`v6`](actions/setup-node@v5.0.0...v6)

[Compare Source](actions/setup-node@v5.0.0...v6)

### [`v5.0.0`](https://github.com/actions/setup-node/releases/tag/v5.0.0)

[Compare Source](actions/setup-node@v5.0.0...v5.0.0)

#### What's Changed

##### Breaking Changes

- Enhance caching in setup-node with automatic package manager detection by [@&#8203;priya-kinthali](https://github.com/priya-kinthali) in [#&#8203;1348](actions/setup-node#1348)

This update, introduces automatic caching when a valid `packageManager` field is present in your `package.json`. This aims to improve workflow performance and make dependency management more seamless.
To disable this automatic caching, set `package-manager-cache: false`

```yaml
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false
```

- Upgrade action to use node24 by [@&#8203;salmanmkc](https://github.com/salmanmkc) in [#&#8203;1325](actions/setup-node#1325)

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. [See Release Notes](https://github.com/actions/runner/releases/tag/v2.327.1)

##### Dependency Upgrades

- Upgrade [@&#8203;octokit/request-error](https://github.com/octokit/request-error) and [@&#8203;actions/github](https://github.com/actions/github) by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1227](actions/setup-node#1227)
- Upgrade uuid from 9.0.1 to 11.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1273](actions/setup-node#1273)
- Upgrade undici from 5.28.5 to 5.29.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1295](actions/setup-node#1295)
- Upgrade form-data to bring in fix for critical vulnerability by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1332](actions/setup-node#1332)
- Upgrade actions/checkout from 4 to 5 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;1345](actions/setup-node#1345)

#### New Contributors

- [@&#8203;priya-kinthali](https://github.com/priya-kinthali) made their first contribution in [#&#8203;1348](actions/setup-node#1348)
- [@&#8203;salmanmkc](https://github.com/salmanmkc) made their first contribution in [#&#8203;1325](actions/setup-node#1325)

**Full Changelog**: <actions/setup-node@v4...v5.0.0>

### [`v5`](actions/setup-node@v4.4.0...v5.0.0)

[Compare Source](actions/setup-node@v4.4.0...v5.0.0)

### [`v4.4.0`](https://github.com/actions/setup-node/releases/tag/v4.4.0)

[Compare Source](actions/setup-node@v4.3.0...v4.4.0)

#### What's Changed

##### Bug fixes:

- Make eslint-compact matcher compatible with Stylelint by [@&#8203;FloEdelmann](https://github.com/FloEdelmann) in [#&#8203;98](actions/setup-node#98)
- Add support for indented eslint output by [@&#8203;fregante](https://github.com/fregante) in [#&#8203;1245](actions/setup-node#1245)

##### Enhancement:

- Support private mirrors by [@&#8203;marco-ippolito](https://github.com/marco-ippolito) in [#&#8203;1240](actions/setup-node#1240)

##### Dependency update:

- Upgrade [@&#8203;action/cache](https://github.com/action/cache) from 4.0.2 to 4.0.3 by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) in [#&#8203;1262](actions/setup-node#1262)

#### New Contributors

- [@&#8203;FloEdelmann](https://github.com/FloEdelmann) made their first contribution in [#&#8203;98](actions/setup-node#98)
- [@&#8203;fregante](https://github.com/fregante) made their first contribution in [#&#8203;1245](actions/setup-node#1245)
- [@&#8203;marco-ippolito](https://github.com/marco-ippolito) made their first contribution in [#&#8203;1240](actions/setup-node#1240)

**Full Changelog**: <actions/setup-node@v4...v4.4.0>

### [`v4.3.0`](https://github.com/actions/setup-node/releases/tag/v4.3.0)

[Compare Source](actions/setup-node@v4.2.0...v4.3.0)

#### What's Changed

##### Dependency updates

- Upgrade [@&#8203;actions/glob](https://github.com/actions/glob) from 0.4.0 to 0.5.0 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1200](actions/setup-node#1200)
- Upgrade [@&#8203;action/cache](https://github.com/action/cache) from 4.0.0 to 4.0.2 by [@&#8203;gowridurgad](https://github.com/gowridurgad) in [#&#8203;1251](actions/setup-node#1251)
- Upgrade [@&#8203;vercel/ncc](https://github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1203](actions/setup-node#1203)
- Upgrade [@&#8203;actions/tool-cache](https://github.com/actions/tool-cache) from 2.0.1 to 2.0.2 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1220](actions/setup-node#1220)

#### New Contributors

- [@&#8203;gowridurgad](https://github.com/gowridurgad) made their first contribution in [#&#8203;1251](actions/setup-node#1251)

**Full Changelog**: <actions/setup-node@v4...v4.3.0>

### [`v4.2.0`](https://github.com/actions/setup-node/releases/tag/v4.2.0)

[Compare Source](actions/setup-node@v4.1.0...v4.2.0)

#### What's Changed

- Enhance workflows and upgrade publish-actions from 0.2.2 to 0.3.0 by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) in [#&#8203;1174](actions/setup-node#1174)
- Add recommended permissions section to readme by [@&#8203;benwells](https://github.com/benwells) in [#&#8203;1193](actions/setup-node#1193)
- Configure Dependabot settings by [@&#8203;HarithaVattikuti](https://github.com/HarithaVattikuti) in [#&#8203;1192](actions/setup-node#1192)
- Upgrade `@actions/cache` to `^4.0.0` by [@&#8203;priyagupta108](https://github.com/priyagupta108) in [#&#8203;1191](actions/setup-node#1191)
- Upgrade pnpm/action-setup from 2 to 4 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1194](actions/setup-node#1194)
- Upgrade actions/publish-immutable-action from 0.0.3 to 0.0.4 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1195](actions/setup-node#1195)
- Upgrade semver from 7.6.0 to 7.6.3 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1196](actions/setup-node#1196)
- Upgrade [@&#8203;types/jest](https://github.com/types/jest) from 29.5.12 to 29.5.14 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1201](actions/setup-node#1201)
- Upgrade undici from 5.28.4 to 5.28.5 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1205](actions/setup-node#1205)

#### New Contributors

- [@&#8203;benwells](https://github.com/benwells) made their first contribution in [#&#8203;1193](actions/setup-node#1193)

**Full Changelog**: <actions/setup-node@v4...v4.2.0>

### [`v4.1.0`](https://github.com/actions/setup-node/releases/tag/v4.1.0)

[Compare Source](actions/setup-node@v4.0.4...v4.1.0)

#### What's Changed

- Resolve High Security Alerts by upgrading Dependencies by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) in [#&#8203;1132](actions/setup-node#1132)
- Upgrade IA Publish by [@&#8203;Jcambass](https://github.com/Jcambass) in [#&#8203;1134](actions/setup-node#1134)
- Revise `isGhes` logic by [@&#8203;jww3](https://github.com/jww3) in [#&#8203;1148](actions/setup-node#1148)
- Add architecture to cache key by [@&#8203;pengx17](https://github.com/pengx17) in [#&#8203;843](actions/setup-node#843)
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.

#### New Contributors

- [@&#8203;jww3](https://github.com/jww3) made their first contribution in [#&#8203;1148](actions/setup-node#1148)
- [@&#8203;pengx17](https://github.com/pengx17) made their first contribution in [#&#8203;843](actions/setup-node#843)

**Full Changelog**: <actions/setup-node@v4...v4.1.0>

### [`v4.0.4`](https://github.com/actions/setup-node/releases/tag/v4.0.4)

[Compare Source](actions/setup-node@v4.0.3...v4.0.4)

#### What's Changed

- Add workflow file for publishing releases to immutable action package by [@&#8203;Jcambass](https://github.com/Jcambass) in [#&#8203;1125](actions/setup-node#1125)
- Enhance Windows ARM64 Setup and Update micromatch Dependency by [@&#8203;priyagupta108](https://github.com/priyagupta108) in [#&#8203;1126](actions/setup-node#1126)

##### Documentation changes:

- Documentation update in the README file by [@&#8203;suyashgaonkar](https://github.com/suyashgaonkar) in [#&#8203;1106](actions/setup-node#1106)
- Correct invalid 'lts' version string reference by [@&#8203;fulldecent](https://github.com/fulldecent) in [#&#8203;1124](actions/setup-node#1124)

#### New Contributors

- [@&#8203;suyashgaonkar](https://github.com/suyashgaonkar) made their first contribution in [#&#8203;1106](actions/setup-node#1106)
- [@&#8203;priyagupta108](https://github.com/priyagupta108) made their first contribution in [#&#8203;1126](actions/setup-node#1126)
- [@&#8203;Jcambass](https://github.com/Jcambass) made their first contribution in [#&#8203;1125](actions/setup-node#1125)
- [@&#8203;fulldecent](https://github.com/fulldecent) made their first contribution in [#&#8203;1124](actions/setup-node#1124)

**Full Changelog**: <actions/setup-node@v4...v4.0.4>

### [`v4.0.3`](https://github.com/actions/setup-node/releases/tag/v4.0.3)

[Compare Source](actions/setup-node@v4.0.2...v4.0.3)

#### What's Changed

##### Bug fixes:

- Fix macos latest check failures by [@&#8203;HarithaVattikuti](https://github.com/HarithaVattikuti) in [#&#8203;1041](actions/setup-node#1041)

##### Documentation changes:

- Documentation update to update default Node version to 20 by [@&#8203;bengreeley](https://github.com/bengreeley) in [#&#8203;949](actions/setup-node#949)

##### Dependency  updates:

- Bump undici from 5.26.5 to 5.28.3 by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;965](actions/setup-node#965)
- Bump braces from 3.0.2 to 3.0.3 and other dependency updates by [@&#8203;dependabot](https://github.com/dependabot) in [#&#8203;1087](actions/setup-node#1087)

#### New Contributors

- [@&#8203;bengreeley](https://github.com/bengreeley) made their first contribution in [#&#8203;949](actions/setup-node#949)
- [@&#8203;HarithaVattikuti](https://github.com/HarithaVattikuti) made their first contribution in [#&#8203;1041](actions/setup-node#1041)

**Full Changelog**: <actions/setup-node@v4...v4.0.3>

### [`v4.0.2`](https://github.com/actions/setup-node/releases/tag/v4.0.2)

[Compare Source](actions/setup-node@v4.0.1...v4.0.2)

#### What's Changed

- Add support for `volta.extends` by [@&#8203;ThisIsManta](https://github.com/ThisIsManta) in [#&#8203;921](actions/setup-node#921)
- Add support for arm64 Windows by [@&#8203;dmitry-shibanov](https://github.com/dmitry-shibanov) in [#&#8203;927](actions/setup-node#927)

#### New Contributors

- [@&#8203;ThisIsManta](https://github.com/ThisIsManta) made their first contribution in [#&#8203;921](actions/setup-node#921)

**Full Changelog**: <actions/setup-node@v4.0.1...v4.0.2>

### [`v4.0.1`](https://github.com/actions/setup-node/releases/tag/v4.0.1)

[Compare Source](actions/setup-node@v4...v4.0.1)

#### What's Changed

- Ignore engines in Yarn 1 e2e-cache tests by [@&#8203;trivikr](https://github.com/trivikr) in [#&#8203;882](actions/setup-node#882)
- Update setup-node references in the README.md file to setup-node\@&#8203;v4 by [@&#8203;jwetzell](https://github.com/jwetzell) in [#&#8203;884](actions/setup-node#884)
- Update reusable workflows to use Node.js v20 by [@&#8203;MaksimZhukov](https://github.com/MaksimZhukov) in [#&#8203;889](actions/setup-node#889)
- Add fix for cache to resolve slow post action step by [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) in [#&#8203;917](actions/setup-node#917)
- Fix README.md by [@&#8203;takayamaki](https://github.com/takayamaki) in [#&#8203;898](actions/setup-node#898)
- Add `package.json` to `node-version-file` list of examples. by [@&#8203;TWiStErRob](https://github.com/TWiStErRob) in [#&#8203;879](actions/setup-node#879)
- Fix node-version-file interprets entire package.json as a version by [@&#8203;NullVoxPopuli](https://github.com/NullVoxPopuli) in [#&#8203;865](actions/setup-node#865)

#### New Contributors

- [@&#8203;trivikr](https://github.com/trivikr) made their first contribution in [#&#8203;882](actions/setup-node#882)
- [@&#8203;jwetzell](https://github.com/jwetzell) made their first contribution in [#&#8203;884](actions/setup-node#884)
- [@&#8203;aparnajyothi-y](https://github.com/aparnajyothi-y) made their first contribution in [#&#8203;917](actions/setup-node#917)
- [@&#8203;takayamaki](https://github.com/takayamaki) made their first contribution in [#&#8203;898](actions/setup-node#898)
- [@&#8203;TWiStErRob](https://github.com/TWiStErRob) made their first contribution in [#&#8203;879](actions/setup-node#879)
- [@&#8203;NullVoxPopuli](https://github.com/NullVoxPopuli) made their first contribution in [#&#8203;865](actions/setup-node#865)

**Full Changelog**: <actions/setup-node@v4...v4.0.1>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5MC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: https://gitea.com/gitea/runner/pulls/991
Reviewed-by: silverwind <2021+silverwind@noreply.gitea.com>
Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>
argocd-diff-action-bot Bot pushed a commit to argocd-diff-action/argocd-diff-action that referenced this pull request May 23, 2026
## [0.6.10](0.6.9...0.6.10) (2026-05-23)

### Build & Dependencies

* **deps:** bump actions/setup-node from 4 to 6 ([#186](#186)) ([95e22f8](95e22f8)), closes [actions/setup-node#1374](actions/setup-node#1374) [#1336](https://github.com/argocd-diff-action/argocd-diff-action/issues/1336) [#1334](https://github.com/argocd-diff-action/argocd-diff-action/issues/1334) [#1362](https://github.com/argocd-diff-action/argocd-diff-action/issues/1362) [actions/setup-node#1348](actions/setup-node#1348) [actions/setup-node#1325](actions/setup-node#1325) [actions/setup-node#1227](actions/setup-node#1227) [actions/setup-node#1273](actions/setup-node#1273) [actions/setup-node#1295](actions/setup-node#1295) [actions/setup-node#1332](actions/setup-node#1332) [actions/setup-node#1345](actions/setup-node#1345) [actions/setup-node#1348](actions/setup-node#1348) [actions/setup-node#1325](actions/setup-node#1325) [#1533](https://github.com/argocd-diff-action/argocd-diff-action/issues/1533) [#1525](https://github.com/argocd-diff-action/argocd-diff-action/issues/1525) [#1498](https://github.com/argocd-diff-action/argocd-diff-action/issues/1498) [#1495](https://github.com/argocd-diff-action/argocd-diff-action/issues/1495) [#1378](https://github.com/argocd-diff-action/argocd-diff-action/issues/1378) [#1283](https://github.com/argocd-diff-action/argocd-diff-action/issues/1283) [#1467](https://github.com/argocd-diff-action/argocd-diff-action/issues/1467) [#1491](https://github.com/argocd-diff-action/argocd-diff-action/issues/1491) [#1468](https://github.com/argocd-diff-action/argocd-diff-action/issues/1468) [#1226](https://github.com/argocd-diff-action/argocd-diff-action/issues/1226)

[skip release]
tae898 pushed a commit to humemai/arcadedb-embedded-python that referenced this pull request Jun 28, 2026
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.0.0.
Release notes

*Sourced from [actions/setup-node's releases](https://github.com/actions/setup-node/releases).*

> v6.0.0
> ------
>
> What's Changed
> --------------
>
> **Breaking Changes**
>
> * Limit automatic caching to npm, update workflows and documentation by [`@​priyagupta108`](https://github.com/priyagupta108) in [actions/setup-node#1374](https://redirect.github.com/actions/setup-node/pull/1374)
>
> **Dependency Upgrades**
>
> * Upgrade ts-jest from 29.1.2 to 29.4.1 and document breaking changes in v5 by [`@​dependabot`](https://github.com/dependabot)[bot] in [ArcadeData#1336](https://redirect.github.com/actions/setup-node/pull/1336)
> * Upgrade prettier from 2.8.8 to 3.6.2 by [`@​dependabot`](https://github.com/dependabot)[bot] in [ArcadeData#1334](https://redirect.github.com/actions/setup-node/pull/1334)
> * Upgrade actions/publish-action from 0.3.0 to 0.4.0 by [`@​dependabot`](https://github.com/dependabot)[bot] in [ArcadeData#1362](https://redirect.github.com/actions/setup-node/pull/1362)
>
> **Full Changelog**: <actions/setup-node@v5...v6.0.0>


Commits

* [`2028fbc`](actions/setup-node@2028fbc) Limit automatic caching to npm, update workflows and documentation ([ArcadeData#1374](https://redirect.github.com/actions/setup-node/issues/1374))
* [`1342781`](actions/setup-node@1342781) Bump actions/publish-action from 0.3.0 to 0.4.0 ([ArcadeData#1362](https://redirect.github.com/actions/setup-node/issues/1362))
* [`89d709d`](actions/setup-node@89d709d) Bump prettier from 2.8.8 to 3.6.2 ([ArcadeData#1334](https://redirect.github.com/actions/setup-node/issues/1334))
* [`cd2651c`](actions/setup-node@cd2651c) Bump ts-jest from 29.1.2 to 29.4.1 ([ArcadeData#1336](https://redirect.github.com/actions/setup-node/issues/1336))
* See full diff in [compare view](actions/setup-node@a0853c2...2028fbc)
  
[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility\_score?dependency-name=actions/setup-node&package-manager=github\_actions&previous-version=5.0.0&new-version=6.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
  
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show  ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
cloudURBANE added a commit to cloudURBANE/sCAST that referenced this pull request Jul 10, 2026
* ci: bump actions/setup-node v4 -> v6 (keep pnpm caching)

setup-node v6's breaking change ("Limit automatic caching to npm",
actions/setup-node#1374) only narrows the NO-input auto-detection path so
it auto-enables caching for npm projects. An explicit `cache: pnpm` input is
still honored: v6 src/main.ts passes the input value straight to
restoreCache('pnpm', ...) without overriding it, and the v6 README still lists
pnpm (>=6.10) as a supported cache value.

All three setup-node steps in this repo already set `cache: pnpm` explicitly,
with pnpm/action-setup@v4 running first so the store path resolves. They are
therefore unaffected by the breaking change; only the action version needed to
move. No caching pattern change was required and caching is preserved.

Steps bumped:
- tests.yml (node 22)
- deploy-frontend.yml test job (node 24)
- deploy-frontend.yml deploy job (node 24)

Co-Authored-By: Claude <noreply@anthropic.com>

* build(deps): bump pnpm/action-setup from 4 to 6

Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4 to 6.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@v4...v6)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* test: discover tests by glob so new test files can't be silently skipped

The api-server and scent-cast `test` scripts hand-enumerated every test
file; six api-server tests (including corsOrigins.test.ts, the test for
the CORS allowlist) existed on disk but never ran. Quote the glob so the
runner expands it (same pattern @workspace/db already uses).

Re-including the orphans surfaced one drifted assertion:
orientationEngine.test.ts expected the visible base exactly at
baselineOffset, but the 2px anti-clip bbox margin scales with the bottle
and intentionally seats the base a few px above — the same accepted
drift the "~88% height" test documents. Bound the assertion to that
documented behavior instead of changing live render geometry (which
would bump ORIENTATION_VERSION and invalidate cached packshots).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014cEQ87SG31DEkaacGtGtH6

* ci: lint gate, dependency scanning, Docker build check, Node 22 parity

Production-readiness F2:
- ESLint flat config scoped to api-server runtime sources with two rules
  at error: @typescript-eslint/no-floating-promises (dropped promises in
  handlers/workers are silent failures) and no-console (post-A6 pino
  regression stop). CLI/MCP entrypoints and offline verification scripts
  keep stdout deliberately. Baseline is clean — the gate starts green.
- `pnpm run lint` root script + CI step.
- CI Node 24 → 22 in tests.yml and deploy-frontend.yml to match the
  node:22-bookworm-slim runtime image and the engines field.
- Dependabot (npm weekly grouped minor/patch + github-actions) and a
  report-only `pnpm audit --prod` step; flip to blocking after triage.
- docker-build PR job (push:false, gha layer cache) gated on image-input
  paths, so Dockerfile/lockfile breakage fails at PR time, not deploy.
- PR guard requiring a lib/db/migrations/ file whenever
  lib/db/src/schema/** changes (E1 enforcement half).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014cEQ87SG31DEkaacGtGtH6

* feat(build): stamp SPA builds with VITE_GIT_SHA (web-vitals build tag)

The webVitalsTelemetry build tag lost its source when Vercel's injected
VITE_VERCEL_GIT_COMMIT_SHA went away with the CloudFront cutover; main
already reads VITE_GIT_SHA as the fallback but nothing set it. Inject
github.sha in deploy-frontend.yml builds and accept an optional ARG in
the Dockerfile (empty default keeps Railway builds unchanged).

Adapted from PR #539 (claude/production-critical-impl-odvdqt); its ECR/
App Runner deploy job was NOT carried over — docs/aws-migration/ records
the accepted architecture as S3+CloudFront for the SPA with backends
staying on Railway.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

* build(deps): bump the minor-and-patch group across 1 directory with 48 updates

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.9.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: axios
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-accordion"
  dependency-version: 1.2.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-alert-dialog"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-aspect-ratio"
  dependency-version: 1.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-avatar"
  dependency-version: 1.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-checkbox"
  dependency-version: 1.3.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-collapsible"
  dependency-version: 1.1.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-context-menu"
  dependency-version: 2.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dialog"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dropdown-menu"
  dependency-version: 2.1.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-hover-card"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-menubar"
  dependency-version: 1.1.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-navigation-menu"
  dependency-version: 1.2.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-popover"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-progress"
  dependency-version: 1.1.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-radio-group"
  dependency-version: 1.4.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-scroll-area"
  dependency-version: 1.2.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-select"
  dependency-version: 2.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slider"
  dependency-version: 1.4.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-switch"
  dependency-version: 1.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tabs"
  dependency-version: 1.1.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toast"
  dependency-version: 1.2.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toggle"
  dependency-version: 1.1.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toggle-group"
  dependency-version: 1.1.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-hook-form
  dependency-version: 7.81.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-router-dom
  dependency-version: 7.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/typography"
  dependency-version: 0.5.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: orval
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: pg
  dependency-version: 8.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/pg"
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/pg"
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: drizzle-kit
  dependency-version: 0.31.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@replit/vite-plugin-cartographer"
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: framer-motion
  dependency-version: 12.42.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: adapt to sharp 0.35 types and esbuild 0.28 PWA target

The minor-and-patch group surfaces two breaking changes:

1. sharp 0.35 no longer exposes its namespace via a default import, so
   `sharp.Metadata` fails (TS2503). Import the Metadata type by name in
   adminBottleImageUpload.ts and packshotTrimCore.ts.

2. esbuild 0.28 (pulled in via the tsx/esbuild bumps) now refuses to
   transform the PWA service worker's destructuring for the Safari 14.0
   target — Safari 14.0 has a destructuring bug that 14.1 fixed. Bump the
   scent-cast build target safari14 -> safari14.1 (still es2020 + iOS 14).

Verified: full typecheck + both frontend builds (incl. PWA SW) pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): bump @vitejs/plugin-react from 5.1.4 to 6.0.3

Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.1.4 to 6.0.3.
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

---
updated-dependencies:
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): migrate to vite 8 to satisfy @vitejs/plugin-react 6 peer

plugin-react 6.0.3 imports vite/internal and requires vite ^8.0.0; on
vite 7 the build fails with ERR_PACKAGE_PATH_NOT_EXPORTED. Bump the catalog
vite to ^8.1.4. Verified: scent-cast + mockup-sandbox both build and the
full typecheck passes; @tailwindcss/vite and vite-plugin-pwa already
support vite 8, and tests use node --test (not vite).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps-dev): bump recharts from 2.15.4 to 3.9.2

Bumps [recharts](https://github.com/recharts/recharts) from 2.15.4 to 3.9.2.
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v2.15.4...v3.9.2)

---
updated-dependencies:
- dependency-name: recharts
  dependency-version: 3.9.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(chart): adapt shadcn chart.tsx to recharts v3 API

recharts v3 moved active/payload/label onto TooltipContentProps and legend
payload/verticalAlign onto DefaultLegendContentProps; retype
ChartTooltipContent/ChartLegendContent and coerce the DataKey<any> React key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): bump pino-http from 10.5.0 to 11.0.0

Bumps [pino-http](https://github.com/pinojs/pino-http) from 10.5.0 to 11.0.0.
- [Release notes](https://github.com/pinojs/pino-http/releases)
- [Commits](pinojs/pino-http@v10.5.0...v11.0.0)

---
updated-dependencies:
- dependency-name: pino-http
  dependency-version: 11.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(api): satisfy pino-http v11 generics in app.ts

pino-http v11 tightened its call generics so CustomLevels infers as
string, rejecting our default pino.Logger<never>. Pin the
Request/Response generics (keeps the req.id serializer valid) and let
CustomLevels fall back to its never default.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): regenerate lockfile for combined bumps; declare react-is peer

The four dependency PRs (#579, #571, #565, #572) each carried a lockfile
generated against main in isolation; combining them needs one consistent
resolve. Also declare react-is in mockup-sandbox — recharts 3 requires it
as a peer and autoInstallPeers is off.

Verified: pnpm install clean, full typecheck, workspace build, 981-test
API suite green, eslint 0 errors, pnpm audit --prod has no high findings.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

* ci: drop docker-build job duplicated by the standalone docker-build.yml workflow

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
cloudURBANE added a commit to cloudURBANE/sCAST that referenced this pull request Jul 10, 2026
setup-node v6's breaking change ("Limit automatic caching to npm",
actions/setup-node#1374) only narrows the NO-input auto-detection path so
it auto-enables caching for npm projects. An explicit `cache: pnpm` input is
still honored: v6 src/main.ts passes the input value straight to
restoreCache('pnpm', ...) without overriding it, and the v6 README still lists
pnpm (>=6.10) as a supported cache value.

All three setup-node steps in this repo already set `cache: pnpm` explicitly,
with pnpm/action-setup@v4 running first so the store path resolves. They are
therefore unaffected by the breaking change; only the action version needed to
move. No caching pattern change was required and caching is preserved.

Steps bumped:
- tests.yml (node 22)
- deploy-frontend.yml test job (node 24)
- deploy-frontend.yml deploy job (node 24)

Co-authored-by: Claude <noreply@anthropic.com>
cloudURBANE added a commit to cloudURBANE/sCAST that referenced this pull request Jul 10, 2026
* ci: bump actions/setup-node v4 -> v6 (keep pnpm caching)

setup-node v6's breaking change ("Limit automatic caching to npm",
actions/setup-node#1374) only narrows the NO-input auto-detection path so
it auto-enables caching for npm projects. An explicit `cache: pnpm` input is
still honored: v6 src/main.ts passes the input value straight to
restoreCache('pnpm', ...) without overriding it, and the v6 README still lists
pnpm (>=6.10) as a supported cache value.

All three setup-node steps in this repo already set `cache: pnpm` explicitly,
with pnpm/action-setup@v4 running first so the store path resolves. They are
therefore unaffected by the breaking change; only the action version needed to
move. No caching pattern change was required and caching is preserved.

Steps bumped:
- tests.yml (node 22)
- deploy-frontend.yml test job (node 24)
- deploy-frontend.yml deploy job (node 24)

Co-Authored-By: Claude <noreply@anthropic.com>

* build(deps): bump pnpm/action-setup from 4 to 6

Bumps [pnpm/action-setup](https://github.com/pnpm/action-setup) from 4 to 6.
- [Release notes](https://github.com/pnpm/action-setup/releases)
- [Commits](pnpm/action-setup@v4...v6)

---
updated-dependencies:
- dependency-name: pnpm/action-setup
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* test: discover tests by glob so new test files can't be silently skipped

The api-server and scent-cast `test` scripts hand-enumerated every test
file; six api-server tests (including corsOrigins.test.ts, the test for
the CORS allowlist) existed on disk but never ran. Quote the glob so the
runner expands it (same pattern @workspace/db already uses).

Re-including the orphans surfaced one drifted assertion:
orientationEngine.test.ts expected the visible base exactly at
baselineOffset, but the 2px anti-clip bbox margin scales with the bottle
and intentionally seats the base a few px above — the same accepted
drift the "~88% height" test documents. Bound the assertion to that
documented behavior instead of changing live render geometry (which
would bump ORIENTATION_VERSION and invalidate cached packshots).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014cEQ87SG31DEkaacGtGtH6

* ci: lint gate, dependency scanning, Docker build check, Node 22 parity

Production-readiness F2:
- ESLint flat config scoped to api-server runtime sources with two rules
  at error: @typescript-eslint/no-floating-promises (dropped promises in
  handlers/workers are silent failures) and no-console (post-A6 pino
  regression stop). CLI/MCP entrypoints and offline verification scripts
  keep stdout deliberately. Baseline is clean — the gate starts green.
- `pnpm run lint` root script + CI step.
- CI Node 24 → 22 in tests.yml and deploy-frontend.yml to match the
  node:22-bookworm-slim runtime image and the engines field.
- Dependabot (npm weekly grouped minor/patch + github-actions) and a
  report-only `pnpm audit --prod` step; flip to blocking after triage.
- docker-build PR job (push:false, gha layer cache) gated on image-input
  paths, so Dockerfile/lockfile breakage fails at PR time, not deploy.
- PR guard requiring a lib/db/migrations/ file whenever
  lib/db/src/schema/** changes (E1 enforcement half).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_014cEQ87SG31DEkaacGtGtH6

* feat(build): stamp SPA builds with VITE_GIT_SHA (web-vitals build tag)

The webVitalsTelemetry build tag lost its source when Vercel's injected
VITE_VERCEL_GIT_COMMIT_SHA went away with the CloudFront cutover; main
already reads VITE_GIT_SHA as the fallback but nothing set it. Inject
github.sha in deploy-frontend.yml builds and accept an optional ARG in
the Dockerfile (empty default keeps Railway builds unchanged).

Adapted from PR #539 (claude/production-critical-impl-odvdqt); its ECR/
App Runner deploy job was NOT carried over — docs/aws-migration/ records
the accepted architecture as S3+CloudFront for the SPA with backends
staying on Railway.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

* build(deps): bump the minor-and-patch group across 1 directory with 48 updates

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.9.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: axios
  dependency-version: 1.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: sharp
  dependency-version: 0.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-accordion"
  dependency-version: 1.2.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-alert-dialog"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-aspect-ratio"
  dependency-version: 1.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-avatar"
  dependency-version: 1.2.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-checkbox"
  dependency-version: 1.3.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-collapsible"
  dependency-version: 1.1.16
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-context-menu"
  dependency-version: 2.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dialog"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-dropdown-menu"
  dependency-version: 2.1.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-hover-card"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-menubar"
  dependency-version: 1.1.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-navigation-menu"
  dependency-version: 1.2.18
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-popover"
  dependency-version: 1.1.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-progress"
  dependency-version: 1.1.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-radio-group"
  dependency-version: 1.4.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-scroll-area"
  dependency-version: 1.2.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-select"
  dependency-version: 2.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-separator"
  dependency-version: 1.1.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slider"
  dependency-version: 1.4.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-switch"
  dependency-version: 1.3.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tabs"
  dependency-version: 1.1.17
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toast"
  dependency-version: 1.2.19
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toggle"
  dependency-version: 1.1.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-toggle-group"
  dependency-version: 1.1.15
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.12
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: react-hook-form
  dependency-version: 7.81.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-router-dom
  dependency-version: 7.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/typography"
  dependency-version: 0.5.20
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: orval
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: pg
  dependency-version: 8.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/pg"
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/pg"
  dependency-version: 8.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: drizzle-kit
  dependency-version: 0.31.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: "@replit/vite-plugin-cartographer"
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tailwindcss/vite"
  dependency-version: 4.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: framer-motion
  dependency-version: 12.42.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: react
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: "@types/react"
  dependency-version: 19.2.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tailwindcss
  dependency-version: 4.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: tsx
  dependency-version: 4.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: adapt to sharp 0.35 types and esbuild 0.28 PWA target

The minor-and-patch group surfaces two breaking changes:

1. sharp 0.35 no longer exposes its namespace via a default import, so
   `sharp.Metadata` fails (TS2503). Import the Metadata type by name in
   adminBottleImageUpload.ts and packshotTrimCore.ts.

2. esbuild 0.28 (pulled in via the tsx/esbuild bumps) now refuses to
   transform the PWA service worker's destructuring for the Safari 14.0
   target — Safari 14.0 has a destructuring bug that 14.1 fixed. Bump the
   scent-cast build target safari14 -> safari14.1 (still es2020 + iOS 14).

Verified: full typecheck + both frontend builds (incl. PWA SW) pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): bump @vitejs/plugin-react from 5.1.4 to 6.0.3

Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.1.4 to 6.0.3.
- [Release notes](https://github.com/vitejs/vite-plugin-react/releases)
- [Changelog](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@6.0.3/packages/plugin-react)

---
updated-dependencies:
- dependency-name: "@vitejs/plugin-react"
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): migrate to vite 8 to satisfy @vitejs/plugin-react 6 peer

plugin-react 6.0.3 imports vite/internal and requires vite ^8.0.0; on
vite 7 the build fails with ERR_PACKAGE_PATH_NOT_EXPORTED. Bump the catalog
vite to ^8.1.4. Verified: scent-cast + mockup-sandbox both build and the
full typecheck passes; @tailwindcss/vite and vite-plugin-pwa already
support vite 8, and tests use node --test (not vite).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps-dev): bump recharts from 2.15.4 to 3.9.2

Bumps [recharts](https://github.com/recharts/recharts) from 2.15.4 to 3.9.2.
- [Release notes](https://github.com/recharts/recharts/releases)
- [Changelog](https://github.com/recharts/recharts/blob/main/CHANGELOG.md)
- [Commits](recharts/recharts@v2.15.4...v3.9.2)

---
updated-dependencies:
- dependency-name: recharts
  dependency-version: 3.9.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(chart): adapt shadcn chart.tsx to recharts v3 API

recharts v3 moved active/payload/label onto TooltipContentProps and legend
payload/verticalAlign onto DefaultLegendContentProps; retype
ChartTooltipContent/ChartLegendContent and coerce the DataKey<any> React key.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): bump pino-http from 10.5.0 to 11.0.0

Bumps [pino-http](https://github.com/pinojs/pino-http) from 10.5.0 to 11.0.0.
- [Release notes](https://github.com/pinojs/pino-http/releases)
- [Commits](pinojs/pino-http@v10.5.0...v11.0.0)

---
updated-dependencies:
- dependency-name: pino-http
  dependency-version: 11.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix(api): satisfy pino-http v11 generics in app.ts

pino-http v11 tightened its call generics so CustomLevels infers as
string, rejecting our default pino.Logger<never>. Pin the
Request/Response generics (keeps the req.id serializer valid) and let
CustomLevels fall back to its never default.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* build(deps): regenerate lockfile for combined bumps; declare react-is peer

The four dependency PRs (#579, #571, #565, #572) each carried a lockfile
generated against main in isolation; combining them needs one consistent
resolve. Also declare react-is in mockup-sandbox — recharts 3 requires it
as a peer and autoInstallPeers is off.

Verified: pnpm install clean, full typecheck, workspace build, 981-test
API suite green, eslint 0 errors, pnpm audit --prod has no high findings.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

* ci: drop docker-build job duplicated by the standalone docker-build.yml workflow

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01L112eiWss3qDdppZUJrAw7

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.