v2.2.2 #53
Merged
* Add package-lock.json to the repo
* Use `npm ci` for the CI
Add .npmrc with min-release-age=2 to enforce a 2-day cooldown period on npm package releases before they can be installed. This protects against supply chain attacks by ensuring newly published (or compromised) package versions are not immediately consumed.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adding a lockfile ensures that dependency resolution is reproducible and prevents newly-published malicious package versions from being silently resolved during install. This is part of the incident #51987 response to harden our npm supply chain.
Also removes lockfile entries from .gitignore so the lockfile is tracked in version control.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>
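The cooldown and lockfile described in the two commit messages above can also be audited after the fact. The following is an added example, not code from this pull request or repository: it checks a lockfile's pinned versions against a minimum release age. The function names, package names, versions and timestamps are assumptions constructed for illustration, and the publish times stand in for the `time` map of a registry packument.

```javascript
// Added example: all package names, versions and timestamps are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Returns every locked package whose version is younger than minAgeDays.
// publishTimes has the shape { name: { version: ISO timestamp } }, like the
// "time" map of a registry packument (assumed to be fetched beforehand).
function findCooldownViolations(lock, publishTimes, now, minAgeDays) {
  const violations = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    if (key === "" || entry.link) continue; // root project or workspace link
    const name = entry.name ?? nameFromLockKey(key);
    const published = publishTimes[name]?.[entry.version];
    if (published === undefined) {
      // Fail closed: without a publish time the cooldown cannot be proven.
      violations.push({ name, version: entry.version, reason: "unknown-publish-time" });
      continue;
    }
    const ageDays = (now.getTime() - Date.parse(published)) / DAY_MS;
    if (ageDays < minAgeDays) {
      violations.push({ name, version: entry.version, reason: "too-new", ageDays });
    }
  }
  return violations;
}

// Constructed lockfile excerpt (lockfileVersion 3 layout).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-example": { version: "1.4.0" },
    "node_modules/@acme/codec": { version: "2.0.1" },
    "node_modules/left-example/node_modules/nested-dep": { version: "0.3.0" },
  },
};
// Constructed publish times; nested-dep is deliberately missing.
const samplePublishTimes = {
  "left-example": { "1.4.0": "2026-05-01T12:00:00Z" },
  "@acme/codec": { "2.0.1": "2026-06-09T06:00:00Z" },
};
const sampleNow = new Date("2026-06-10T00:00:00Z");
console.log(findCooldownViolations(sampleLock, samplePublishTimes, sampleNow, 2));
```

A non-empty result means the lockfile pins a version that the 2-day cooldown would have held back, or one whose publish time could not be established.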
* Executing automated changes
* Update package-lock.json
---------
Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
Co-authored-by: Attila Szegedi <attila.szegedi@datadoghq.com>
* feat: add Dependabot config grouping patch and minor updates
* feat: add release skill for Claude Code
…48)
Bumps the patch-updates group with 1 update: [@eslint/eslintrc](https://github.com/eslint/eslintrc).
Updates `@eslint/eslintrc` from 3.3.1 to 3.3.5
- [Release notes](https://github.com/eslint/eslintrc/releases)
- [Changelog](https://github.com/eslint/eslintrc/blob/main/CHANGELOG.md)
- [Commits](eslint/eslintrc@v3.3.1...eslintrc-v3.3.5)
---
updated-dependencies:
- dependency-name: "@eslint/eslintrc"
  dependency-version: 3.3.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump the minor-updates group across 1 directory with 3 updates
Bumps the minor-updates group with 2 updates in the / directory: [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) and [tap](https://github.com/tapjs/tapjs).
Updates `@typescript-eslint/eslint-plugin` from 8.41.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/eslint-plugin)
Updates `@typescript-eslint/parser` from 8.41.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/parser)
Updates `tap` from 21.6.3 to 21.7.4
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/compare/tap@21.6.3...tap@21.7.4)
---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: tap
  dependency-version: 21.7.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...
Signed-off-by: dependabot[bot] <support@github.com>
* ci: drop EOL Node 18 from test matrix, add Node 26
Node 18 reached end-of-life on 2025-04-30. The tap 21.7.4 bump pulls in uuid@14 (via @tapjs/processinfo), whose node build references the global `crypto`, which is unavailable unflagged on Node 18 and breaks the test loader. Drop 18 and add 26.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Attila Szegedi <attila.szegedi@datadoghq.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.3.0 to 25.9.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)
---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [eslint](https://github.com/eslint/eslint) from 9.34.0 to 10.4.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.34.0...v10.4.1)
---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ESLint 10 and @eslint/js 10 use util.styleText which requires Node >= 20. The test matrix already dropped Node 18 so this brings lint in line.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…#60)
These two packages must be upgraded together: protobufjs-cli@2.x requires protobufjs@^8.6.0 as a peer dependency, and protobufjs@8.x requires protobufjs-cli@2.x. Upgrading independently causes an ERESOLVE conflict.
Closes #54, Closes #56
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Having both package-lock.json and yarn.lock creates maintenance burden without adding security value: CI already uses `npm ci` with package-lock.json for reproducible installs (the actual supply chain protection). yarn.lock was added alongside package-lock.json in #39/#40 but since nothing automated consumes it, it just drifts and causes merge conflicts in Dependabot PRs.
- Remove yarn.lock and add it to .gitignore
- Change prepublishOnly and pretest scripts from `yarn build` to `npm run build`
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
TypeScript 6 has three breaking changes affecting this codebase:
1. Node.js globals (Buffer) are no longer auto-included. Fix: add
"types": ["node"] to tsconfig.json.
2. Map.get() return type (T | undefined) is no longer assignable to T
without an assertion. Fix: add ! to the known-present lookup.
3. DeepPartial<T> of primitive types (number|bigint) is incompatible
with the original type due to stricter narrowing. Fix: change the
internal decode() helper to use `any` for the accumulator object,
which is the correct type since it starts as {} and gets mutated.
Closes #50
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps [tshy](https://github.com/isaacs/tshy) from 3.3.2 to 4.1.2.
- [Changelog](https://github.com/isaacs/tshy/blob/main/CHANGELOG.md)
- [Commits](isaacs/tshy@v3.3.2...v4.1.2)
---
updated-dependencies:
- dependency-name: tshy
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
tap (via @tapjs/processinfo) pulled in uuid@14, whose node build
references the global `crypto`; that is unavailable unflagged on Node 18
and unreliable in processinfo's loader hook, which broke CI. Drop the tap
dependency entirely in favor of Node's built-in test runner.
- Rewrite src/index.test.ts against node:test + node:assert. tap's loose
assertions are mapped as: equal -> strictEqual, same -> deepEqual
(loose), and has -> a small recursive loose-subset helper (assertHas).
- Compile the tests with tsc (tsconfig.test.json) to dist-test/ and run
them with `node --test`, so they work on every supported Node version
including 18 (which cannot strip types natively).
- Fix testing/proto/package.json to {"type":"commonjs"} so the generated
CJS protobuf module resolves under Node's native ESM loader.
- Re-add Node 18 and add Node 26 to the test matrix.
Verified 72/72 passing on Node 18, 20, 22, 24, and 26.
offset is incremented after buffer.set() but never read again — the function returns buffer immediately after. Caught by the no-useless-assignment rule added in @eslint/js 10.
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.34.0 to 10.0.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js)
---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
IlyasShabi previously approved these changes on Jun 11, 2026
The release workflow's tag push was rejected by the tag ruleset because actions/checkout persisted GITHUB_TOKEN credentials, which took precedence over the dd-octo-sts token in the explicit push URL. Drop the persisted credentials and downgrade contents permission to read. Also add the dd-octo-sts policy file and fix the deprecated ::set-output syntax to use GITHUB_OUTPUT.
Contributor, Author
Added #65 so our tagging on release will work as expected
IlyasShabi approved these changes on Jun 15, 2026
Bug fixes
Other (build, dev)