v2.2.2 #53

Merged
szegedi merged 25 commits into v2.x from v2.2.2-proposal on Jun 16, 2026

@szegedi szegedi commented Jun 8, 2026

Contributor

Bug fixes

Other (build, dev)

nsavoire and others added 23 commits June 8, 2026 17:13
* Add package-lock.json to the repo

* Use `npm ci` for the CI

Add .npmrc with min-release-age=2 to enforce a 2-day cooldown period
on npm package releases before they can be installed. This protects
against supply chain attacks by ensuring newly published (or
compromised) package versions are not immediately consumed.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Adding a lockfile ensures that dependency resolution is reproducible
and prevents newly-published malicious package versions from being
silently resolved during install. This is part of the incident #51987
response to harden our npm supply chain.

Also removes lockfile entries from .gitignore so the lockfile is
tracked in version control.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Attila Szegedi <szegedi@users.noreply.github.com>
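
Added example, not code from this repository: a Node.js sketch of the checks behind the two commit messages above, auditing a lockfileVersion 3 `package-lock.json` for entries that lack an integrity hash or resolve outside the expected registry, and for versions still inside a 2-day cooldown. The lockfile, package names and publish times are constructed; in practice the publish times would come from the registry metadata for each package.

```javascript
// Added example: SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES and all package names are constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const REGISTRY = 'https://registry.npmjs.org/';

// Returns one finding per problem found in a lockfileVersion 3 "packages" map.
function auditLockfile(lock, publishTimes, now, minAgeDays) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // skip the root project and workspace links
    const marker = 'node_modules/';
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const id = `${name}@${entry.version}`;
    // Without an integrity hash the tarball contents are not pinned.
    if (!entry.integrity) findings.push({ id, issue: 'missing-integrity' });
    // A tarball from outside the expected registry is not covered by its publish times.
    if (!String(entry.resolved || '').startsWith(REGISTRY)) {
      findings.push({ id, issue: 'unexpected-source' });
    }
    const published = Date.parse(publishTimes[id]);
    if (Number.isNaN(published)) {
      findings.push({ id, issue: 'unknown-publish-time' });
    } else if (now - published < minAgeDays * DAY_MS) {
      findings.push({ id, issue: 'inside-cooldown' });
    }
  }
  return findings;
}

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/alpha': { version: '1.2.3', integrity: 'sha512-constructed',
      resolved: 'https://registry.npmjs.org/alpha/-/alpha-1.2.3.tgz' },
    'node_modules/@scope/beta': { version: '4.0.1', integrity: 'sha512-constructed',
      resolved: 'https://registry.npmjs.org/@scope/beta/-/beta-4.0.1.tgz' },
    'node_modules/alpha/node_modules/gamma': { version: '0.9.0',
      resolved: 'https://mirror.example.test/gamma-0.9.0.tgz' },
  },
};
const SAMPLE_PUBLISH_TIMES = {
  'alpha@1.2.3': '2026-01-01T00:00:00Z',
  '@scope/beta@4.0.1': '2026-06-07T12:00:00Z', // 12 hours before NOW
  'gamma@0.9.0': '2026-03-01T00:00:00Z',
};
const NOW = Date.parse('2026-06-08T00:00:00Z');

console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES, NOW, 2));
```
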
* Executing automated changes

* Update package-lock.json

---------

Co-authored-by: gh-worker-campaigns-3e9aa4[bot] <244854796+gh-worker-campaigns-3e9aa4[bot]@users.noreply.github.com>
Co-authored-by: Attila Szegedi <attila.szegedi@datadoghq.com>

* feat: add Dependabot config grouping patch and minor updates

* feat: add release skill for Claude Code

…48)

Bumps the patch-updates group with 1 update: [@eslint/eslintrc](https://github.com/eslint/eslintrc).


Updates `@eslint/eslintrc` from 3.3.1 to 3.3.5
- [Release notes](https://github.com/eslint/eslintrc/releases)
- [Changelog](https://github.com/eslint/eslintrc/blob/main/CHANGELOG.md)
- [Commits](eslint/eslintrc@v3.3.1...eslintrc-v3.3.5)

---
updated-dependencies:
- dependency-name: "@eslint/eslintrc"
  dependency-version: 3.3.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump the minor-updates group across 1 directory with 3 updates

Bumps the minor-updates group with 2 updates in the / directory: [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) and [tap](https://github.com/tapjs/tapjs).


Updates `@typescript-eslint/eslint-plugin` from 8.41.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.41.0 to 8.60.1
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.60.1/packages/parser)

Updates `tap` from 21.6.3 to 21.7.4
- [Release notes](https://github.com/tapjs/tapjs/releases)
- [Commits](https://github.com/tapjs/tapjs/compare/tap@21.6.3...tap@21.7.4)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.60.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: tap
  dependency-version: 21.7.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

* ci: drop EOL Node 18 from test matrix, add Node 26

Node 18 reached end-of-life on 2025-04-30. The tap 21.7.4 bump pulls in
uuid@14 (via @tapjs/processinfo), whose node build references the global
`crypto`, which is unavailable unflagged on Node 18 and breaks the test
loader. Drop 18 and add 26.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Attila Szegedi <attila.szegedi@datadoghq.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.3.0 to 25.9.2.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.9.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [eslint](https://github.com/eslint/eslint) from 9.34.0 to 10.4.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.34.0...v10.4.1)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 10.4.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

ESLint 10 and @eslint/js 10 use util.styleText which requires Node >= 20.
The test matrix already dropped Node 18 so this brings lint in line.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

…#60)

These two packages must be upgraded together: protobufjs-cli@2.x requires
protobufjs@^8.6.0 as a peer dependency, and protobufjs@8.x requires
protobufjs-cli@2.x. Upgrading independently causes an ERESOLVE conflict.

Closes #54, Closes #56

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Having both package-lock.json and yarn.lock creates maintenance burden
without adding security value: CI already uses `npm ci` with
package-lock.json for reproducible installs (the actual supply chain
protection). yarn.lock was added alongside package-lock.json in #39/#40
but since nothing automated consumes it, it just drifts and causes
merge conflicts in Dependabot PRs.

- Remove yarn.lock and add it to .gitignore
- Change prepublishOnly and pretest scripts from `yarn build` to `npm run build`

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

TypeScript 6 has three breaking changes affecting this codebase:

1. Node.js globals (Buffer) are no longer auto-included. Fix: add
   "types": ["node"] to tsconfig.json.

2. Map.get() return type (T | undefined) is no longer assignable to T
   without an assertion. Fix: add ! to the known-present lookup.

3. DeepPartial<T> of primitive types (number|bigint) is incompatible
   with the original type due to stricter narrowing. Fix: change the
   internal decode() helper to use `any` for the accumulator object,
   which is the correct type since it starts as {} and gets mutated.

Closes #50

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Bumps [tshy](https://github.com/isaacs/tshy) from 3.3.2 to 4.1.2.
- [Changelog](https://github.com/isaacs/tshy/blob/main/CHANGELOG.md)
- [Commits](isaacs/tshy@v3.3.2...v4.1.2)

---
updated-dependencies:
- dependency-name: tshy
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

tap (via @tapjs/processinfo) pulled in uuid@14, whose node build
references the global `crypto`; that is unavailable unflagged on Node 18
and unreliable in processinfo's loader hook, which broke CI. Drop the tap
dependency entirely in favor of Node's built-in test runner.

- Rewrite src/index.test.ts against node:test + node:assert. tap's loose
  assertions are mapped as: equal -> strictEqual, same -> deepEqual
  (loose), and has -> a small recursive loose-subset helper (assertHas).
- Compile the tests with tsc (tsconfig.test.json) to dist-test/ and run
  them with `node --test`, so they work on every supported Node version
  including 18 (which cannot strip types natively).
- Fix testing/proto/package.json to {"type":"commonjs"} so the generated
  CJS protobuf module resolves under Node's native ESM loader.
- Re-add Node 18 and add Node 26 to the test matrix.

Verified 72/72 passing on Node 18, 20, 22, 24, and 26.

offset is incremented after buffer.set() but never read again —
the function returns buffer immediately after. Caught by the
no-useless-assignment rule added in @eslint/js 10.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

PR #45 added these tests after PR #58 switched from tap to node:test,
using the old tap.test/t.same style. Convert to test/assert.deepEqual.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.34.0 to 10.0.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v10.0.1/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 10.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

IlyasShabi previously approved these changes Jun 11, 2026

szegedi and others added 2 commits June 15, 2026 12:41
The release workflow's tag push was rejected by the tag ruleset because
actions/checkout persisted GITHUB_TOKEN credentials, which took precedence
over the dd-octo-sts token in the explicit push URL. Drop the persisted
credentials and downgrade contents permission to read.

Also add the dd-octo-sts policy file and fix the deprecated ::set-output
syntax to use GITHUB_OUTPUT.
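
Added example, not the project's workflow or policy file: the fix described in the commit message above, expressed as a check that flags `actions/checkout` steps lacking `persist-credentials: false` and a `contents: write` grant. The two sample workflows, the step name and the `PUSH_URL`/`TAG` variables are constructed, and the scan is a line-based heuristic in JavaScript rather than a YAML parser.

```javascript
// Added example: a line-based heuristic, not a YAML parser. Both workflows are constructed.
function auditWorkflow(text) {
  const steps = [];
  let current = null;
  text.split('\n').forEach((line, i) => {
    if (/^\s*-\s/.test(line)) {
      current = { line: i + 1, body: '' }; // a "- " list item opens a new step
      steps.push(current);
    }
    if (current) current.body += line + '\n';
  });
  // actions/checkout keeps its token in the local git config unless told otherwise.
  const persistingCheckouts = steps
    .filter((s) => /uses:\s*actions\/checkout@/.test(s.body))
    .filter((s) => !/persist-credentials:\s*['"]?false\b/.test(s.body))
    .map((s) => s.line);
  // Grant that lets the default workflow token write to the repository.
  const contentsWrite = /^\s*contents:\s*write\b/m.test(text);
  return { persistingCheckouts, contentsWrite };
}

const BEFORE = [
  'permissions:',
  '  contents: write',
  'jobs:',
  '  release:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '      - name: Push tag with a separately issued token',
  '        run: git push "$PUSH_URL" "$TAG"',
].join('\n');

const AFTER = [
  'permissions:',
  '  contents: read',
  'jobs:',
  '  release:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          persist-credentials: false',
  '      - name: Push tag with a separately issued token',
  '        run: git push "$PUSH_URL" "$TAG"',
].join('\n');

console.log(auditWorkflow(BEFORE), auditWorkflow(AFTER));
```
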
szegedi commented Jun 15, 2026

Contributor Author

Added #65 so our tagging on release will work as expected

@szegedi szegedi merged commit 122e645 into v2.x Jun 16, 2026
14 checks passed
@szegedi szegedi deleted the v2.2.2-proposal branch June 16, 2026 09:10
7 participants