[Deps] Safe dependency updates (2026-02-26)

[github-actions]

Automated Safe Dependency Updates

This PR contains safe patch-level dependency updates that have been verified to:

• ✅ Pass all tests (817 passing, 3 pre-existing failures unrelated to these changes)
• ✅ Have no breaking changes
• ✅ Stay within existing semver ranges (with one explicit minimum version bump for glob)

Updated Dependencies

Package	Previous	Updated	Type
@commitlint/cli	20.4.1	20.4.2	patch
@commitlint/config-conventional	20.4.1	20.4.2	patch
@types/node	25.2.3	25.3.0	minor
@typescript-eslint/eslint-plugin	8.55.0	8.56.1	patch
@typescript-eslint/parser	8.55.0	8.56.1	patch
eslint	10.0.0	10.0.2	patch
glob	13.0.1	13.0.6	patch
typescript-eslint	8.55.0	8.56.1	patch

Security Status

No HIGH or CRITICAL vulnerabilities found in npm audit. One pre-existing moderate severity vulnerability in ajv (transitive dependency via @commitlint) remains — it is not directly exploitable in this project's context.

Skipped Updates (major version bumps / breaking changes)

• chalk: 4.x → 5.x (ESM-only in v5, breaking change)
• commander: 12.x → 14.x (major, needs API review)
• execa: 5.x → 9.x (ESM-only in v6+, breaking change)
• eslint-plugin-security: 3.x → 4.x (major, needs review)

---

Generated by Dependency Security Monitor Workflow

AI generated by Dependency Security Monitor

[github-actions]

PR titles reviewed:
feat(proxy): add observability and rate limiting to API proxy
refactor: remove --allow-full-filesystem-access flag
GitHub MCP (last 2 merged PRs): ✅
safeinputs-gh PR list: ✅
Playwright title check: ✅
Tavily search: ❌
File write + cat: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.37%	82.51%	📈 +0.14%
Statements	82.27%	82.41%	📈 +0.14%
Functions	82.60%	82.60%	➡️ +0.00%
Branches	74.21%	74.30%	📈 +0.09%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.4% → 84.0% (+0.54%)	82.8% → 83.3% (+0.52%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR contains automated safe patch-level dependency updates that maintain compatibility with the existing codebase. The updates include security and bug fixes for development dependencies, with all changes passing the test suite (817 tests passing). The only change to package.json is an explicit minimum version bump for the glob package from ^13.0.1 to ^13.0.6, while other packages were updated in package-lock.json within their existing caret ranges.

Changes:

• Updated 8 development dependencies with patch-level and one minor version bump
• Explicit minimum version bump for glob to address compatibility improvements
• Updated transitive dependencies including eslint tooling, TypeScript type definitions, and commitlint packages

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Explicit minimum version bump for glob from ^13.0.1 to ^13.0.6 to support broader Node.js compatibility
package-lock.json	Patch/minor updates for 8 direct devDependencies and their transitive dependencies, including commitlint, typescript-eslint, eslint, and @types/node packages; structural change moving fdir to top-level (npm deduplication)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Node.js Build Test Results

Project	Install	Tests	Status
clsx	✅	All passed	✅ PASS
execa	✅	All passed	✅ PASS
p-limit	✅	All passed	✅ PASS

Overall: ✅ PASS

Generated by Build Test Node.js for issue #1059

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS

Generated by Build Test C++ for issue #1059

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1059

[github-actions]

🧪 Build Test: Bun Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: ✅ PASS

Bun v1.3.10 — all tests passed successfully.

Generated by Build Test Bun for issue #1059

[github-actions]

🦀 Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: ✅ PASS

All projects built and tested successfully.

Generated by Build Test Rust for issue #1059

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

Generated by Build Test Deno for issue #1059

[github-actions]

Smoke Test Results

✅ GitHub MCP: #1049 test: fix docker-warning tests and fragile timing dependencies; #1054 test: add DNS restriction enforcement tests
✅ Playwright: github.com title contains "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-22458943574.txt created
✅ Bash: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1059

[github-actions]

Go Build Test Results ✅

Project	Download	Tests	Status
color	✅	PASS	PASS
env	✅	PASS	PASS
uuid	✅	PASS	PASS

Overall: PASS

Generated by Build Test Go for issue #1059

[github-actions]

Merged PRs reviewed: test: fix docker-warning tests and fragile timing dependencies; test: add DNS restriction enforcement tests
GitHub MCP merged PRs ✅
safeinputs-gh PR list ✅
Playwright title check ✅
Tavily web search ❌ (tool unavailable)
File write ✅
Bash cat ✅
Discussion comment ✅
Build npm ci && npm run build ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1059

[github-actions]

Smoke Test Results (run 22458943544)

Test	Result
GitHub MCP (last 2 merged PRs)	✅ #1063 "feat(proxy): make copilot api target configurable for enterprise environments" by @lpcox · #1056 "refactor: remove --allow-full-filesystem-access flag" by @Mossaka
Playwright (github.com title check)	✅
File writing (smoke-test-copilot-22458943544.txt)	✅
Bash verification (cat file)	✅

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1059

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ No
Node.js	v24.13.1	v20.20.0	❌ No
Go	go1.22.12	go1.22.12	✅ Yes

Result: ⚠️ Not all versions match. Go matches, but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot for issue #1059

[github-actions]

☕ Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: ✅ PASS

All projects compiled and all tests passed successfully.

Generated by Build Test Java for issue #1059

[github-actions]

🧪 Build Test: Bun

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: ✅ PASS

Bun v1.3.10 — all tests passed across both projects.

Generated by Build Test Bun for issue #1059

[github-actions]

PR: fix(ci): resolve integration test suite failures on main
PR: fix(security): eliminate TOCTOU race conditions in ssl-bump.ts
GitHub MCP merged-PR review: ✅
safeinputs-gh PR list: ✅
Playwright title check: ✅
Tavily search: ❌
File write + cat: ✅
Discussion query + comment: ✅
Build: ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1059

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world: Hello, World!

json-parse:

{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1059

[github-actions]

Go Build Test Results ✅

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS

Generated by Build Test Go for issue #1059

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: fix(ci): resolve integration test suite failures on main #1151 fix(ci): resolve integration test suite failures on main, chore(deps): bump the all-docs-site-dependencies group across 1 directory with 4 updates #1182 chore(deps): bump all-docs-site-dependencies
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-22929874779.txt created
• ✅ Bash verify: file contents confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1059

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1059

[github-actions]

Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

Generated by Build Test Java for issue #1059

[Mossaka]

Closing in favor of an aggregated dependency update PR that combines all pending updates. This reduces PR noise and CI load.