chore: patch dev-dependency vulns and align build target with Node 22#6
Merged
Conversation
Salvages the still-relevant pieces of the abandoned fix/review-medium branch (its exports-map fix and smoke test already landed via #3/#5): - Regenerate package-lock.json via `npm audit fix`, clearing 16 of 19 dev-dependency advisories (incl. the critical/high vite findings). The remaining 3 live inside npm's own bundled deps under semantic-release and are not resolvable from here. - tsup `target` node18 -> node22, matching `engines.node` (>=22). - config.test.ts: replace `as any` with `as unknown as SuperOpsRegion`. No production dependencies were affected; the published package is unchanged at runtime.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Salvages the still-relevant pieces of an abandoned local branch (
fix/review-medium) — its exports-map fix and smoke test already landed via #3 and #5, leaving three unique, still-useful changes.npm auditonmainreported 19 dev-dependency vulnerabilities (1 critical, 12 high, 5 moderate). All in dev tooling — zero production dependencies affected.Changes
package-lock.json— regenerated vianpm audit fix, clearing 16 of 19 advisories (including the critical/highvitefindings). The remaining 3 live inside npm's own bundled deps undersemantic-release(node_modules/npm/node_modules/*) and are not resolvable from here —npm audit fix --forceleaves them too.tsup.config.ts— buildtargetnode18→node22, matchingengines.node(>=22).tests/unit/config.test.ts— replaceas anywithas unknown as SuperOpsRegion.Verification
npm ci+ lint + typecheck + build + test all green; 106 tests pass.No production dependencies changed; the published package is unchanged at runtime.
chore:commit — no release triggered.