chore(deps): clear Dependabot alerts + bring all dependencies to latest #131
Merged
The main window starts hidden and is revealed from the frontend once settings hydrate. show() made it visible but never activated the app, so Citadel could launch behind whatever window already had focus. Focus the window right after showing it, mirroring the settings-window pattern.
Fixes CDL-16
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Resolves 10 of 11 open Dependabot alerts:
- vite 5 -> 6.4.3: server.fs.deny bypass (#50), optimized-deps .map path traversal (#27), launch-editor NTLMv2 disclosure (#51)
- tar 0.4.44 -> 0.4.46 (#47/#24/#23)
- tauri 2.10.3 -> 2.11.3 (#42)
- rand -> 0.9.4 / 0.10.1 (#32/#28); cargo update dropped the vulnerable rand 0.7.3 / 0.8.5 from the phf build chain (#33)
Bumped @vitejs/plugin-react-swc -> 4 and Storybook 8 -> 8.6.18 for vite 6 peer compatibility.
Verified: web build, 184 vitest tests, storybook build, cargo check + cargo test all green.
glib 0.18 (#22) remains: Linux-only, pinned by tauri's frozen gtk-rs 0.18 stack; no fix available upstream.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
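A lockfile check for the Rust side of the commit above, added here as an example (it is not code from this PR or the project): it walks every `[[package]]` entry in a Cargo.lock, including duplicate copies of the same crate, and reports any `tar`, `tauri` or `rand` entry below the versions the commit message names. The `FLOORS` table, the function names and the sample lockfile are assumptions constructed for illustration, as is treating those versions as minimums.

```rust
// Added example, not the project's code. FLOORS holds the crate versions this PR
// moved to (from its commit message); treating them as minimums is an assumption.
const FLOORS: &[(&str, &str)] =
    &[("tar", "0.4.46"), ("tauri", "2.11.3"), ("rand", "0.9.4"), ("rand", "0.10.1")];

// Constructed sample: two rand versions resolved side by side, as Cargo.lock allows.
const SAMPLE_LOCK: &str = "version = 4\n\n[[package]]\nname = \"rand\"\nversion = \"0.8.5\"\n\n\
    [[package]]\nname = \"rand\"\nversion = \"0.9.4\"\ndependencies = [\n \"rand_core 0.9.3\",\n]\n\n\
    [[package]]\nname = \"tar\"\nversion = \"0.4.44\"\n\n[[package]]\nname = \"tauri\"\nversion = \"2.11.3\"\n";

fn ver(v: &str) -> Vec<u64> {
    v.split(|c: char| ".-+".contains(c)).map(|p| p.parse().unwrap_or(0))
        .chain(std::iter::repeat(0)).take(3).collect()
}

// Semver compatibility line: major for >= 1.0, major.minor for 0.x.
fn line(v: &[u64]) -> (u64, u64) { if v[0] == 0 { (0, v[1]) } else { (v[0], 0) } }

// (name, version) of every [[package]] entry. The top-level `version = 4` key has
// no preceding name and is skipped, as are the quoted lines inside `dependencies`.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for l in lock.lines().map(str::trim) {
        if let Some(n) = l.strip_prefix("name = ") {
            name = Some(n.trim_matches('"').to_string());
        } else if let (Some(v), Some(n)) = (l.strip_prefix("version = "), name.clone()) {
            out.push((n, v.trim_matches('"').to_string()));
            name = None;
        }
    }
    out
}

// Watched crates locked on a line with no floor, or below the floor of their line.
fn stale_entries(lock: &str) -> Vec<String> {
    let mut stale = Vec::new();
    for (name, version) in locked_packages(lock) {
        let v = ver(&version);
        let floors: Vec<Vec<u64>> = FLOORS.iter()
            .filter(|(n, _)| *n == name.as_str()).map(|(_, f)| ver(f)).collect();
        if !floors.is_empty() && !floors.iter().any(|f| line(f) == line(&v) && v >= *f) {
            stale.push(format!("{name} {version}"));
        }
    }
    stale
}

fn main() { println!("{:?}", stale_entries(SAMPLE_LOCK)); }
```

Run against a real lockfile by reading it with `std::fs::read_to_string("Cargo.lock")` and failing the CI job when the returned list is non-empty.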
…ok 10)
Unblocks the latest toolchain now that Storybook 10 lifts the vite<=6 peer cap that held the previous commit at vite 6.
- vite 6.4.3 -> 8.1.0 (now rolldown-based)
- vitest 3.2.6 -> 4.1.9
- storybook 8.6 -> 10.4.6: dropped the consolidated packages (addon-essentials, addon-interactions, blocks, test) now folded into core; added @storybook/addon-docs; bumped storybook-dark-mode -> 5 and @chromatic-com/storybook -> 5 for SB10 peer support
- migrated @storybook/preview-api imports -> storybook/preview-api subpath
Verified: web build (vite 8), 184 vitest tests, storybook build, biome lint.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pulls every dependency to the newest version satisfying its existing semver range. Notable: @tanstack/react-router 1.29 -> 1.170 (regenerated routeTree.gen.ts to the new format), typescript 5.3 -> 5.9, all @tauri-apps plugins/api/cli to latest 2.x, all @radix-ui primitives, zustand/dompurify/clsx/tailwind-merge/postcss/autoprefixer. React stays on 18 (normalized to ~18.2.0); major-version bumps left for follow-up.
Verified: tsc, vite 8 build, 184 vitest tests, storybook build.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Low-risk dev-only major/minor bumps verified independently:
- @biomejs/biome 2.4.16 -> 2.5.1 (lint + format clean)
- @faker-js/faker 8.4.1 -> 10.5.0 (only stable namespaced APIs used in test factories; 184 vitest tests pass)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Verifiable dev/build-tooling majors:
- typescript 5.9 -> 6.0.3: migrated tsconfig off the now-deprecated `baseUrl` (paths resolve relative to the config dir under moduleResolution "bundler")
- unplugin-icons 0.18 -> 23.0.1 (vite plugin loads; build clean)
- postcss-load-config 5 -> 6.0.1 (autoprefixer still applies in build output)
Verified: tsc, vite 8 build, 184 vitest tests, storybook build.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop four dependencies with zero references outside package.json (leftovers from the pre-Radix / Svelte era):
- bits-ui (Svelte component lib)
- @crabnebula/tauri-plugin-drag (JS side; the Rust plugin stays)
- @melt-ui/pp (Svelte preprocessor)
- @fontsource/fira-mono (unused font)
Verified: vite 8 build + 184 vitest tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- react / react-dom 18.2 -> 19.2.7, @types/react(-dom) -> 19
- ref props now nullable per React 19 types: RefObject<T> -> RefObject<T | null> in use-library-keymap and BookGrid
- replace deprecated MutableRefObject with RefObject (unified + mutable in 19)
Entry point already uses createRoot.
Verified: tsc, vite 8 build, 184 vitest tests, storybook build, biome lint. Runtime smoke-test to follow.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Tailwind was never wired into the build: no @tailwind/@import directives, no PostCSS or Vite Tailwind plugin, and zero imports of tailwindcss/tailwind-merge/tailwind-variants in src. The app styles entirely with CSS Modules + clsx, and tailwind.config.js was abandoned shadcn scaffolding whose HSL vars don't match the real --ctd-*/--pal- OKLCH tokens in styles.css.
Removed tailwindcss, tailwind-merge, tailwind-variants, and tailwind.config.js. Kept clsx, postcss, autoprefixer (all in active use).
Verified: vite 8 build (autoprefixer still applies), 184 vitest tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Migrate the build's type-check step from tsc to the native Go compiler:
- add @typescript/native-preview (tsgo) as a dev dependency
- build:web now runs `tsgo && vite build`; add a `typecheck` script
- keep the `typescript` package (6.x) installed — Vite, Storybook docgen and the editor still consume its language-service API
tsgo type-checks this repo cleanly (paths + project references + composite) in ~0.28s vs ~1.9s for tsc (~6.7x faster). Native binaries resolve per platform via optional deps, so CI on ubuntu-22.04 + macos-15 both use it.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
libcalibre Test Coverage Report
Overall coverage: 81.63%
Coverage breakdown available in the artifacts.
The text-merge of Cargo.lock dropped quick-xml (added by main's metadata SRU work); cargo check re-locked it. Workspace compiles + all tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The codebase uses ES2022 APIs (Array/String.prototype.at) while tsconfig
declared lib ES2020. tsc tolerated this; the TS7 native compiler (tsgo) does
not, so CI's build_app failed with TS2550 ("change lib to es2022 or later")
on 4 files. Raise target + lib to ES2022 to match what the code actually uses.
Verified with both tsc and tsgo; full build:web passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Patches the open Dependabot alerts and then brings every dependency (JS + Rust) to its latest installable version. Each step was verified independently (tsc/tsgo, vite build, 184 vitest tests, Storybook build, cargo check/test, biome lint), and the two high-risk migrations (React 19, dependency churn) were smoke-tested by running the app.
Security — Dependabot alerts
Fixes 10 of 11 open alerts:
- server.fs.deny bypass (#50), optimized-deps .map path traversal (#27), launch-editor NTLMv2 disclosure (#51)
Remaining:
- glib 0.18 (#22) — Linux-only, pinned by tauri's frozen gtk-rs 0.18 GTK3 stack. No fix available upstream; recommend dismissing.
Toolchain to latest
- @storybook/preview-api imports)
- MutableRefObject) — verified by running the app: routing, search filtering, and the book-edit page all work
- tsgo) — ~6.7× faster than tsc; the typescript package stays for tooling/editor
- cargo update (all Rust crates within semver); biome 2.5.1, faker 10, unplugin-icons 23, postcss-load-config 6
- @tanstack/react-router 1.29 → 1.170, all @tauri-apps/@radix-ui packages, zustand/dompurify/clsx, etc.
Cleanup
Removed dead packages with zero references:
bits-ui, @crabnebula/tauri-plugin-drag (JS), @melt-ui/pp, @fontsource/fira-mono, and the entire unused Tailwind stack (tailwindcss/tailwind-merge/tailwind-variants + tailwind.config.js) — the app styles with CSS Modules + clsx, Tailwind was never wired into the build.
🤖 Generated with Claude Code