chore: update dependencies, fix CI failure, and resolve security vulnerability #5

Merged: LucasFormiga merged 1 commit into main from copilot/update-dependencies-and-fix-issues on Apr 24, 2026
Contributor

Copilot AI commented Apr 23, 2026

Summary

This PR addresses all issues found in the dependency audit and CI investigation.


Issues Fixed

🔴 CI Failure — @biomejs/cli-linux-x64/biome not found

The latest CI run (#17) failed with:

Error: Cannot find module '@biomejs/cli-linux-x64/biome'

Root cause: @biomejs/biome@2.4.4 had a bug where the platform binary was not properly resolved on Linux CI runners.
Fix: Updated to @biomejs/biome@2.4.12 and ran biome migrate to update the biome.json schema from 2.4.4 → 2.4.12.

🔴 Critical Security Vulnerability — protobufjs GHSA-xq3m-2v4x-88gg

protobufjs@7.5.4 (arbitrary code execution) was installed as a dependency of @google/genai ← @tanstack/ai-gemini.
Fix: protobufjs@7.5.5 is now the latest in the ^7.5.4 range, so the stale 7.5.4 entry was removed from the lockfile. @google/genai bundles its own copy in dist/tokenizer/ and works without the separate package. npm audit now reports 0 vulnerabilities.

⚠️ Biome Lint Warning — useExhaustiveDependencies in WidgetBody.tsx

A suppression comment was placed inside the effect body (ineffective location).
Fix: Moved the // biome-ignore comment to the line directly before the useEffect call.

⚠️ Package exports field order warning

Both packages/core and packages/react had types after import/require in the exports field, causing a build-time warning.
Fix: Moved types to the first position in both exports objects.


Dependency Updates

| Package | From | To | Scope |
| --- | --- | --- | --- |
| @biomejs/biome | 2.4.4 | 2.4.12 | root devDeps |
| turbo | 2.8.12 | 2.9.6 | root devDeps |
| vitest | 4.0.18 | 4.1.5 | core + react devDeps |
| @vitest/coverage-v8 | 4.0.18 | 4.1.5 | core devDeps |
| autoprefixer | 10.4.27 | 10.5.0 | react + playground devDeps |
| postcss | 8.5.6 | 8.5.10 | react + playground devDeps |
| dotenv | 17.3.1 | 17.4.2 | playground deps |
| @vitejs/plugin-react | 5.1.4 | 5.2.0 | playground devDeps |

Major version bumps (TypeScript 6, Vite 8, Tailwind 4, lucide-react 1.x, jsdom 29, express 5) were intentionally skipped as they require separate review for breaking changes.


Validation

  • npm run lint — 0 warnings, 0 errors
  • npm run test — 43 tests pass (27 core + 16 react)
  • npm audit — 0 vulnerabilities
  • ✅ CodeQL Security Scan — 0 alerts

Copilot AI requested a review from LucasFormiga April 23, 2026 15:50
@LucasFormiga LucasFormiga marked this pull request as ready for review April 24, 2026 18:27
@LucasFormiga LucasFormiga merged commit 4b47c39 into main Apr 24, 2026
1 check passed
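
A reviewer-side check for the protobufjs lockfile change described above, as an added example that is not part of the PR or the project's code: it walks the `packages` map of an npm v3 lockfile and reports every resolved copy of a package below a minimum version, including nested copies. The sample lockfile is constructed, the function names are hypothetical, and 7.5.5 is assumed to be the first fixed release, as the PR description implies. Code vendored inside a dependency's `dist/` bundle has no lockfile entry and is not covered by this check.

```javascript
// Constructed sample in npm lockfile v3 shape; NOT the repository's real lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root" },
    "node_modules/protobufjs": { version: "7.5.5" },
    // Nested copy pinned by a parent package: the kind of stale entry to catch.
    "node_modules/@google/genai/node_modules/protobufjs": { version: "7.5.4" },
    // Similar name that must not match.
    "node_modules/not-protobufjs": { version: "1.0.0" },
  },
};

// Parse "major.minor.patch" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when `version` sorts below `minimum`. Unparseable versions are
// flagged (treated as below) so they get a manual look.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every lockfile entry for `name` (hoisted or nested) below `minimum`.
function findStaleCopies(lock, name, minimum) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .filter(([, meta]) => isBelow(meta.version, minimum))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Assumption: 7.5.5 is the first fixed version (implied by the PR text).
console.log(findStaleCopies(sampleLock, "protobufjs", "7.5.5"));
```

To run it against a real project, pass the parsed contents of `package-lock.json` in place of `sampleLock`.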