chore(deps-dev): bump typescript from 5.9.3 to 6.0.3 #259

Merged
nikolanovoselec merged 3 commits into develop from dependabot/npm_and_yarn/develop/typescript-6.0.3
May 9, 2026


@dependabot dependabot Bot commented on behalf of github Apr 29, 2026

Bumps typescript from 5.9.3 to 6.0.3.

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0

For release notes, check out the release announcement blog post.

Downloads are available on:

TypeScript 6.0 Beta

For release notes, check out the release announcement.

Downloads are available on:

Commits
  • 050880c Bump version to 6.0.3 and LKG
  • eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
  • ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
  • 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
  • 607a22a Bump version to 6.0.2 and LKG
  • 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
  • 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
  • e175b69 Bump version to 6.0.1-rc and LKG
  • af4caac Update LKG
  • 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
  • Additional commits viewable in compare view

@dependabot dependabot Bot added the dependencies and javascript labels Apr 29, 2026

@nikolanovoselec (Owner) commented:

HOLD: typescript 5.9.3 → 6.0.3 is a major version bump and is hard-excluded from auto-merge per the v1.1.5 release notes (a previous TS major bump caused a tsc hang). Needs manual validation before merging.

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/develop/typescript-6.0.3 branch from 8f21f55 to 0e242d7 on May 3, 2026 12:35
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/develop/typescript-6.0.3 branch 2 times, most recently from cd4f2d7 to 9ac73af on May 5, 2026 16:25
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/develop/typescript-6.0.3 branch from 9ac73af to 668ed10 on May 9, 2026 12:14
nikolanovoselec and others added 3 commits May 9, 2026 16:29
* docs: reclassify 5 false-positive ADRs (issue #270 Q3)

Per the new "What is NOT an ADR" rule in documentation-discipline.md,
move five entries out of the architectural decision log:

- AD9 (RESSOURCE_TIER spelling) -> configuration.md naming-compat note
- AD23 (CORS admin-trust acceptance) -> src/lib/cors-cache.ts inline
- AD24 (session IDs as namespace keys) -> src/lib/constants.ts inline
- AD25 (E2E hardcoded test email) -> src/lib/access.ts inline
- AD31 (root container is intentional) -> Dockerfile inline

Each gets a concise SAST-false-positive comment at the source site and
a row in the new "Static-Analyzer False Positives" table in
security.md. The AD-N anchors remain as one-paragraph
'Status: Reclassified' stubs so inbound source-code references stay
valid (same shape as existing 'Merged into AD-X' stubs).

Active ADR count: 41 -> 36.

* docs: replace fragile line numbers with named symbols in SAST stubs

code-reviewer LOW + doc-updater MEDIUM: the security.md table and the
AD31 stub both pointed at line numbers (Dockerfile:200, cors-cache.ts:121,
etc.) that drift when files change. Replace with file path + named
symbol/section anchor and add 'grep -rn SAST-false-positive .' as the
durable cross-reference.

* /sdd: propagate 'What is NOT an ADR' rule to skill + clean

PR #286 added the rule to documentation-discipline.md (loaded into
every agent on every run). This commit extends the rule into the
/sdd skill itself so future project ADRs are clean from /sdd init
onward, not only after doc-updater Pass 5 catches false positives.

- ADR template (documentation-decisions-readme.md): add doc-discipline
  directive comment, 'What is NOT an ADR' callout with the four-shape
  table, reclassification-stub guidance, and the missing Status +
  Consequences fields on the AD1 example so 'Alternatives considered'
  is load-bearing from the first ADR.
- SKILL.md: add Pass 5 reclassification to '/sdd clean' bullets;
  document the ADR template guardrail in 'Template conventions'.
- commands/sdd.md: list false-positive ADRs as a /sdd clean MEDIUM
  finding with AUTO-RECLASSIFY in auto/unleashed.
- Regenerate agent-seed.generated.ts.

* hooks: gate review pipeline on PR base = main/master

Both the PostToolUse review-reminder and Stop enforce-review-spawn
hooks now check PR base branch via gh pr view --json
state,headRefOid,baseRefName. PRs into 'develop'/'staging' and other
intermediate integration branches no longer trigger the three-agent
review pipeline; only PRs targeting 'main' or 'master' do. The
cumulative review at the develop -> main PR covers everything that
landed.

Token cost roughly halves on feature -> develop -> main workflows
without changing coverage at the merge-to-main boundary.

PR-OPEN path now polls gh after gh pr create lands so the new PR's
base is known before the directive fires (one-time 200-500ms cost
per PR creation, not on the per-push hot path). PR-SYNC path adds
baseRefName to the .git/sdd-pr-cache 3-line schema; legacy 2-line
caches fall through to gh and rewrite. Stop hook adds an explicit
exit-0 gate after the existing PR_STATE check.

REQ-AGENT-021 AC4 reworded; sdd/changes.md updated; rules/common/
git-workflow.md trigger semantics table expanded with explicit
target-branch column and a clone-tracking note. Tests cover all
four base permutations (main, master, develop, no-PR) for both
hooks plus the legacy-cache rewrite path.

* hooks+sdd: fail-open on empty BASE_REF + SDLC docs for review pipeline

External LLM review (gemini) flagged a fail-closed bug in the Stop
hook's base gate: if 'jq' parses 'state' successfully but
'baseRefName' extracts to empty (transient gh quirk between two
field reads on the same JSON), the case statement falls to '*) exit 0'
and silently bypasses enforcement. Now matches main|master|''
- empty BASE_REF fails open to enforcement, not silent skip.

User feedback: /sdd help screen and SKILL.md auto-detection section
must call out the SDLC requirements so users understand what they
need to set up to get autonomous review:

  1. main/master branch as eventual merge target
  2. PRs opened against main/master (directly or transitively)
  3. gh CLI installed + authenticated
  4. Upstream tracking on working branch
  5. Recommended GitHub branch protection on main

Trunk-based projects with a non-main default branch silently get
no review; called out as a v1 trade-off.

New regression test: gh returns OPEN+headRefOid but omits
baseRefName — Stop hook must block, not silently skip. Pins the
fail-open semantics.

* hooks+spec: PR-SYNC empty-base parity, cache line-count detection, AC4 split

Three follow-ups identified in the post-7580b15 review, batched in this PR:

1. PR-SYNC empty-base parity (git-push-review-reminder.sh): the
   PR-SYNC `case "$PR_BASE"` now matches `main|master|""`, mirroring
   the fail-open policy enforce-review-spawn.sh adopted in 7580b15.
   When gh returns state=OPEN but jq cannot parse baseRefName (rare
   transient quirk), the PostToolUse hook now fires the silent
   directive instead of silently exiting — better to over-review
   than skip a real PR-to-main on a parsing edge case.

2. Cache legacy detection by line count (git-push-review-reminder.sh):
   the legacy 2-line cache check no longer uses the empty-base
   heuristic. Detection is now `wc -l` against the cache file, so an
   OPEN PR with a transiently-empty base (cached as `branch\nOPEN\n\n`,
   3 lines) is treated as a valid cache hit instead of looping back
   to gh on every push. Eliminates a 200-500ms per-push thrash that
   occurred whenever gh briefly returned state without baseRefName.

3. REQ-AGENT-021 AC4 run-on bullet split (sdd/agents.md): the
   160-word AC4 (flagged MEDIUM by spec-reviewer for exceeding the
   150-word run-on threshold) is split into 5 discrete bullets
   (4-8); items 5-7 renumbered to 9-11. No behavior change — the
   contract is unchanged, only its presentation.

Plus the doc-updater MEDIUM-1 finding from the previous push:
documentation/preseed.md "Resetting the review-spawn checkpoint"
section now explicitly states enforcement is gated on main/master
base and notes the empty-baseRefName fail-open path.

Two new tests in host/__tests__/git-push-review-reminder.test.js:
- "uses cached OPEN+empty-base result and fires (fail-open parity
  with Stop hook)" — proves the 3-line cache hit path skips gh and
  fires the directive when base is empty.
- "fires on git push when gh returns OPEN with empty baseRefName
  (fail-open)" — live-gh fixture omitting baseRefName entirely;
  asserts the additionalContext directive is emitted.

Regenerated src/lib/agent-seed.generated.ts.

* doc: AC sub-ref AC4 → AC4, AC8 after bullet split

---------

Co-authored-by: nikolanovoselec <nikolanovoselec@users.noreply.github.com>
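
The two shell behaviours the commit message above describes (the base-branch gate that groups an empty base with main/master, and legacy-cache detection by line count), as an added example that is not the project's hook code. Function names and the sample cache contents are assumptions built from the message's description of a branch, state, base cache.

```shell
#!/bin/sh
# Added illustration; function names and the demo files are hypothetical,
# not the project's hook code.

# Base gate before the fix: an empty base falls into the catch-all and the
# hook skips enforcement.
gate_before() {
  case "$1" in
    main|master) echo enforce ;;
    *)           echo skip ;;
  esac
}

# Base gate after the fix: empty is grouped with main/master, so an
# unparsed baseRefName leads to enforcement.
gate_after() {
  case "$1" in
    main|master|"") echo enforce ;;
    *)              echo skip ;;
  esac
}

# Old legacy-cache heuristic: "third line (base) is empty" means legacy.
legacy_by_empty_base() { [ -z "$(sed -n '3p' "$1")" ]; }

# New detection: count newline-terminated lines; fewer than 3 means legacy.
legacy_by_line_count() { [ "$(($(wc -l < "$1")))" -lt 3 ]; }

# Constructed sample caches: branch, state, base (one per line).
demo_dir=$(mktemp -d)
printf 'feature\nOPEN\n'       > "$demo_dir/legacy"      # 2-line legacy cache
printf 'feature\nOPEN\n\n'     > "$demo_dir/empty_base"  # 3 lines, base empty
printf 'feature\nOPEN\nmain\n' > "$demo_dir/full"        # 3 lines, base main

for base in main develop ""; do
  printf 'base=%-10s before=%s after=%s\n' "'$base'" "$(gate_before "$base")" "$(gate_after "$base")"
done
for f in legacy empty_base full; do
  legacy_by_empty_base "$demo_dir/$f" && old=legacy || old=current
  legacy_by_line_count "$demo_dir/$f" && new=legacy || new=current
  printf 'cache=%-10s old=%s new=%s\n' "$f" "$old" "$new"
done
rm -rf "$demo_dir"
```

The `empty_base` file is the case the message calls out: the old heuristic classifies it as legacy on every push, while the line count treats it as a valid cache hit.
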
Bumps the npm_and_yarn group with 1 update in the / directory: [ip-address](https://github.com/beaugunderson/ip-address).


Updates `ip-address` from 10.1.0 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/commits)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.3.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.3)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/develop/typescript-6.0.3 branch from 668ed10 to c7116c3 on May 9, 2026 15:23
@nikolanovoselec nikolanovoselec merged commit aff653d into develop May 9, 2026
@nikolanovoselec nikolanovoselec deleted the dependabot/npm_and_yarn/develop/typescript-6.0.3 branch May 9, 2026 15:27