chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 #277
Merged
nikolanovoselec merged 1 commit into develop on May 9, 2026
Conversation
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.35.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@95e58e9...e46ed2c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
nikolanovoselec added a commit that referenced this pull request on May 9, 2026:
…Trivy refresh

* fix(host): raise PTY_KEEPALIVE_MS floor to 120m as safety net (AD47)

The host PTY reaper at 45m was killing the user's claude process before the user-configured sleepAfter (up to 2h) had a chance to fire, forcing /resume on every reconnect after ~1h idle. Reframed as a pure safety net for stuck lastInputAt and floor raised to match maximum sleepAfter.

* chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 (#277)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.35.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@95e58e9...e46ed2c)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump jsdom from 29.1.0 to 29.1.1 in /web-ui (#282)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 29.1.0 to 29.1.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](jsdom/jsdom@v29.1.0...v29.1.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.1.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump oxlint from 1.62.0 to 1.63.0 in /web-ui (#279)

Bumps [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) from 1.62.0 to 1.63.0.
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.63.0/npm/oxlint)

---
updated-dependencies:
- dependency-name: oxlint
  dependency-version: 1.63.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps-dev): bump oxlint from 1.62.0 to 1.63.0 (#280)

Bumps [oxlint](https://github.com/oxc-project/oxc/tree/HEAD/npm/oxlint) from 1.62.0 to 1.63.0.
- [Release notes](https://github.com/oxc-project/oxc/releases)
- [Changelog](https://github.com/oxc-project/oxc/blob/main/npm/oxlint/CHANGELOG.md)
- [Commits](https://github.com/oxc-project/oxc/commits/oxlint_v1.63.0/npm/oxlint)

---
updated-dependencies:
- dependency-name: oxlint
  dependency-version: 1.63.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump zod from 4.3.6 to 4.4.3 (#281)

Bumps [zod](https://github.com/colinhacks/zod) from 4.3.6 to 4.4.3.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump zod from 4.3.6 to 4.4.3 in /web-ui (#283)

Bumps [zod](https://github.com/colinhacks/zod) from 4.3.6 to 4.4.3.
- [Release notes](https://github.com/colinhacks/zod/releases)
- [Commits](colinhacks/zod@v4.3.6...v4.4.3)

---
updated-dependencies:
- dependency-name: zod
  dependency-version: 4.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(trivy): suppress 5 new bookworm CVEs (gnutls/mbedtls/libssh2)

CVE-2026-3833, CVE-2026-42010, CVE-2026-42011 — libgnutls30 nameConstraints and NUL-char auth-bypass family. Container is HTTPS client only.

CVE-2026-25835 — libmbedtls DRBG seed misuse. Transitive rclone/curl dep with no exposed DRBG material.

CVE-2026-7598 — libssh2 integer overflow via large username/password. Container uses git-over-HTTPS, libssh2 never invoked with credentials.

* docs(spec): clarify REQ-SESSION-004 AC4 'sole enforcer' as container-level

spec-reviewer flagged that AC4's literal wording does not admit the host-side PTY reaper documented in AD47. Inserts 'container-level' to make the lane separation explicit. Pure clarification, no behavioural change to the spec.

* feat(terminal): bump scrollback from 400 to 1000 lines

Both the browser xterm.js instance and the host-side headless serialize buffer are bumped together to keep client and reconnect-restore in sync.

* docs: add AD47 backlinks to architecture.md and container.md

doc-updater MEDIUM-2 + MEDIUM-3: the 'single source of truth' idle prose in both files described collectMetrics as the sole enforcer without acknowledging the safety-net reaper documented in AD47. Adds one sentence + AD47 anchor link in each file.

* fix: align test fixture and spec with scrollback 1000

- web-ui test fixture asserted scrollback:400; bumped to 1000 (code-reviewer HIGH on PR #285)
- sdd/mobile.md REQ-MOB-004 constraint enumerated 400 lines; bumped to 1000 (spec-reviewer HIGH on PR #285)
- sdd/changes.md 2026-05-09 entry recording the user-observable bump

* fix(container): graceful Stop/Delete with final R2 bisync

Both POST /api/sessions/:id/stop and DELETE /api/sessions/:id call container.destroy(), which the @cloudflare/containers SDK delivers as SIGKILL. SIGKILL is uncatchable, so the entrypoint trap that runs the final rclone bisync (REQ-SESSION-011) never fired on user-initiated shutdowns — only the idle/quota path (which uses stop('SIGTERM')) actually synced. Files written between the last 60s incremental sync and shutdown were lost from R2.

The DO destroy() override now performs a graceful SIGTERM shutdown inside the DO, polling ctx.container.running for up to 25 s before falling back to super.destroy()'s SIGKILL. Storage identifiers are still cleared first so resurrection prevention (REQ-SESSION-009) is preserved.

- src/container/index.ts: graceful shutdown in destroy() override
- src/routes/session/crud.ts: comment updated to reflect new flow
- src/__tests__/routes/session.test.ts: deleted theater test ('does NOT call prepareShutdown') that masked the bug; renamed the lifecycle.ts companion test that lied about not waiting
- sdd/session-lifecycle.md: REQ-SESSION-006 AC1 + AC3 rewritten, REQ-SESSION-011 gains AC6 covering all paths to the trap
- sdd/changes.md: 2026-05-09 entry
- documentation/architecture.md: Session Stop Flow + destroy() Override descriptions updated
- documentation/mobile.md: stale 400 reference updated to 1000 (doc-updater MEDIUM finding from prior pass)

* fix: address review findings on bisync graceful shutdown

- Remove em dashes introduced in this branch (user hard rule), replacing with regular hyphens, semicolons, or sentence breaks.
- Fix REQ-SESSION-006 AC3 wording: the misleading 'before R2 credentials are wiped' phrasing is replaced with 'before SDK teardown' and AC1 now notes that the entrypoint trap reads R2 creds from process env vars baked at container start, so DO storage clear ordering is not relevant to bisync correctness.
- Use logger.warn with structured data (error: message string) instead of passing the raw Error object as the second arg to match the documented logger signature.

* test: cover destroy() graceful shutdown polling loop

Adds four tests for the new destroy() override polling logic:
- Happy path: SIGTERM stops the container, polling loop exits early.
- Timeout: container stays running, loop exits after 25s, super.destroy still called.
- stop() rejects: error caught, super.destroy still called.
- Container already stopped: SIGTERM skipped, only storage cleanup runs.

Also localizes a beforeEach in the destroy describe block so the existing storage-cleanup tests run with running=false (they don't exercise the new polling branch and would otherwise wait the full 25s).

Fixes AD47 line references that drifted from the actual source positions (server.ts:62 to :64, session.ts:300-318 to :296-319).

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: nikolanovoselec <nikolanovoselec@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
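The graceful destroy() flow and the four polling-loop cases described in the commit above, as an added example written for this page rather than the project's own src/container/index.ts. SimContainer, the virtual clock, and the choice to always send the SDK's SIGKILL after a graceful attempt on a running container are assumptions; only the `running` and `stop(signal)` members the message names are modelled.

```typescript
export type Signal = "SIGTERM" | "SIGKILL";
export type Outcome = "already-stopped" | "graceful" | "timeout" | "stop-rejected";

// Hypothetical stand-in for the SDK container handle (not the real
// @cloudflare/containers API); only `running` and `stop(signal)` are modelled.
export class SimContainer {
  running: boolean;
  signals: Signal[] = [];            // every signal actually delivered
  private exitsAt = Infinity;        // virtual time at which SIGTERM takes effect
  private readonly termDelayMs: number;
  private readonly rejectTerm: boolean;
  constructor(running: boolean, termDelayMs = 0, rejectTerm = false) {
    this.running = running; this.termDelayMs = termDelayMs; this.rejectTerm = rejectTerm;
  }
  stop(signal: Signal, now: number): void {
    if (signal === "SIGTERM" && this.rejectTerm) throw new Error("stop rejected");
    this.signals.push(signal);
    if (signal === "SIGKILL") { this.running = false; return; } // uncatchable: no trap runs
    this.exitsAt = now + this.termDelayMs; // SIGTERM: trap runs the final bisync, then exits
  }
  tick(now: number): void { if (now >= this.exitsAt) this.running = false; }
}

export interface DestroyLog { storageCleared: boolean; hardKilled: boolean; waitedMs: number; warnings: string[] }

// Models the destroy() override: clear storage, SIGTERM, poll `running` for up
// to timeoutMs, then fall back to the SDK's SIGKILL (assumed to always run last
// when the container was running).
export function gracefulDestroy(c: SimContainer, timeoutMs = 25_000, pollMs = 500): [Outcome, DestroyLog] {
  const log: DestroyLog = { storageCleared: true, hardKilled: false, waitedMs: 0, warnings: [] };
  // Storage identifiers are cleared first so resurrection prevention is preserved.
  if (!c.running) return ["already-stopped", log]; // SIGTERM skipped, only storage cleanup ran
  let outcome: Outcome = "stop-rejected";
  let now = 0;
  try {
    c.stop("SIGTERM", now);
    while (c.running && now < timeoutMs) { // poll until the trap has exited or the budget is spent
      now += pollMs;
      c.tick(now);
    }
    log.waitedMs = now;
    outcome = c.running ? "timeout" : "graceful";
  } catch (err) {
    // Structured warning carrying the message string, not the raw Error object.
    log.warnings.push(err instanceof Error ? err.message : String(err));
  }
  c.stop("SIGKILL", now); // super.destroy() equivalent
  log.hardKilled = true;
  return [outcome, log];
}
```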
Commits
- e46ed2c Merge pull request #3867 from github/update-v4.35.3-8c6e48dbeb73d1d1Add changelog entry for #3853
- 24e0bb0 Reorder changelog entries
- ec298da Update changelog for v4.35.3
- 8c6e48d Merge pull request #3865 from github/update-bundle/codeql-bundle-v2.25.3
- 7190983 Add changelog note
- 2bb2095 Update default bundle to codeql-bundle-v2.25.3
- 7851e55 Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
- 262a15f Add generic non-printable chars test for OIDC configs
- a6109b1 Merge pull request #3853 from github/mbg/start-proxy/improved-checks