[Deps] Safe dependency updates (2026-02-25)

[github-actions]

Automated Safe Dependency Updates

This PR contains safe patch-level dependency updates verified to pass all existing tests.

Updated Dependencies

Package	Previous	Updated	Type
@commitlint/cli	20.4.1	20.4.2	patch
@commitlint/config-conventional	20.4.1	20.4.2	patch
@types/node	25.2.3	25.3.0	minor
@typescript-eslint/eslint-plugin	8.55.0	8.56.1	patch
@typescript-eslint/parser	8.55.0	8.56.1	patch
eslint	10.0.0	10.0.2	patch
glob	13.0.1	13.0.6	patch
typescript-eslint	8.55.0	8.56.1	patch

Security Fixes Included

No HIGH/CRITICAL vulnerabilities were found. One MODERATE vulnerability (ajv ReDoS, GHSA-2g4f-4pwh-qvx6) was identified in a transitive dev dependency — not directly fixable without major version bumps.

Skipped Updates (Major Version Changes)

The following packages have newer major versions with breaking changes and were excluded:

• chalk: 4.x → 5.x (ESM-only breaking change)
• commander: 12.x → 14.x (major)
• eslint-plugin-security: 3.x → 4.x (major)
• execa: 5.x → 9.x (major)

Verification

• All tests pass (792 passing, 3 pre-existing failures unrelated to these updates)
• No breaking changes detected
• All updates are within existing semver ranges in package.json

---

Generated by Dependency Security Monitor Workflow

AI generated by Dependency Security Monitor

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.30%	82.45%	📈 +0.15%
Statements	82.23%	82.37%	📈 +0.14%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.46%	74.55%	📈 +0.09%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.2% → 83.8% (+0.55%)	82.5% → 83.0% (+0.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR contains automated safe dependency updates for development dependencies, primarily patch-level updates that stay within existing semver ranges defined in package.json. The updates include linting tools (commitlint, typescript-eslint, eslint), type definitions (@types/node), and the glob package.

Changes:

• Updated 8 devDependency packages to their latest patch/minor versions (commitlint, typescript-eslint, eslint, glob, @types/node)
• Updated transitive dependencies (acorn, ajv, minimatch, eslint-scope, espree, minipass, path-scurry, undici-types) to support the main package updates
• Deduplicated fdir package by moving it from nested location under tinyglobby to top-level node_modules

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
package.json	Updated glob from ^13.0.1 to ^13.0.6 (explicit minimum version bump)
package-lock.json	Updated locked versions for 8 direct devDependencies and their transitive dependencies; deduplicated fdir package

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The package.json shows glob updated to ^13.0.6, but the PR description mentions several other packages (commitlint, typescript-eslint, @types/node, eslint) that were also updated in package-lock.json. For consistency and to document the minimum tested versions, consider updating all explicitly updated packages in package.json (e.g., @commitlint/cli to ^20.4.2, @typescript-eslint/eslint-plugin to ^8.56.1, etc.), not just glob.

[github-actions]

Build Test: Bun Results ✅

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS

Tested with Bun v1.3.9

Generated by Build Test Bun for issue #1027

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

Generated by Build Test Deno for issue #1027

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: ✅ PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1027

[github-actions]

Smoke Test Results

Merged PRs: #1026 feat: unify API proxy sidecar into Squid proxy container | #1025 docs: add sandbox design rationale (Docker vs microVMs)

Test	Result
GitHub MCP (last 2 merged PRs)	✅
Playwright (github.com title check)	✅
File write (smoke-test-claude-22409306434.txt)	✅
Bash verification (cat file)	✅

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1027

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: ✅ PASS

All C++ projects configured and built successfully.

Generated by Build Test C++ for issue #1027

[github-actions]

🟢 Build Test: Node.js — PASS

Project	Install	Tests	Status
clsx	✅	PASS	✅ PASS
execa	✅	PASS	✅ PASS
p-limit	✅	PASS	✅ PASS

Overall: PASS ✅

Generated by Build Test Node.js for issue #1027

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.13.1	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all versions matched. Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1027