* chore(deps-dev): bump oxlint-tsgolint from 0.14.2 to 0.22.1
Bumps [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) from 0.14.2 to 0.22.1.
- [Release notes](https://github.com/oxc-project/tsgolint/releases)
- [Commits](https://github.com/oxc-project/tsgolint/compare/v0.14.2...v0.22.1)
---
updated-dependencies:
- dependency-name: oxlint-tsgolint
dependency-version: 0.22.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore: Switch tsconfig to bundler resolution for tsgolint 0.22.1
oxlint-tsgolint 0.22.1 removed support for moduleResolution=node10
(the alias for "node"). Switch to "bundler" with resolvePackageJsonExports
disabled so packages whose exports field omits a types condition still
resolve. Update markdown-it type imports to sub-paths since the package's
.d.mts entry only re-exports a subset of named types.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Resolve type-aware lint errors caught by tsgolint 0.22.1
oxlint-tsgolint 0.22.1 catches several await-thenable, no-floating-promises,
and no-meaningless-void-operator cases the prior 0.14.2 missed:
- Drop redundant inner `await` from Promise.all([await x, await y]) call sites
so the array entries are real Promises rather than already-resolved values.
- Replace Promise.all wrappers around synchronous presenters (presentEvent,
presentTemplate, presentPublicTeam) with plain map / direct calls.
- Wrap non-promise branches of ternaries inside Promise.all with
Promise.resolve so the array remains thenable across both arms.
- Add `void` to the unawaited provider.connect() in the auth-failed retry
chain, and remove `void` from the disconnect() call which returns void.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The "js-yaml": "^4.1.1" resolution is now a no-op — every package that
requests js-yaml in the dep graph already asks for ^4.1.0 or ^4.1.1, both
of which naturally resolve to 4.1.1. Removing the resolution does not
change any installed version.
Audited the remaining resolutions; all still prevent a lower version from
being installed (or are intentional dedupe pins for @types/* and
prosemirror-transform per #12304, plus the i18next-parser compatibility
pin from #12307).
Co-authored-by: Claude <noreply@anthropic.com>
i18next-parser 8.13.0 used a default import for cheerio, which broke
when cheerio dropped its default export. 9.x switched to a namespace
import. Pin the parser's transitive i18next to ^23.16.8 so plural keys
continue to be emitted in compatibilityJSON v3 format expected by the
runtime (i18next 22.5.1).
* chore(deps): Remove resolutions that no longer prevent downgrades
Audited each resolution by removing it and running yarn install to check
whether any package would resolve to a lower version. Removed 31 entries
that were no-ops because the natural resolution already satisfies (or
exceeds) the resolution target — caret ranges that npm now publishes a
matching or higher version for, and one fast-xml-parser pin where the
underlying dependency moved.
Kept 13 entries: those that still prevent a regression, plus the @types/*
and prosemirror-transform pins that exist to dedupe transitive copies
against the project's own pinned versions.
* chore(deps): Bump @babel/preset-env to 7.29.5 to address GHSA-fv7c-fp4j-7gwp
@babel/plugin-transform-modules-systemjs <=7.29.3 generates arbitrary
code when compiling malicious input. Upgrading @babel/preset-env to
^7.29.5 brings in the patched ^7.29.4 transitively.
---------
Co-authored-by: Claude <noreply@anthropic.com>
* wip
* Remove obsolete snapshots
* simplify
* chore(test): Convert mocks to TypeScript and tighten fetch mock types
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Remove unneccessary patches
* Migrate to msw instead of custom fetch mock
* Address PR review comments
- Split chained vi.useFakeTimers().setSystemTime() into separate calls.
- Switch test setup to dynamic imports so EventEmitter.defaultMaxListeners
assignment runs before module init (static imports were hoisted above it).
- Drop redundant NODE_ENV guard in monkeyPatchSequelizeErrorsForJest; its
sole caller already gates on env.isTest.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Replace lodash with es-toolkit
Migrate all direct lodash imports to es-toolkit/compat for a smaller,
faster, lodash-compatible utility library. Transitive lodash usage from
other packages remains unchanged.
* fix: Restore isPlainObject semantics in CanCan policy
The lodash migration aliased `isObject` to `lodash/isPlainObject` and
the codemod incorrectly mapped the local name to es-toolkit's `isObject`,
which also returns true for arrays and functions. This caused condition
objects in policy definitions to be skipped, breaking authorization
checks across the codebase.
* fix: Restore unicode-aware length counting in validators
es-toolkit/compat's size() returns string.length, while lodash's _.size()
counts unicode code points. Switch to [...value].length to preserve the
previous behavior so multi-byte characters like emoji count as one.
* chore: Vendor request-filtering-agent
* fix: honor fetch timeout and undefined allow list in proxy pre-flight
Default allowIPAddressList to [] so an unset ALLOWED_PRIVATE_IP_ADDRESSES
env var doesn't overwrite the agent's default and crash on .length, and
race the pre-flight DNS lookup against the request's abort signal so the
configured fetch timeout applies to slow DNS resolution.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore(deps-dev): bump oxlint-tsgolint from 0.1.6 to 0.21.1
Bumps [oxlint-tsgolint](https://github.com/oxc-project/tsgolint) from 0.1.6 to 0.21.1.
- [Release notes](https://github.com/oxc-project/tsgolint/releases)
- [Commits](https://github.com/oxc-project/tsgolint/compare/v0.1.6...v0.21.1)
---
updated-dependencies:
- dependency-name: oxlint-tsgolint
dependency-version: 0.21.1
dependency-type: direct:development
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore: Adjust lint config for newer oxlint-tsgolint
Pin oxlint to 1.50.0 and oxlint-tsgolint to 0.14.2. Older oxlint
can't parse newer tsgolint diagnostic payloads, and tsgolint >=0.15
rejects moduleResolution: "node" — moving off it requires either
"bundler" (currently breaks @hocuspocus@1.1.3 typings, which lack a
types condition in their package.json exports) or "node16"/"nodenext"
(would require explicit .js extensions on every relative import).
Add per-package ignorePatterns since they no longer propagate from
the root config when nested configs are present.
Drop tsconfig baseUrl (typescript-go in tsgolint rejects it) and add
a plugins/* path alias so cross-plugin imports keep resolving. The
babel resolver is switched from babel-plugin-tsconfig-paths-module-
resolver (which required baseUrl) to babel-plugin-module-resolver
with explicit aliases.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Tom Moor <tom@getoutline.com>
Drops nine global resolutions whose versions are already produced by
yarn's natural resolution: @hocuspocus/server, fengari, d3, node-fetch,
socket.io-parser, @xmldom/xmldom, tar, @hono/node-server, and underscore.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Pin lodash and lodash-es to ^4.18.1 via resolutions so transitive deps
pick up the patched versions, then drop the advisory ID.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Resolve minimatch ReDoS advisories via dep bumps and resolutions
Bump glob (8→11), rimraf (2→6), babel-jest, jest-environment-jsdom (29→30),
and lint-staged (13→16) to drop several vulnerable transitive chains. Pin
remaining minimatch and brace-expansion descriptors via resolutions so all
in-tree copies are on their latest patched release. Removes 9 ignored
advisory IDs from .yarnrc.yml.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* fix: Make routeHelpers.urlify origin testable for jsdom 26
jsdom 26 (jest-environment-jsdom@30) makes window.location and
location.origin non-configurable, breaking the previous test that
redefined them via Object.defineProperty.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* chore: Align jest-cli to ^30.3.0 with other jest packages
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
* First pass
* Remove prop drilling, fix comment layout
* Revert dev:watch to use dev:backend
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
The autotrack npm package is no longer maintained. Vendor the three
plugins we use (eventTracker, outboundLinkTracker, urlChangeTracker)
and their dom-utils dependencies into a single local JS file.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* chore: Patch upgrade all dependencies and fix type issues
Upgrades 38 packages to latest patch versions. Dedupes prosemirror-view
and @bull-board/api to fix type conflicts, pins @types/markdown-it to
14.1.1 via resolutions (14.1.2 has a breaking type change), and removes
an unused @ts-expect-error in mark.ts.
Also fixes npmMinimalAgeGate from 86400 to 1440 — the unit is minutes
not seconds, so it was blocking any package published in the last 60
days instead of 24 hours.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: Update resolutions to match bumped dependency versions
Syncs @types/react (17.0.75 → 17.0.91), @hocuspocus/server (1.1.2 →
1.1.3), and prosemirror-transform (1.10.0 → 1.10.5) in the resolutions
field to match the upgraded versions in dependencies/devDependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* chore: Update modelcontextprotocol
* fix: Restore native Web API classes after jest-fetch-mock setup
jest-fetch-mock replaces globalThis.Response with a cross-fetch polyfill
that doesn't support Web Streams (ReadableStream bodies become Buffers).
The MCP SDK's @hono/node-server adapter calls response.body.getReader()
which fails with the polyfilled Response. Since dontMock() is already
called, preserving the native classes is the correct behavior.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Adds a yarn resolution to upgrade the transitive dependency
fast-xml-parser to 5.5.7, resolving a security vulnerability.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
dependabot[bot]