chore: Dependency updates, security fixes, and docs improvements #156

Open
TheRealAgentK wants to merge 8 commits into main from chore/kk/fixes-and-improvements

Conversation

@TheRealAgentK

chore: Dependency updates, security fixes, and docs improvements

Description 📝

  • Purpose: Address all open Dependabot PRs, resolve security vulnerabilities, fix a documentation bug, and add an AGENTS.md project guide.
  • Approach: Batch all dependency updates into a single branch rather than merging 5 separate Dependabot PRs. Run npm audit fix for transitive security fixes.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

Updates

👉 DevDependency bumps — Supersedes Dependabot PRs #151, #152, #153, #154, #155:

  • @types/node: ^25.0.3 → ^25.3.0
  • express: ^5.1.0 → ^5.2.1
  • prettier: ^3.3.2 → ^3.8.1
  • tap: ^21.1.0 → ^21.6.2
  • typescript-eslint: ^8.39.0 → ^8.56.0
  • eslint-plugin-tsdoc: ^0.4.0 → ^0.5.0 (aligned with raygun4node)
  • @stylistic/eslint-plugin: ^5.1.0 → ^5.9.0

👉 Security fixes — Resolves 17 of 36 npm audit vulnerabilities via npm audit fix:

  • body-parser DoS, diff/jsdiff DoS, glob CLI command injection, js-yaml prototype pollution, qs arrayLimit DoS, tar hardlink/symlink path traversal
  • Remaining 19 vulns are in the eslint 9.x transitive dependency tree (ajv v6, minimatch) and require eslint 10 (breaking change) to resolve

👉 Runtime dependency bumps:

  • @types/aws-lambda: ^8.10.138 → ^8.10.160
  • raygun: ^2.0.0 → ^2.2.4

👉 Docs:

  • Fix incorrect import path in README (@raygun/aws-lambda → @raygun.io/aws-lambda)
  • Add AGENTS.md with project guide and raygun4node integration notes

Test plan 🧪

  • Clean install (rm -rf node_modules build && npm ci) builds successfully
  • All 13 tests pass (npm test)
  • ESLint passes (npm run eslint and npm run tseslint)
  • Prettier passes (npm run prettier -- --check)
  • No changes to source code in lib/ — only dependency and documentation changes

Author to check 👓

  • Project and all contained modules builds successfully
  • Self-/dev-tested
  • Unit/UI/Automation/Integration tests provided where applicable
  • Code is written to standards
  • Appropriate documentation written (code comments, internal docs)

Reviewer to check ✔️

  • Project and all contained modules builds successfully
  • Change has been dev-/reviewer-tested, where possible
  • Unit/UI/Automation/Integration tests provided where applicable
  • Code is written to standards
  • Appropriate documentation written (code comments, internal docs)
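The split the description above reports (17 advisories resolved by `npm audit fix`, 19 left behind a semver-major eslint bump) can be derived mechanically from `npm audit --json`. The script below is an added example, not code from this repository or from this PR: it reads an npm v7+ audit report (auditReportVersion 2), sorts each entry by its `fixAvailable` field into what `npm audit fix` resolves, what needs a breaking major bump, and what has no fix at all, and separates root advisories (entries whose `via` holds advisory objects) from packages that only inherit a vulnerability transitively, so a long `effects` chain is not mistaken for many distinct bugs. The embedded report is constructed to mirror the shape of the real format; its package names, versions, titles and URLs are placeholders and it is not this repository's audit output.

```javascript
// Added example, not code from the repository or PR discussed on this page.
// Triage an `npm audit --json` report (auditReportVersion 2, npm >= 7).

// Constructed sample shaped like a real report. Titles, URLs, ranges and the
// "example-unmaintained" package are placeholders, not real advisories.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "body-parser": {
      name: "body-parser", severity: "high", isDirect: false,
      via: [{ title: "Denial of service (constructed)", url: "https://example.invalid/a" }],
      effects: ["express"], range: "<1.20.3", nodes: ["node_modules/body-parser"],
      fixAvailable: true, // plain `npm audit fix` resolves it
    },
    qs: {
      name: "qs", severity: "high", isDirect: false,
      via: [{ title: "arrayLimit DoS (constructed)", url: "https://example.invalid/b" }],
      effects: ["express"], range: "<6.14.0", nodes: ["node_modules/qs"],
      fixAvailable: true,
    },
    ajv: {
      name: "ajv", severity: "moderate", isDirect: false,
      via: [{ title: "Prototype pollution (constructed)", url: "https://example.invalid/c" }],
      effects: ["eslint"], range: "<6.12.3", nodes: ["node_modules/ajv"],
      // Only fixable by moving the top-level eslint across a major version.
      fixAvailable: { name: "eslint", version: "10.0.0", isSemVerMajor: true },
    },
    minimatch: {
      name: "minimatch", severity: "high", isDirect: false,
      via: [{ title: "ReDoS (constructed)", url: "https://example.invalid/d" }],
      effects: ["eslint"], range: "<3.0.5", nodes: ["node_modules/minimatch"],
      fixAvailable: { name: "eslint", version: "10.0.0", isSemVerMajor: true },
    },
    eslint: {
      // Transitive entry: `via` holds package names (strings), not advisories.
      name: "eslint", severity: "high", isDirect: true,
      via: ["ajv", "minimatch"], effects: [], range: "<=9.99.0",
      nodes: ["node_modules/eslint"],
      fixAvailable: { name: "eslint", version: "10.0.0", isSemVerMajor: true },
    },
    "example-unmaintained": {
      name: "example-unmaintained", severity: "low", isDirect: true,
      via: [{ title: "No patched release (constructed)", url: "https://example.invalid/e" }],
      effects: [], range: "*", nodes: ["node_modules/example-unmaintained"],
      fixAvailable: false, // nothing `npm audit fix` can do
    },
  },
};

// Bucket one entry by its `fixAvailable` field:
//   true                      -> `npm audit fix` applies it
//   {isSemVerMajor: true}     -> needs --force or a manual major bump
//   {isSemVerMajor: false}    -> non-major bump of a parent, still auto-fixable
//   false                     -> no fix published
function classify(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return "fixable";
  if (fix && typeof fix === "object") return fix.isSemVerMajor ? "breaking" : "fixable";
  return "unfixable";
}

// An entry carries its own advisory when `via` contains an object; a `via`
// made only of strings means it merely depends on another vulnerable package.
function isRootVulnerability(entry) {
  return entry.via.some((v) => typeof v === "object");
}

function triageAudit(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error("expected auditReportVersion 2 (npm >= 7); run `npm audit --json`");
  }
  const out = { fixable: [], breaking: [], unfixable: [], breakingRoots: [], requiredMajorBumps: [] };
  const bumps = new Set();
  for (const entry of Object.values(report.vulnerabilities)) {
    const bucket = classify(entry);
    out[bucket].push(entry.name);
    if (bucket === "breaking") {
      bumps.add(`${entry.fixAvailable.name}@${entry.fixAvailable.version}`);
      if (isRootVulnerability(entry)) out.breakingRoots.push(entry.name);
    }
  }
  for (const key of ["fixable", "breaking", "unfixable", "breakingRoots"]) out[key].sort();
  out.requiredMajorBumps = [...bumps].sort();
  return out;
}

function formatTriage(t) {
  const list = (a) => (a.length ? a.join(", ") : "-");
  return [
    `npm audit fix resolves ${t.fixable.length}: ${list(t.fixable)}`,
    `semver-major bump needed for ${t.breaking.length} (${list(t.requiredMajorBumps)}); root packages: ${list(t.breakingRoots)}`,
    `no fix for ${t.unfixable.length}: ${list(t.unfixable)}`,
  ].join("\n");
}

// Usage: `npm audit --json > audit.json && node triage.js audit.json`;
// with no argument the constructed sample above is triaged.
if (typeof require !== "undefined" && require.main === module) {
  const report = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_AUDIT;
  console.log(formatTriage(triageAudit(report)));
}
```

On a project like this one, where the entries that survive `npm audit fix` all sit under devDependencies, running `npm audit --omit=dev --json` first shows what actually ships to the Lambda runtime before deciding whether the breaking bump is worth taking now. The field shapes assumed here (`fixAvailable` as `true`, `false` or `{name, version, isSemVerMajor}`, `via` mixing strings and advisory objects) are those of current npm; check them against your npm version's output if the script reports everything as unfixable.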

…-eslint

Update devDependencies to latest versions:
- @types/node: ^25.0.3 → ^25.3.0
- express: ^5.1.0 → ^5.2.1
- prettier: ^3.3.2 → ^3.8.1
- tap: ^21.1.0 → ^21.6.1
- typescript-eslint: ^8.39.0 → ^8.56.0

Supersedes Dependabot PRs #151, #152, #153, #154, #155.
npm audit fix resolves 17 vulnerabilities:
- body-parser DoS (GHSA-wqch-xfxh-vrr4)
- diff/jsdiff DoS (GHSA-73rr-hh4g-fpgx)
- glob CLI command injection (GHSA-5j98-mcp5-4vw2)
- js-yaml prototype pollution (GHSA-mh29-5h37-fv8m)
- qs arrayLimit DoS (GHSA-6rw7-vpxm-498p, GHSA-w7fw-mjwx-w883)
- tar hardlink/symlink path traversal (GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v,
  GHSA-83g3-92jg-28cx, GHSA-8qq5-rm4j-mr97)

Remaining 19 vulns are in eslint/typescript-eslint/tsdoc transitive deps
(ajv, minimatch) and require eslint 10 (breaking change) to fully resolve.

The import example used @raygun/aws-lambda but the actual
package name is @raygun.io/aws-lambda.

- eslint-plugin-tsdoc: ^0.4.0 → ^0.5.0 (align with raygun4node)
- @stylistic/eslint-plugin: ^5.1.0 → ^5.9.0
- tap: ^21.6.1 → ^21.6.2

Copilot AI left a comment

Pull request overview

This PR consolidates multiple Dependabot dependency updates into a single change, addresses security vulnerabilities, fixes a documentation bug in the README, and adds a new AGENTS.md guide for AI-assisted development. The changes primarily focus on keeping dependencies current while maintaining backward compatibility—no source code in lib/ has been modified.

Changes:

  • Updated 7 devDependencies and 2 runtime dependencies to their latest minor/patch versions
  • Fixed incorrect package import path in README from @raygun/aws-lambda to @raygun.io/aws-lambda
  • Added comprehensive AGENTS.md documentation covering project structure, conventions, and raygun4node integration details

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File Description
package.json Bumped devDependencies (@stylistic/eslint-plugin, @types/node, eslint-plugin-tsdoc, express, prettier, tap, typescript-eslint) and runtime dependencies (@types/aws-lambda, raygun) to latest versions
README.md Corrected package import path from incorrect @raygun/aws-lambda to correct @raygun.io/aws-lambda
AGENTS.md Added new AI agents guide documenting project overview, repository structure, build/development processes, code conventions, key patterns, and raygun4node integration details
Comments suppressed due to low confidence (1)

AGENTS.md:45

  • The reference to "../raygun4node in the workspace" is inaccurate. This project is not part of a workspace, and the raygun package is a runtime dependency installed from npm (as shown in package.json), not a local sibling directory. Consider revising to: "This package is a lightweight wrapper around the raygun Node.js client (installed from npm as a runtime dependency)."
This package is a lightweight wrapper around the `raygun` Node.js client (`../raygun4node` in the workspace).
