From b7d6ff14aa8344ead738496aa70ca5a15026ec51 Mon Sep 17 00:00:00 2001 From: ancplua Date: Fri, 3 Jul 2026 05:48:43 +0200 Subject: [PATCH] docs: mark Dependabot/v0.2.2 task complete in .claude/TASK.md Checklist was stale (IN PROGRESS with open boxes) while PR #80 had merged and v0.2.2 shipped to both registries. Re-verified 2026-07-03: npm & NuGet at 0.2.2, publish run green, 0 open Dependabot alerts. Co-Authored-By: Claude Fable 5 --- .claude/TASK.md | 58 +++++++++++++++++++++++-------------------------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/.claude/TASK.md b/.claude/TASK.md index 4b645f6..f545865 100644 --- a/.claude/TASK.md +++ b/.claude/TASK.md @@ -1,39 +1,35 @@ # TASK — Resolve all 6 Dependabot alerts → clean-tree release v0.2.2 (npm + NuGet) -Status: **IN PROGRESS** (started 2026-06-30). Prior task (synced OIDC trusted publishing, v0.2.1) -is COMPLETE & VERIFIED — see git history / PRs #64,#66,#70,#74-#78. +Status: **COMPLETE & VERIFIED** (2026-06-30; re-verified 2026-07-03). Prior task (synced OIDC +trusted publishing, v0.2.1) also COMPLETE — see git history / PRs #64,#66,#70,#74-#78. -## End goal -`ANcpLua/qyl-api-schema` shows **0 open** "Security and quality" (Dependabot) alerts, and a new +No task is currently in progress in this repo. + +## End goal — MET +`ANcpLua/qyl-api-schema` shows **0 open** "Security and quality" (Dependabot) alerts, and the dual-registry release **v0.2.2** is published (npm `@ancplua/qyl-api-schema` + NuGet `Qyl.Api.Contracts`), both live and lockstep. -## Context (verified 2026-06-30) -6 open alerts, all **transitive npm dev/build-tooling deps** in committed lockfiles — NOT deps that -reach consumers (shipped artifacts are `.tsp` files for npm + generated C# DTOs for the NuGet): -- `tar` <= 7.5.15 (patched 7.5.16; latest 7.5.19) — via `@typespec/compiler@1.13.0` (`tar: ^7.5.13`) - - root `package-lock.json` (#22), `emitters/csharp` (#15), `emitters/ts-types` (#19), `emitters/otelconventions-lint` (#18) -- `vite` 8.0.0-8.0.15 (patched 8.0.16) — via `vitest` (`vite: ^6||^7||^8`) - - `emitters/otelconventions-lint` (#16 HIGH 8.2, #17 MOD 5.5). Root already has vite 8.1.0 (clean). - -Both parent ranges are carets → `npm update --package-lock-only` moves the pins; no `overrides` needed. - -## Versioning (DO NOT hand-bump) -Tag-derived (CI-owned, commit 35c956c). `package.json` = `0.0.0-development`; csproj reads package.json -at pack time; `publish.yml` stamps BOTH npm + NuGet from the git tag. So the ONLY version action is -creating the `v0.2.2` tag/release. No version files change in the PR. +## Evidence (verified 2026-07-03) +- PR #80 (lockfile tar & vite bumps) merged to main. +- GitHub Release v0.2.2 published 2026-06-30T13:54:58Z; `publish.yml` run "v0.2.2 — resolve all + 6 Dependabot alerts": success. +- npmjs `@ancplua/qyl-api-schema` dist-tag latest = 0.2.2; nuget.org `Qyl.Api.Contracts` + index lists 0.2.2. +- Dependabot open alerts: 0. -## Plan / checklist -- [x] Branch `fix/dependabot-tar-vite-lockfiles` off green main (main currently green @ d38826f) -- [ ] Bump `tar` in 4 lockfiles + `vite` in otelconventions-lint via per-dir `npm update --package-lock-only` -- [ ] Verify minimal diff (only tar/vite moved) + resolved versions >= patched in EVERY lockfile -- [ ] Verify emitter lockfiles independently (root `npm ci` does NOT exercise them) -- [ ] Local `npm ci` + `npm run build:emitters` + `npm run lint` + `npm run lint:public` green (or rely on Nuke CI) -- [ ] Commit, push, open PR (honest dev-dep framing) -- [ ] CodeRabbit + Nuke `./build.sh Check` CI green → merge (public repo, contract-authorized) -- [ ] Tag + GitHub Release **v0.2.2** → publish.yml fires (NuGet first, npm last) -- [ ] Watch publish run to green; verify npm 0.2.2 AND NuGet 0.2.2 live; all 6 alerts CLOSED +## Checklist — all done +- [x] Branch `fix/dependabot-tar-vite-lockfiles` off green main +- [x] Bump `tar` in 4 lockfiles + `vite` in otelconventions-lint via per-dir `npm update --package-lock-only` +- [x] Verify minimal diff + resolved versions >= patched in every lockfile +- [x] Verify emitter lockfiles independently +- [x] Local build/lint gates green +- [x] Commit, push, PR #80 (honest dev-dep framing) +- [x] CodeRabbit + Nuke CI green → merged +- [x] Tag + GitHub Release v0.2.2 → publish.yml fired (NuGet first, npm last) +- [x] Publish run green; npm 0.2.2 AND NuGet 0.2.2 live; all 6 alerts CLOSED -## Honest framing -Resolves 6 Dependabot **dev-dependency** lockfile alerts. Clean-tree release, NOT a patch of a -vulnerability reaching consumers. PR/release body must not over-claim. +## Versioning (still true — DO NOT hand-bump) +Package version is tag-derived and CI-owned: `package.json` stays `0.0.0-development`, the csproj +carries no ``, and `publish.yml` stamps both registries from the git tag. The only +version action for a release is creating the tag/GitHub Release.