diff --git a/.claude/commands/release-ready.md b/.claude/commands/release-ready.md index 79c01a0..9712e8b 100644 --- a/.claude/commands/release-ready.md +++ b/.claude/commands/release-ready.md @@ -182,8 +182,7 @@ Manual package publishing is a high-risk activity that should be fully automated A project's security is only as strong as its weakest dependency. Proactively managing and monitoring dependencies for vulnerabilities is a critical aspect of modern software development. - **Vulnerability Scanning:** Recommend adding a scheduled GitHub Action or a CI step to run npm audit \--audit-level=high. This command scans the project's dependencies for known vulnerabilities and will fail the build if any high or critical severity issues are found, preventing vulnerable code from being deployed. -- **Automated Dependency Updates (Dependabot):** Check for the presence of a Dependabot configuration file at .github/dependabot.yml. Dependabot automates the process of keeping dependencies up-to-date by creating pull requests for new versions, which is a key practice for both security and maintenance. -- **Dependabot Configuration:** Analyze the dependabot.yml file for best practices. It should specify the correct package-ecosystem as npm and the directory as / (for the project root). To manage notification fatigue, recommend setting a reasonable schedule.interval (e.g., weekly) and consider using open-pull-requests-limit to prevent being overwhelmed by a large number of update PRs at once. +- **Dependency Management:** This project uses manual dependency updates rather than automated tools like Dependabot. This is documented in CONTRIBUTING.md and is acceptable for solo-maintained projects where automated PR overhead outweighs benefits. Security scanning via npm audit still runs in CI/CD. ## **Audit Section 6: Project Documentation and Community Health** diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index 141aad8..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,46 +0,0 @@ -version: 2 -updates: - # Enable version updates for npm - - package-ecosystem: 'npm' - directory: '/' - schedule: - interval: 'weekly' - day: 'monday' - time: '09:00' - timezone: 'America/New_York' - open-pull-requests-limit: 10 - reviewers: - - 'radleta' - assignees: - - 'radleta' - labels: - - 'dependencies' - - 'automated' - commit-message: - prefix: 'chore' - include: 'scope' - # Group minor and patch updates - groups: - development-dependencies: - dependency-type: 'development' - update-types: - - 'minor' - - 'patch' - production-dependencies: - dependency-type: 'production' - update-types: - - 'minor' - - 'patch' - - # Enable security updates for GitHub Actions - - package-ecosystem: 'github-actions' - directory: '/' - schedule: - interval: 'weekly' - day: 'monday' - open-pull-requests-limit: 5 - labels: - - 'dependencies' - - 'github-actions' - commit-message: - prefix: 'ci' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ee9fcf6..9aa5c2f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -44,12 +44,12 @@ jobs: - name: Install dependencies run: npm ci - - name: Run tests - run: npm test - - name: Build run: npm run build + - name: Run tests + run: npm test + - name: Publish to npm run: npm publish --provenance --access public env: diff --git a/CHANGELOG.md b/CHANGELOG.md index 01a672d..fbb467c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed + +- **CI/CD**: Fixed release workflow test/build order - build now runs before tests (integration tests require compiled `dist/` directory) + +### Removed + +- **Dependabot**: Removed automated dependency updates (excessive PR noise for solo-maintained project, see CONTRIBUTING.md Dependency Management section) + ## [1.1.0] - 2025-11-04 ### Added @@ -394,8 +402,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Better alignment with Node.js ESM best practices - **CI/CD Security**: Added automated security scanning - npm audit check runs on every CI build (fails on high/critical vulnerabilities) - - Dependabot configured for weekly npm and GitHub Actions updates - - Groups minor/patch updates to reduce PR noise - **Code Coverage**: Added Vitest coverage thresholds - Minimum 70% coverage required for lines, functions, branches, statements - Prevents coverage regression diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 7087463..229a6a7 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -143,6 +143,10 @@ npm run format npm run validate ``` +## Dependency Management + +This project uses **manual dependency management** (no Dependabot). Dependencies are updated in batches by maintainers. `npm audit` runs in CI/CD and fails on high/critical vulnerabilities. If you discover a vulnerability, open an issue. + ## Development Workflow ### 1. Fork and Clone