Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions .claude/commands/release-ready.md
Original file line number Diff line number Diff line change
Expand Up @@ -182,8 +182,7 @@ Manual package publishing is a high-risk activity that should be fully automated
A project's security is only as strong as its weakest dependency. Proactively managing and monitoring dependencies for vulnerabilities is a critical aspect of modern software development.

- **Vulnerability Scanning:** Recommend adding a scheduled GitHub Action or a CI step to run npm audit \--audit-level=high. This command scans the project's dependencies for known vulnerabilities and will fail the build if any high or critical severity issues are found, preventing vulnerable code from being deployed.
- **Automated Dependency Updates (Dependabot):** Check for the presence of a Dependabot configuration file at .github/dependabot.yml. Dependabot automates the process of keeping dependencies up-to-date by creating pull requests for new versions, which is a key practice for both security and maintenance.
- **Dependabot Configuration:** Analyze the dependabot.yml file for best practices. It should specify the correct package-ecosystem as npm and the directory as / (for the project root). To manage notification fatigue, recommend setting a reasonable schedule.interval (e.g., weekly) and consider using open-pull-requests-limit to prevent being overwhelmed by a large number of update PRs at once.
- **Dependency Management:** This project uses manual dependency updates rather than automated tools like Dependabot. This is documented in CONTRIBUTING.md and is acceptable for solo-maintained projects where automated PR overhead outweighs benefits. Security scanning via npm audit still runs in CI/CD.

## **Audit Section 6: Project Documentation and Community Health**

Expand Down
46 changes: 0 additions & 46 deletions .github/dependabot.yml

This file was deleted.

6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,12 +44,12 @@ jobs:
- name: Install dependencies
run: npm ci

- name: Run tests
run: npm test

- name: Build
run: npm run build

- name: Run tests
run: npm test

- name: Publish to npm
run: npm publish --provenance --access public
env:
Expand Down
10 changes: 8 additions & 2 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Fixed

- **CI/CD**: Fixed release workflow test/build order - build now runs before tests (integration tests require compiled `dist/` directory)

### Removed

- **Dependabot**: Removed automated dependency updates (excessive PR noise for solo-maintained project, see CONTRIBUTING.md Dependency Management section)

## [1.1.0] - 2025-11-04

### Added
Expand Down Expand Up @@ -394,8 +402,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Better alignment with Node.js ESM best practices
- **CI/CD Security**: Added automated security scanning
- npm audit check runs on every CI build (fails on high/critical vulnerabilities)
- Dependabot configured for weekly npm and GitHub Actions updates
- Groups minor/patch updates to reduce PR noise
- **Code Coverage**: Added Vitest coverage thresholds
- Minimum 70% coverage required for lines, functions, branches, statements
- Prevents coverage regression
Expand Down
4 changes: 4 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,10 @@ npm run format
npm run validate
```

## Dependency Management

This project uses **manual dependency management** (no Dependabot). Dependencies are updated in batches by maintainers. `npm audit` runs in CI/CD and fails on high/critical vulnerabilities. If you discover a vulnerability, open an issue.

## Development Workflow

### 1. Fork and Clone
Expand Down
Loading