chore(deps): upgrade dev deps to fix audit and bump 3.2.0 #27
Merged
Resolves all 14 npm audit vulnerabilities (7 high, 7 moderate) by
upgrading devDependencies. Runtime behavior unchanged — vulnerabilities
were only in build/test tooling, not distributed in the published package.
Upgrades:
- @typescript-eslint/{eslint-plugin,parser}: ^6.21.0 → ^8.59.0
- vitest, @vitest/coverage-v8, @vitest/ui: ^1.6.1 → ^4.1.5
- openapi-typescript: ^6.7.0 → ^7.13.0
Adapts scripts/generate-types.ts to openapi-typescript v7 (AST output via
astToString, URL input, Redocly config to tolerate legacy specs). Renames
duplicate operationId in nf-servico-v1.yaml — v6 silently merged the two
distinct operations under /external/{id} and /{id}; v7 correctly keeps
them separate. Migrates test signatures for vitest 4 (it() options arg
moved to second position, FormData mock uses function instead of arrow).
Bumps version 3.1.0 → 3.2.0 (minor) and adds CHANGELOG entry.
CI on Node 18 failed because vitest 4 depends on rolldown, which imports `styleText` from node:util — only available in Node 20+. Downgrade vitest, @vitest/coverage-v8 and @vitest/ui from ^4.1.5 to ^3.2.4. Vitest 3.2.4 supports Node 18 ^ 20 ^ >=22 and already ships with the patched esbuild via Vite, so npm audit remains at 0 vulnerabilities. Existing test changes (it(name, opts, fn) signature, FormData function mock) are forward-compatible with both 3.x and 4.x. Validated full pipeline (validate:spec, generate, lint, typecheck, build, test) under Node 18.20.8 and Node 24.13.1.
The job uses actions/github-script to post a PR comment with spec validation info, but failed with HTTP 403 "Resource not accessible by integration" because the default GITHUB_TOKEN permissions for the workflow were read-only. Scope the new permissions to this job only (least privilege) and keep `contents: read` for checkout — adding a `permissions:` block implicitly drops all other defaults to none.
📋 OpenAPI Spec Validation
✅ All specs validated and types generated successfully
Specs processed:
Generated types available as artifact in
Summary
- Fixes `npm audit` vulnerabilities (7 high, 7 moderate) in devDependencies — runtime SDK behavior is unchanged
- Bumps version 3.1.0 → 3.2.0 (minor) with CHANGELOG entry in Portuguese
- Adapts to `openapi-typescript` v7 (AST output, URL input, Redocly config) — fixes a real duplicate `operationId` in `nf-servico-v1.yaml` that v6 silently merged

Dependency upgrades (devDependencies only)

| Package | From | To |
| --- | --- | --- |
| @typescript-eslint/eslint-plugin | ^6.21.0 | ^8.59.0 |
| @typescript-eslint/parser | ^6.21.0 | ^8.59.0 |
| vitest | ^1.6.1 | ^3.2.4 |
| @vitest/coverage-v8 | ^1.6.1 | ^3.2.4 |
| @vitest/ui | ^1.6.1 | ^3.2.4 |
| openapi-typescript | ^6.7.0 | ^7.13.0 |

Spec change

`openapi/spec/nf-servico-v1.yaml`: renamed `operationId` of `GET /v1/companies/{company_id}/serviceinvoices/external/{id}` from `ServiceInvoices_idGet` → `ServiceInvoices_externalIdGet`. Resolves a real duplicate that v6 silently merged. Metadata-only change — does not affect API runtime behavior.

Possible type-level impact for consumers

Users referencing internal generated types (`operations["ServiceInvoices_idGet"]`) for the `/external/{id}` endpoint must switch to `operations["ServiceInvoices_externalIdGet"]`. Consumers using only `NfeClient` and its public methods are not affected.

Test plan

- `npm audit` reports 0 vulnerabilities
- `npm run validate:spec` — all 12 specs valid
- `npm run generate` — 7 specs generated successfully
- `npm run lint` — 0 errors (35 preexisting `any` warnings)
- `npm run typecheck` — passes
- `npm test -- --run` — 606 passed, 47 skipped
- `npm run build` — success (`dist/index.d.ts` 457 KB)