v1.3.4 - Dependency updates, CI Health & Security patches #79
neverinfamous wants to merge 7 commits into main
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! | do-manager | 6d2cbf0 | Apr 06 2026, 12:17 PM |
Pull request overview
Release v1.3.4 focuses on dependency/security maintenance and CI hardening, along with documentation and small TypeScript/React cleanup changes across the frontend.
Changes:
- Updated npm dependencies and bumped project version to 1.3.4.
- Updated CI workflows/actions (Docker publish actions, TruffleHog tag) and Dependabot to include Docker ecosystem updates.
- Refined docs/release notes (README/DOCKER_README badges, CHANGELOG restructuring, added .env.example, added releases/v1.3.4.md).
Reviewed changes
Copilot reviewed 33 out of 34 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Version bump + dependency updates/overrides adjustments. |
| package-lock.json | Lockfile updated for new dependency graph. |
| vite.config.ts | Updated Rollup manualChunks to a function-based implementation (Vite/Rollup config). |
| tsconfig.app.json | Adjusted TS compiler options (notably path alias settings). |
| src/hooks/useSelection.ts | Minor typing/initialization cleanup. |
| src/components/features/*.tsx | Minor useState typing simplifications across multiple feature components. |
| README.md | Switched version badge to GitHub release-based badge; removed stale “Last Updated”. |
| DOCKER_README.md | Updated version badge + tightened intro; tag table generalized. |
| CHANGELOG.md | Rewritten/condensed changelog with v1.3.4 entry and links. |
| releases/v1.3.4.md | Added release notes for v1.3.4. |
| .env.example | Added environment template for local/container setup. |
| .github/workflows/docker-publish.yml | Updated Docker actions to newer major versions. |
| .github/workflows/secrets-scanning.yml | Switched TruffleHog ref from main to v3. |
| .github/dependabot.yml | Added Docker ecosystem updates. |
| UNRELEASED.md | Added placeholder “Unreleased” header. |
| .github/workflows/docs-drift-detector.md (deleted) | Removed agentic workflow definition. |
| .github/workflows/docs-drift-detector.lock.yml (deleted) | Removed generated lock workflow. |
| .github/workflows/dependency-maintenance.md (deleted) | Removed agentic workflow definition. |
| .github/workflows/dependency-maintenance.lock.yml (deleted) | Removed generated lock workflow. |
| .github/workflows/ci-health-monitor.md (deleted) | Removed agentic workflow definition. |
| .github/workflows/ci-health-monitor.lock.yml (deleted) | Removed generated lock workflow. |
| .github/workflows/agentics-maintenance.yml (deleted) | Removed gh-aw maintenance workflow. |
| /* Module Resolution */ | ||
| "forceConsistentCasingInFileNames": true, | ||
| "resolveJsonModule": true, | ||
| "esModuleInterop": true, | ||
| /* Path Aliases */ | ||
| "baseUrl": ".", | ||
| "paths": { | ||
| "@/*": ["./src/*"] | ||
| } |
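Review bot: the change around `"baseUrl": "."` next to the `"@/*": ["./src/*"]` mapping should be settled by a build check, not by reading the config. TypeScript 4.1 and later accepts `paths` without `baseUrl`, resolving each entry relative to the tsconfig file and requiring it to be a relative path, which `./src/*` already is. Gate the merge on a type-check and a production build so that an unresolved `@/…` import fails CI, and state in the commit message why `baseUrl` was touched.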
Removing baseUrl while keeping compilerOptions.paths will disable the @/* path alias (TypeScript only applies paths when baseUrl is set). This likely breaks builds since the codebase imports from @/… (e.g., src/components/ui/button.tsx). Reintroduce baseUrl (commonly ".") or otherwise restructure config so the alias remains active.
| - **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07 | ||
|
|
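Review bot: `CVE-2024-XXXX` in the picomatch bullet is a placeholder, not an identifier a reader can look up. Replace it with the advisory ID shown on the Dependabot alert (CVE or GHSA) together with the picomatch version that carries the fix, or drop the parenthetical, so that the Security entry of the changelog can be checked against the advisory it refers to.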
The 1.3.4 Security bullet and the ## [1.3.3] header are concatenated on the same line, which breaks the changelog markdown structure. Insert a newline before ## [1.3.3] - 2026-03-07 so the section renders correctly.
| - **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07 | |
| - **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX) | |
| ## [1.3.3] - 2026-03-07 |
| export function useSelection<T extends { id: string }>(): SelectionState<T> { | ||
| const [selectedIds, setSelectedIds] = useState<Set<string>>(new Set()); | ||
| const [selectedIds, setSelectedIds] = useState(new Set<string>()); | ||
|
|
useState(new Set<string>()) evaluates new Set() on every render (even though React only uses it on the initial mount). Consider using a lazy initializer (useState(() => new Set<string>())) to avoid unnecessary allocations, especially in a reusable hook.
v1.3.4
Highlights
CI/CD
- docker/build-push-action@v7, setup-buildx-action@v4, login-action@v4, metadata-action@v6) to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
- trufflesecurity/trufflehog to robust @v3 tag to avoid floating reference risks.
- docker package ecosystem to Dependabot configuration to receive base image updates.
Documentation
- DOCKER_README.md, and created .env.example.
Changed
Security
Compare: v1.3.3...v1.3.4
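
The action-pinning change listed under CI/CD can be checked mechanically across all workflows. The following is an added example, not part of this pull request or the project's code: a small Python audit that classifies every `uses:` reference by the shape of its ref. The sample workflow and its commit SHA are constructed, and telling a branch from a tag by name alone is a heuristic.

```python
import re

# Matches a step's `uses:` value, e.g. "uses: docker/login-action@v4"
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify_ref(ref: str) -> str:
    """Heuristic by ref shape: full commit SHA, version tag, or anything else."""
    if SHA_RE.match(ref):
        return "sha"        # immutable: the ref names one exact commit
    if TAG_RE.match(ref):
        return "tag"        # versioned, but a tag can be moved by the publisher
    return "floating"       # branch-like name such as main: changes on every push


def audit_workflow(text: str) -> list[tuple[str, str, str]]:
    """Return (action, ref, kind) for every remote `uses:` reference."""
    findings = []
    for target in USES_RE.findall(text):
        if target.startswith(("./", "docker://")):
            continue        # local actions and container images are out of scope
        action, _, ref = target.partition("@")
        findings.append((action, ref, classify_ref(ref) if ref else "floating"))
    return findings


# Constructed sample workflow; the SHA is a made-up placeholder, not a real commit.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: trufflesecurity/trufflehog@main
      - uses: trufflesecurity/trufflehog@v3
      - uses: docker/build-push-action@v7
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for action, ref, kind in audit_workflow(SAMPLE):
        print(f"{kind:8} {action}@{ref}")
```

A CI gate can fail on any `floating` finding and report `tag` findings as candidates for SHA pinning.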