From 76ebdbd19e5537312170a539b99e8faacb6c6625 Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 23 Apr 2026 19:12:08 +0200
Subject: [PATCH 1/2] fix(npm-audit-autofix): always run audit fix without --omit=dev
Running npm audit fix --omit=dev removes all dev dependencies from node_modules without writing them back to package-lock.json, causing git diff to see no changes even when 920+ packages were removed. The audit step still respects omit_dev for read-only audit checks.
---
.github/workflows/npm-audit-autofix.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/npm-audit-autofix.yml b/.github/workflows/npm-audit-autofix.yml
index c70c5de..87f7179 100644
--- a/.github/workflows/npm-audit-autofix.yml
+++ b/.github/workflows/npm-audit-autofix.yml
@@ -72,7 +72,7 @@ jobs: - name: npm audit fix run: | set +e - npm audit fix${{ inputs.omit_dev && ' --omit=dev' || '' }} + npm audit fix set -e - name: check for changes
From 124c3219e8acef4fdb8adb888e926b97ef43f69e Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 23 Apr 2026 19:25:59 +0200
Subject: [PATCH 2/2] chore(deps): update aquasecurity/trivy-action to v0.36.0 and astral-sh/setup-uv to v8.1.0
---
.github/workflows/security-scan-artifacts.yml | 2 +-
.github/workflows/test-and-build.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/security-scan-artifacts.yml b/.github/workflows/security-scan-artifacts.yml
index d918706..2c25c80 100644
--- a/.github/workflows/security-scan-artifacts.yml
+++ b/.github/workflows/security-scan-artifacts.yml
@@ -85,7 +85,7 @@ jobs: - name: trivy filesystem scan id: trivy-fs if: ${{ inputs.artifact_path != '' && steps.check-artifact.outputs.exists == 'true' }} - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@v0.36.0 with: scan-type: "fs" scan-ref: "${{ inputs.artifact_path }}"
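Review bot: The unconditional `npm audit fix` now rewrites devDependencies in package-lock.json even when `inputs.omit_dev` is set, so the diff picked up by the `check for changes` step can include dev-dependency updates that the read-only audit step (which, per the description, still honours omit_dev) never reported, and nothing in the step itself records why the flag is ignored here. A comment above the command would stop a later cleanup from reintroducing it, e.g. `# omit_dev is deliberately not passed: npm audit fix --omit=dev prunes dev deps from node_modules without rewriting package-lock.json, so the diff check below sees nothing`. The `set +e` … `set -e` bracket around the command also hides registry or network failures of `npm audit fix`, which then look identical to "no fixes available"; `npm audit fix || echo "::warning::npm audit fix exited non-zero"` keeps the step non-fatal while leaving a trace in the log. The job containing this step begins before the hunk.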
diff --git a/.github/workflows/test-and-build.yml b/.github/workflows/test-and-build.yml
index baf6b7d..0c412c6 100644
--- a/.github/workflows/test-and-build.yml
+++ b/.github/workflows/test-and-build.yml
@@ -156,7 +156,7 @@ jobs: ${{ inputs.root_dir }}/yarn.lock ${{ inputs.root_dir }}/pnpm-lock.yaml - - uses: astral-sh/setup-uv@v7 + - uses: astral-sh/setup-uv@v8.1.0 if: ${{ inputs.tool == 'uv' }} with: enable-cache: true