
chore: refresh dependency and upstream docs#24

Merged

imjlk merged 3 commits into main from codex/dependency-ci-upstream-refresh on Jun 17, 2026

Conversation

@imjlk (Owner) commented Jun 17, 2026

Summary

Key Changes

  • Bumps Codecov Action to codecov/codecov-action@v7.
  • Updates the root Astro catalog to ^6.4.7, docs app Starlight to ^0.40.0, Sharp to ^0.35.1, and tooling including Wrangler to ^4.101.0.
  • Regenerates bun.lock with Bun.
  • Adds package overrides for patched transitive build/dev dependencies reported by bun audit.
  • Replaces stale inline audit ignores with scripts/security-audit.ts, currently ignoring only the unpatched high picomatch advisory GHSA-c2c7-rcm5-vvqj from astro -> unstorage -> anymatch.
  • Updates Gravatar docs for profile API limits, avatar limit scope, primary-email-hash profile lookup behavior, /oembed, QR size/s alias behavior, and 0.gravatar.com/avatar examples.

Notes

  • No public runtime API/type changes.
  • No Sampo changeset, since this only refreshes dependencies, CI audit handling, and docs.
  • bun run security:check:strict still fails by design on residual picomatch@2.3.1 advisories only; bun pm why picomatch confirms the vulnerable 2.x instance is from astro -> unstorage -> anymatch.

Test Plan

  • bun run lint
  • bun run format:check
  • bun run typecheck
  • bun run test
  • bun run test:coverage
  • bun run build:package
  • cd apps/astro-gravatar.and.guide && bun run build
  • bun run pages:check
  • bun run security:check
  • bun run security:check:strict (expected failure: residual picomatch only)
  • cd packages/astro-gravatar && bun pm pack --dry-run

Closes #21.
Closes #22.
Closes #23.
Refs #17.

Summary by CodeRabbit

  • Documentation
    • Refreshed the authentication guide with clearer API key types and updated rate-limit guidance.
    • Improved error-handling and troubleshooting docs, including updated fallback avatar host details.
    • Expanded API v3 guidance on authentication vs profile request limits and which hashes resolve.
    • Documented s as an alias for size in QR code URL parameters.
  • Maintenance
    • Updated site dependencies to newer versions to keep tooling and image processing current.
    • Strengthened automated security checks and coverage upload configuration.
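The ignore-list script the PR describes (scripts/security-audit.ts wrapping `bun audit --audit-level high` with per-advisory `--ignore` flags) is easy to let rot, which is exactly the "stale inline audit ignores" problem the PR cleans up. The TypeScript below is an added example written for this page, not the project's own script: it gives every ignored advisory a reason and an expiry, drops expired or malformed entries so that they surface as audit failures instead of persisting silently, and provides the strict mode that ignores nothing (the `security:check:strict` behaviour from the test plan). The allowlist entry's expiry date, the `--run`/`--strict` flags and the function names are assumptions.

```typescript
// Added example: a `bun audit` wrapper in the spirit of the PR's
// scripts/security-audit.ts, not the project's own file. Every ignored advisory
// must carry a reason and an expiry so that stale ignores surface instead of
// silently persisting. Names and the expiry date below are assumptions.
import { spawnSync } from "node:child_process";

export interface IgnoredAdvisory {
  id: string;      // GHSA identifier as printed by bun audit
  reason: string;  // why the finding is accepted for now
  expires: string; // ISO date (YYYY-MM-DD); after it the ignore is stale
}

// Constructed allowlist: the one advisory named in the PR, with an assumed expiry.
export const IGNORED: IgnoredAdvisory[] = [
  {
    id: "GHSA-c2c7-rcm5-vvqj",
    reason: "picomatch 2.x reached via astro -> unstorage -> anymatch; no patched 2.x release",
    expires: "2026-09-30",
  },
];

// GHSA ids use a 20-character base32 alphabet (no 0/1/a/b/d/e/i/k/l/n/o/s/t/u/y/z).
const GHSA_ID = /^GHSA(?:-[23456789cfghjmpqrvwx]{4}){3}$/;

export interface AuditPlan {
  args: string[];    // argv passed to `bun`
  stale: string[];   // ignores whose expiry has passed (dropped from args)
  invalid: string[]; // entries that are not well-formed GHSA ids (dropped too)
}

// Build the `bun audit` argv. In strict mode nothing is ignored, which is the
// "fails by design on residual advisories" check from the PR's test plan.
export function buildAuditArgs(ignores: IgnoredAdvisory[], now: Date, strict = false): AuditPlan {
  const plan: AuditPlan = { args: ["audit", "--audit-level", "high"], stale: [], invalid: [] };
  if (strict) return plan;
  for (const entry of ignores) {
    if (!GHSA_ID.test(entry.id)) { plan.invalid.push(entry.id); continue; }
    if (new Date(entry.expires).getTime() < now.getTime()) { plan.stale.push(entry.id); continue; }
    plan.args.push("--ignore", entry.id);
  }
  return plan;
}

// Spawn bun with the computed argv and return its exit status; 2 marks a
// configuration problem (malformed allowlist or bun not runnable).
export function runAudit(strict: boolean, now: Date = new Date()): number {
  const plan = buildAuditArgs(IGNORED, now, strict);
  for (const id of plan.invalid) console.error(`security-audit: malformed advisory id ${id}`);
  for (const id of plan.stale) console.error(`security-audit: ignore for ${id} has expired, re-evaluate it`);
  if (plan.invalid.length > 0) return 2;
  const result = spawnSync("bun", plan.args, { stdio: "inherit" });
  if (result.error) { console.error(`security-audit: ${result.error.message}`); return 2; }
  return result.status ?? 2;
}

// Invoke as `bun scripts/security-audit.ts --run [--strict]`; without --run the
// module only exports its functions, so it can be imported and unit-tested.
if (process.argv.includes("--run")) {
  process.exit(runAudit(process.argv.includes("--strict")));
}
```

Wiring this into package.json as `security:check` (`--run`) and `security:check:strict` (`--run --strict`) keeps the ignore list in one reviewable place; an expired entry makes the lax check fail too, which is the prompt to either extend the expiry with a fresh `bun pm why` justification or remove the ignore.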

@coderabbitai (Bot) commented Jun 17, 2026


Warning

Review limit reached

@imjlk, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 45 seconds. Learn how PR review limits work.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 801d1fc6-0164-4ce7-85bf-de8d0a68d0c2

📥 Commits

Reviewing files that changed from the base of the PR and between 2b6bf90 and 2815285.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
Walkthrough

Extracts the bun audit ignore-advisory logic from an inline package.json script into a dedicated scripts/security-audit.ts executable; updates the CI workflow to use that script, adds explicit permissions to the security job, and bumps codecov-action to v7. Bumps several dev and catalog dependency versions. Updates Gravatar documentation to use 0.gravatar.com as the avatar host, revise rate limit figures, clarify authentication behavior, and add QR parameter aliases.

Changes

Security Audit Extraction and CI/Tooling Updates

Security audit script and wiring (scripts/security-audit.ts, package.json, .github/workflows/ci.yml): scripts/security-audit.ts is introduced to construct and spawn bun audit with --audit-level high and per-advisory --ignore flags; the package.json security:check script is updated to invoke it; the CI security step adds explicit permissions: {contents: read} and delegates to bun run security:check; the Codecov action is bumped from v6 to v7.

Dependency version bumps (package.json, apps/astro-gravatar.and.guide/package.json): Root catalog/overrides upgrade astro, esbuild, rollup, vite, ws, js-yaml, and postcss; root dev dependencies bump ESLint, Prettier, TypeScript-ESLint, and Wrangler; the docs app bumps @astrojs/starlight to ^0.40.0 and sharp to ^0.35.1.

Gravatar Documentation Updates

API reference: host, auth, rate limits, QR params (apps/astro-gravatar.and.guide/src/content/docs/reference/api-endpoints.mdx, apps/.../reference/gravatar-qr.mdx): Bearer token description updated to clarify richer profile data and higher limits; note added that profile resolution requires the primary-email hash; s documented as a size alias in QR parameters; avatar URL templates and examples changed to 0.gravatar.com; rate-limit table extended with unauthenticated limits and a clarification that avatar image requests do not count toward profile endpoint quotas.

Guide docs: auth, error-handling, troubleshooting (apps/.../guides/authentication.mdx, apps/.../guides/error-handling.mdx, apps/.../guides/troubleshooting.mdx): Feature card wording and Public Access description updated in the auth guide; fallback avatar URLs changed from www.gravatar.com to 0.gravatar.com in error-handling and troubleshooting; rate limit figures updated to an explicit 1000/hour authenticated vs 100/hour unauthenticated.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • imjlk/astro-gravatar#9: Also modifies .github/workflows/ci.yml to update the Codecov upload step configuration, directly overlapping with the Codecov action version bump in this PR.

Poem

🐇 A rabbit once audited packages with flair,
But the flags in the script were too much to bear.
So I moved them to TypeScript, all tidy and neat,
And swapped www for 0 — a much cleaner feat!
Now the docs and the CI hum right along,
While I nibble my carrots and sing a new song. 🥕

Pre-merge checks: 5 passed

Description Check: Passed. Check skipped, CodeRabbit's high-level summary is enabled.
Title check: Passed. The title 'chore: refresh dependency and upstream docs' directly aligns with the main objective of consolidating three dependency refresh PRs and updating documentation.
Linked Issues check: Passed. All coding objectives from linked issues are met: Codecov Action upgraded to v7 with commit SHA pinning [#21], Starlight upgraded to 0.40.0 and Sharp to 0.35.1 [#22], and seven tooling dependencies updated [#23]. Documentation updated for Gravatar API behaviors.
Out of Scope Changes check: Passed. All changes are in-scope: CI workflow updates, dependency version bumps, new security audit script, package.json updates, and documentation revisions align with the stated objectives of consolidating three dependency refreshes and updating related documentation.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot) left a review comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)

102-124: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Restrict security job token permissions

The security job relies on default GITHUB_TOKEN permissions. Add a minimal permissions block (contents: read) to reduce unnecessary token scope.

Suggested change
   security:
     name: Security Scan
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
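Review bot: `contents: read` is the right minimal scope for this job, which only checks out the repository and runs `bun run security:check`, but a job-level `permissions:` block replaces the default token grant rather than narrowing it, so every scope not listed here (`pull-requests`, `security-events`, `packages`, and so on) becomes `none` for this job; if a later step uploads audit results, for example SARIF needing `security-events: write`, that scope has to be declared in this block explicitly. Consider pairing this with a workflow-level `permissions: contents: read` so the remaining jobs stop inheriting the repository-wide default instead of hardening one job at a time.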

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 71: The codecov/codecov-action reference uses a mutable tag `@v7` which
presents a supply chain risk since the tag can be reassigned to different
commits. Replace the `@v7` tag with the full immutable commit SHA for version
7.0.0 in the uses statement to ensure the workflow always uses the exact same
version and cannot be affected by tag reassignment.

---

Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 102-124: Add a `permissions` block to the `security` job to
restrict the `GITHUB_TOKEN` scope to only what is necessary. The `security` job
currently relies on default token permissions, but should explicitly declare a
minimal `permissions` block with only `contents: read` (required for the
checkout action). Place this `permissions` block after the `runs-on` property of
the security job to follow the principle of least privilege.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2d1d8568-bb79-44c4-b41b-a847a3c4f3f5

📥 Commits

Reviewing files that changed from the base of the PR and between fcbc9ad and fa253f0.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • apps/astro-gravatar.and.guide/package.json
  • apps/astro-gravatar.and.guide/src/content/docs/guides/authentication.mdx
  • apps/astro-gravatar.and.guide/src/content/docs/guides/error-handling.mdx
  • apps/astro-gravatar.and.guide/src/content/docs/guides/troubleshooting.mdx
  • apps/astro-gravatar.and.guide/src/content/docs/reference/api-endpoints.mdx
  • apps/astro-gravatar.and.guide/src/content/docs/reference/gravatar-qr.mdx
  • package.json
  • scripts/security-audit.ts

Comment thread on .github/workflows/ci.yml (outdated)

imjlk (Owner, Author) commented Jun 17, 2026

Addressed the review feedback in 2b6bf90:

  • Pinned codecov/codecov-action to the immutable v7.0.0 commit SHA.
  • Added minimal contents: read permissions to the security job.

@coderabbitai review

@coderabbitai (Bot) commented Jun 17, 2026

@imjlk: I'll kick off a fresh review of the PR to verify those changes and check everything else.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

imjlk (Owner, Author) commented Jun 17, 2026

Follow-up correction in 2815285:

  • Replaced the annotated tag object SHA with the peeled v7.0.0 release commit SHA for codecov/codecov-action.
  • Kept the security job contents: read permission hardening.

@coderabbitai review

@coderabbitai (Bot) commented Jun 17, 2026

@imjlk: Thanks for the follow-up — using the peeled commit SHA (the actual tree commit rather than the annotated tag object) is the correct approach for pinning GitHub Actions, as it points directly to the immutable commit rather than a mutable tag wrapper. I'll kick off a fresh review to verify commit 2815285 and check the overall state of the PR.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
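The two-step pinning above turns on one detail: for an annotated tag, `git ls-remote` reports two SHAs, the tag object and the commit it peels to, and only the commit is what a `uses:` line should pin (a lightweight tag has only the commit). The TypeScript below is an added example for this page, not code from the repository or from CodeRabbit: it lists the `uses:` references in a workflow that still use a mutable ref, picks the peeled commit out of `git ls-remote --tags` output, and rewrites a `uses:` line to the SHA with the tag kept as a trailing comment. The sample workflow, the ls-remote output and every SHA in them are constructed placeholders, and the `--run` flag is an assumption.

```typescript
// Added example, not code from the astro-gravatar repository: lint the `uses:`
// references in a GitHub Actions workflow for mutable tags, and turn a tag into
// the commit SHA that should be pinned. All SHAs and the sample inputs below
// are constructed placeholders.
import { spawnSync } from "node:child_process";

export interface UsesRef {
  line: number;    // 1-based line in the workflow
  action: string;  // owner/repo or owner/repo/path
  ref: string;     // what follows the @
  pinned: boolean; // true only for a full 40-hex commit SHA
}

const FULL_SHA = /^[0-9a-f]{40}$/;
// `uses: owner/repo[/path]@ref`; local (./) and docker:// actions are not matched.
const USES_LINE = /^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:\/[^@\s]+)?)@(\S+)/;

export function listUses(workflowYaml: string): UsesRef[] {
  const refs: UsesRef[] = [];
  workflowYaml.split("\n").forEach((text, i) => {
    const m = USES_LINE.exec(text);
    if (m) refs.push({ line: i + 1, action: m[1], ref: m[2], pinned: FULL_SHA.test(m[2]) });
  });
  return refs;
}

// `git ls-remote --tags` prints "<sha>\trefs/tags/<tag>" per tag. For an annotated
// tag that sha is the tag object; the commit it points at appears on a second line
// "<sha>\trefs/tags/<tag>^{}". Actions must be pinned to the commit, so the peeled
// line wins when present; a lightweight tag has only the first line, already a commit.
export function peeledCommitSha(lsRemoteOutput: string, tag: string): string | null {
  let unpeeled: string | null = null;
  for (const line of lsRemoteOutput.split("\n")) {
    const [sha, ref] = line.trim().split(/\s+/);
    if (!sha || !ref) continue;
    if (ref === `refs/tags/${tag}^{}`) return sha;
    if (ref === `refs/tags/${tag}`) unpeeled = sha;
  }
  return unpeeled;
}

// Rewrite one `uses:` line to the SHA, keeping the tag in a trailing comment so a
// reader (or an update tool) can still see which release the SHA corresponds to.
export function pinUsesLine(line: string, sha: string, tag: string): string {
  return line.replace(/@\S+.*$/, `@${sha} # ${tag}`);
}

// Resolve a tag against GitHub over the network. Only called under --run, so
// importing this module (for example from a test) never touches the network.
export function resolveTag(repo: string, tag: string): string | null {
  const r = spawnSync("git", ["ls-remote", "--tags", `https://github.com/${repo}`, tag], { encoding: "utf8" });
  return r.status === 0 ? peeledCommitSha(r.stdout, tag) : null;
}

// Constructed inputs (the SHAs are placeholders, not real codecov-action commits).
export const SAMPLE_WORKFLOW = [
  "jobs:",
  "  coverage:",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: codecov/codecov-action@v7",
  `      - uses: oven-sh/setup-bun@${"b".repeat(40)}`,
].join("\n");

export const SAMPLE_LS_REMOTE = [
  `${"a".repeat(40)}\trefs/tags/v7.0.0`,    // annotated tag object
  `${"c".repeat(40)}\trefs/tags/v7.0.0^{}`, // peeled commit: the SHA to pin
  `${"d".repeat(40)}\trefs/tags/v6.2.0`,    // lightweight tag: already a commit
].join("\n");

// `bun pin-check.ts --run [owner/repo tag]` lints the sample and, if a repo and
// tag are given, resolves the tag live.
if (process.argv.includes("--run")) {
  for (const u of listUses(SAMPLE_WORKFLOW).filter((r) => !r.pinned)) {
    console.log(`line ${u.line}: ${u.action}@${u.ref} is a mutable ref`);
  }
  console.log(`sample v7.0.0 -> ${peeledCommitSha(SAMPLE_LS_REMOTE, "v7.0.0")}`);
  const [repo, tag] = process.argv.slice(process.argv.indexOf("--run") + 1);
  if (repo && tag) console.log(`${repo}@${tag} -> ${resolveTag(repo, tag)}`);
}
```

Running `bun pin-check.ts --run codecov/codecov-action v7.0.0` prints the commit SHA to compare against ci.yml; every `uses:` the linter reports as unpinned is a candidate for the same treatment, and the trailing `# v7.0.0` comment is what tells a later reader which release the opaque SHA stands for.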

imjlk merged commit 16b24cc into main on Jun 17, 2026 (8 checks passed) and deleted the codex/dependency-ci-upstream-refresh branch at 10:22.