
@jdalton (Contributor)

@jdalton jdalton commented Nov 19, 2025

Pins @coana-tech/cli and @cyclonedx/cdxgen to exact versions.


Note

Pins and upgrades @cyclonedx/cdxgen and @coana-tech/cli, updating the lockfile and related transitive dependencies; minor dlx helper cleanup.

  • Dependencies:
    • Pin and bump @cyclonedx/cdxgen to 11.11.0 and @coana-tech/cli to 14.12.90 in package.json.
    • Refresh pnpm-lock.yaml with corresponding transitive updates (e.g., @cyclonedx/cdxgen-plugins-* 1.7.0, got 14.6.0, various @npmcli/*, ssri 13.0.0, etc.).
  • Utilities:
    • Minor refactor in src/utils/dlx.mts to directly reference constants.ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION when spawning @cyclonedx/cdxgen.

Written by Cursor Bugbot for commit 7760555.

Update external tool dependencies to pinned versions:
- @coana-tech/cli: 14.12.88 → 14.12.90
- @cyclonedx/cdxgen: 11.7.0 → 11.11.0

These packages are used without tilde prefixes in the codebase,
ensuring deterministic and reproducible installations.
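The commit message above relies on two properties: every direct dependency specifier is an exact version, and the refreshed lockfile actually resolved that exact version. The following is an added example of a check for both, written for this page and not code from socket-cli; the package.json and lockfile data embedded in it are constructed to mirror the two packages in this PR, and the function names (`findUnpinned`, `findLockfileDrift`) are my own.

```javascript
// Added example, not part of socket-cli: verify that direct dependencies are
// pinned to exact versions and that the lockfile resolved those same versions.
// All package.json / lockfile data below is constructed for illustration.

// Exact semver, optionally behind an npm: alias ("npm:pkg@1.2.3",
// "npm:@scope/name@1.2.3"). Ranges (^, ~, >=, 1.x, *) and dist-tags
// such as "latest" deliberately do not match.
const EXACT_SEMVER =
  /^(?:npm:(?:@[^/@]+\/)?[^/@]+@)?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Specifiers that are intentionally not semver in a pnpm workspace.
const ALLOWED_PREFIXES = ['workspace:'];

function isExactVersion(spec) {
  return typeof spec === 'string' && EXACT_SEMVER.test(spec.trim());
}

// Strip an npm: alias so "npm:@scope/name@1.2.3" compares as "1.2.3".
function bareVersion(spec) {
  return spec.trim().replace(/^npm:(?:@[^/@]+\/)?[^/@]+@/, '');
}

// Every direct dependency whose specifier is a range, tag, URL or other
// non-exact form. An empty result means every direct dep is pinned.
function findUnpinned(pkg, { fields = DEP_FIELDS, allow = ALLOWED_PREFIXES } = {}) {
  const unpinned = [];
  for (const field of fields) {
    const deps = pkg[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec === 'string' && allow.some(p => spec.startsWith(p))) continue;
      if (!isExactVersion(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// A pin only buys reproducibility if the lockfile recorded the same version.
// `resolved` maps package name -> version taken from the lockfile; for
// pnpm-lock.yaml (lockfileVersion 6 and later) that is the `version` field
// under importers -> <importer> -> dependencies -> <name>, read with a YAML
// parser. Reports each pinned dep whose lockfile entry is missing or differs.
function findLockfileDrift(pkg, resolved, { fields = DEP_FIELDS } = {}) {
  const drift = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!isExactVersion(spec)) continue;
      const want = bareVersion(spec);
      const got = resolved[name] ?? null;
      if (got !== want) drift.push({ field, name, want, got });
    }
  }
  return drift;
}

// Constructed sample: the two external tools before and after pinning.
const PKG_BEFORE = {
  dependencies: {
    '@coana-tech/cli': '^14.12.88',
    '@cyclonedx/cdxgen': '~11.7.0',
  },
};
const PKG_AFTER = {
  dependencies: {
    '@coana-tech/cli': '14.12.90',
    '@cyclonedx/cdxgen': '11.11.0',
  },
};
// Constructed lockfile states: one where only cdxgen was refreshed, one current.
const LOCK_STALE = { '@cyclonedx/cdxgen': '11.11.0', '@coana-tech/cli': '14.12.88' };
const LOCK_FRESH = { '@cyclonedx/cdxgen': '11.11.0', '@coana-tech/cli': '14.12.90' };

console.log('unpinned before:', findUnpinned(PKG_BEFORE));
console.log('unpinned after:', findUnpinned(PKG_AFTER));
console.log('drift vs stale lock:', findLockfileDrift(PKG_AFTER, LOCK_STALE));
console.log('drift vs fresh lock:', findLockfileDrift(PKG_AFTER, LOCK_FRESH));
```

Run it as a CI step against the real package.json and a parsed lockfile and fail the job when either list is non-empty; the stale-lockfile case is the one that slips through review most often, since `pnpm install` with a pinned specifier and an unrefreshed lockfile can still succeed while shipping the older version.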
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                   Versions              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli       14.12.88 ⏵ 14.12.90   89 (+1)                100            80 (+1)  96           100
Updated  npm/@cyclonedx/cdxgen     11.7.0 ⏵ 11.11.0      88 (+1)                100            100      99 (+1)      100

(Values in parentheses are the score change relative to the previous version.)

View full report

@socket-security-staging

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                   Versions              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  npm/@coana-tech/cli       14.12.88 ⏵ 14.12.90   89 (+1)                100            80 (+1)  96           100
Updated  npm/@cyclonedx/cdxgen     11.7.0 ⏵ 11.11.0      88                     100            100      99 (+3)      100

(Values in parentheses are the score change relative to the previous version.)

View full report

@jdalton jdalton merged commit 6ab5d0f into v1.x Nov 19, 2025
8 checks passed
@jdalton jdalton deleted the jdalton/pinned-external branch November 19, 2025 23:14