Skip to content

Bump actions/setup-node from 4 to 6#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-6
Open

Bump actions/setup-node from 4 to 6#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions/setup-node-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from naman7474 as a code owner June 23, 2026 16:02
naman7474 added a commit that referenced this pull request Jul 5, 2026
Closes the "GitHub access to one repo → read the whole org" security-review
blocker. Default stays "shared" (whole-org read, zero behavior change); an
owner can flip a project to "walled" so reads require project membership.

Enforced at the application guard layer (RLS stays org-only):
- New ensureProjectVisible / canReadProject guards (guards.ts) + projectVisibility
  reader (permissions.ts). Applied to every projectId read route: dashboard
  overview/insights, ingest graph/proposed/decisions-search, and the documents/
  features/conflicts/counts reads.
- orgOverview hides walled projects from non-members.
- projectMembers becomes an authoritative roster: connectOrJoin (auto-join,
  create, cross-service join) and createProject now backfill an active
  project_members row (owner for creators, member for joiners). Invites already
  did. Plus a one-off scripts/backfill-project-members.ts for existing projects.
- Owner-only visibility toggle on the Members page (reuses the settings patch
  endpoint); projectOverview now returns the current visibility.

core 97/97 (new visibility.api.test.ts: shared read-all, walled 403 vs member
200 across overview/graph/proposed/insights, org-overview hiding, roster
backfill), guards + permissions 100% coverage, web tsc + build clean.
Migration-free (projects.settings jsonb).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474 added a commit that referenced this pull request Jul 5, 2026
Follow-up to #2: reads were walled uniformly but write/mutation routes still
checked only org membership, so any org member outside a wall could mutate a
walled project — and the doc-lifecycle mutations had no role check even on
shared projects (a pre-existing PRD §15 gap).

New guard `requireProjectRole(roles)` (no shared bypass — a write role is a
write role) + `canManageDocTx` (§15: registrant ∨ doc owner ∨ owner/pm;
canRatifyTx is now an alias since it's the same predicate).

- Doc lifecycle (state / unregister / resync): §15 enforced INSIDE the services
  (covers every caller), closing the shared-project hole too.
- State mappings + property → owner/pm (decision: owner/pm, not owner-only —
  PMs administer product-layer config).
- Connector plumbing + graph mutations (POST connections/allowlist,
  graph derive/nodes/edges) and POST /repos → owner/pm.
- GET connections + allowlist and POST /documents (register) → project-visible.
- Worker paths untouched (cross-org trusted, correct); Slack ratify buttons were
  already walled-safe via getProjectRoleTx (null for non-members).

Tests: extended with a WRITE matrix mirroring the read one — visibility.api.test
(member/outsider 403 vs owner OK on connector+graph writes) and documents.api.test
(member 403 on doc state, §15). core 100/100; guards + permissions 100% coverage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474 added a commit that referenced this pull request Jul 5, 2026
invite() checked only org membership and inserted the project_members row with
a caller-controlled, unvalidated role. Two one-line exploits, both now closed:

1. Self-invite past a wall: any org member could POST /…/:walledProject/invite
   with their own handle → invited row → their next connect flips it active
   (the #2 roster-backfill path) → inside the wall.
2. Privilege escalation to owner on ANY project: pass role:"owner" → the same
   flow mints owner. Post-#2, owner/pm gates every write, so this was the master
   key to settings, visibility, mappings, connector plumbing, and ratification.

Fix (in the service, so CLI + web + any caller inherit it):
- whitelist role ∈ {member, pm, owner} (400 otherwise);
- only owners/PMs may invite at all (getProjectRoleTx, not org membership);
- only an owner may grant owner/pm — a PM can invite members only.

Accept path audited: activateInvites matches by handle + status='invited' and
only flips status/memberId, never the role (as-stored) — no user-controlled
input there.

Tests: invite matrix in visibility.api.test — outsider self-invite 403, member
invite 403, member/pm granting owner 403, bogus role 400, owner-grants-any and
pm-grants-member OK. core 101/101.

Decision for PRD §21 log: PMs may invite members (not owner-only) — mirrors the
mappings owner/pm call.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474 added a commit that referenced this pull request Jul 7, 2026
…, #1)

Bootstrap lockstep.yaml with a run-once /lockstep-setup skill and resolve a
repo's consumes by closed-world matching against the org's own dependency graph.

- server: produced-surface catalog — listProjectSurfaces + GET /surfaces,
  syncProducedSurfaces + POST /surfaces (idempotent produces→contracts), and
  registerDependency now auto-resolves + self-heals producedRepoId from the catalog.
- cli: `lockstep scan` (walk repo → produces + graph-resolved consumes, tiered
  proposal, --json/--apply), extractOutbound detector (fetch/axios/gRPC/import),
  writeManifest (merge-preserving, reuses applyFile), trackedFiles.
- skill: SETUP_SKILL_MD wired into init as a 5th artifact and the sole yaml writer;
  capture hook stays read-only.
- backlog: prune IMPROVEMENTS.md — remove shipped #2 + #11, reframe #1, renumber.

Tests: cli 66/66, core 104/104; new modules ≥90% coverage.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
naman7474 added a commit that referenced this pull request Jul 7, 2026
Move #1 (consumes autodetection) into the "shipped & removed" banner alongside
#2 and #11; keep the remaining future-depth bits (GraphQL/base-URL coverage,
service-level shorthand, gateway/mesh/OTel import) as an explicit non-blocker
note. Renumber the rest to 9 items and refresh the pitch-guidance honest-gaps line.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants