Weekly dependency audit 2026-06-27

[grahambrooks]

Summary

Weekly dependency audit report for 2026-06-27. This PR adds dep-audits/2026-06-27.md documenting the current state.

The session scope limitation persists — the scheduled session can only write to grahambrooks/.github, so actual maintenance branches and PRs in the target repos still cannot be auto-created.

What's in the audit

• Go: attribute and ai-dev-container have meaningful minor/patch updates ready to apply; bsdoc has a major skip.
• Rust (9 repos): cargo update lock-file bumps ready for colab, gitatlas-cli, mcpm, bsv, genie, cic, astgen, adoc, puml.
• JS: gitatlas is current.
• 4 private repos and several complex monorepos still skipped.

What needs to happen

To enable full automation, add target repositories to the session's GitHub scope (or provide a PAT with repo access). Manual bash commands to apply all updates are included in the audit file.

Skipped majors

• github.com/github/copilot-sdk/go v0.3.0 → v1.0.2 (bsdoc)
• thiserror v1.x → v2.0.18 (bx, casual-review)

---

Generated by Claude Code

[Copilot]

Pull request overview

Adds the weekly dependency audit report for 2026-06-27 to this .github repository, documenting carry-forward dependency update opportunities across several Go and Rust repositories and explaining why automated PR creation is still blocked by the current session scope.

Changes:

• Added a new audit markdown report for 2026-06-27.
• Documented carry-forward dependency update status across Go, Rust, and JS/TS repos.
• Included an “Action Required” section with manual update commands and guidance to expand GitHub scope for future automation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.