diff --git a/dep-audits/2026-06-27.md b/dep-audits/2026-06-27.md new file mode 100644 index 0000000..e7b4384 --- /dev/null +++ b/dep-audits/2026-06-27.md 
@@ -0,0 +1,110 @@ +# Weekly Dependency Audit — 2026-06-27 + +> Generated by scheduled maintenance routine. +> **PRs could not be auto-created** — session GitHub scope is still limited to `grahambrooks/.github` only. +> See "Action Required" section at bottom. + +--- + +## Status vs Last Week (2026-06-20) + +The 2026-06-20 audit identified updates across Go, Rust, and JS repos but could not create branches or PRs in those repositories due to session scope limits. **Those items remain open and actionable** — it is unknown whether they have been applied manually. The updates listed below are carried forward and should be treated as current until confirmed applied. + +--- + +## Go Repos — Updates Identified (Carry-forward from 2026-06-20) + +### `attribute` +- `stretchr/testify` v1.7.0 → **v1.11.1** (minor) +- Notable indirects: `golang.org/x/tools`, `x/mod`, `x/sync`, `x/sys`, `x/net`, `gliderlabs/ssh`, `google/go-cmp` +- Command: `go get -u ./... && go mod tidy` + +### `ai-dev-container` +- `github.com/moby/moby/api` v1.54.0 → **v1.55.0** +- `github.com/moby/moby/client` v0.3.0 → **v0.5.0** +- `github.com/docker/go-connections` v0.6.0 → **v0.7.0** +- `go.opentelemetry.io/otel*` v1.42.0 → v1.44.0 +- Command: `go get -u ./... 
&& go mod tidy` + +### `bsdoc` +- `github.com/github/copilot-sdk/go` v0.3.0 → v1.0.2 (**MAJOR — skip**) +- Minor indirect bumps only; low priority + +--- + +## Rust Repos — Cargo.lock Updates (Carry-forward from 2026-06-20) + +All of the following need `cargo update` run and the updated `Cargo.lock` committed: + +| Repo | Notable updates | +|---|---| +| `colab` | `jiff`, `chrono`, `bitflags`, `bytes`, `log`, `assert_cmd`, `ignore` | +| `gitatlas-cli` | `libgit2-sys`, `lru`, `chrono`, `bitflags`, `libz-sys`, `compact_str`, `log` | +| `mcpm` | `clap` v4→v4.6, `anstream`, `aws-lc-rs`, `bytes`, `anyhow`, `compact_str` | +| `bsv` | `aws-lc-rs`, `fancy-regex`, `h2`, `hyper`, `jni`, `bytes`, `bitflags` | +| `genie` | `hyper`, `h2`, `http`, `chrono`, `bytes` | +| `cic` | `hyper`, `http`, `compact_str`, `chrono`, `bytes` | +| `astgen` | `dashmap`, `jiff`, `regex`, `ignore`, `log` | +| `adoc` | `serde_json`, `insta`, `syn`, `regex-syntax`, `bitflags` | +| `puml` | `insta`, `kqueue`, `mio`, `inotify`, `memchr`, `bitflags` | + +Skip (`thiserror` v1→v2 major): `bx`, `casual-review` + +Already current: `symgraph`, `refactor-dsl`, `mcp-dep`, `rv`, `facts` + +--- + +## JS / TS Repos + +### `gitatlas` — No updates needed (semver ranges already resolve to latest) + +--- + +## Skipped (same as prior week) + +- **Private** (`snag`, `insight`, `structurizr-lsp`, `code-provenance`) — need credentials +- `forge` — complex Rust workspace, skip conservatively +- `product-backstage` — yarn monorepo, consider Renovate bot +- `codecity` — check `frontend/` with `npm outdated` +- `casual-review` — VSCode extension, check manually +- Static sites (`grahambrooks.blog`, `grahambrooks.github.io`) — no manifests +- No manifests: `.github`, `gb-agent-skills`, `insight-agents`, `mermaid-adr`, `accounting-pattern` + +--- + +## Action Required: Fix Session Scope (same as last week) + +**Root cause:** The scheduled Claude Code session's GitHub MCP is scoped only to `grahambrooks/.github`, so it cannot 
push branches or open PRs in other repos. + +**To fix for future runs:** In your Claude Code web session settings, add each target repo to the allowed scope, or set a GitHub PAT with `repo` scope as an environment variable. Once fixed, the routine will auto-create PRs. + +**To apply updates manually now:** + +```bash +# Go repos +cd ~/repos/attribute +git checkout -b maintenance/deps-2026-06-27 +go get -u ./... && go mod tidy +git commit -am 'chore(deps): weekly dependency updates' +git push -u origin maintenance/deps-2026-06-27 +# Then open PR on GitHub + +cd ~/repos/ai-dev-container +git checkout -b maintenance/deps-2026-06-27 +go get -u ./... && go mod tidy +git commit -am 'chore(deps): weekly dependency updates' +git push -u origin maintenance/deps-2026-06-27 + +# Rust repos (Cargo.lock bumps) +for repo in colab gitatlas-cli mcpm bsv genie cic astgen adoc puml; do + cd ~/repos/$repo + git checkout -b maintenance/deps-2026-06-27 + cargo update + git commit -am 'chore(deps): weekly dependency updates' + git push -u origin maintenance/deps-2026-06-27 +done +``` + +--- + +*This audit is a carry-forward. Exact version numbers may have advanced further since 2026-06-20 — run the commands above to get the current latest.*
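Review bot: the "To fix for future runs" paragraph in this hunk recommends `set a GitHub PAT with `repo` scope as an environment variable`, which hands the scheduled agent session write access to every repository the token owner can reach, including the private ones the report itself says it cannot currently touch (`snag`, `insight`, `structurizr-lsp`, `code-provenance`). A fine-grained PAT restricted to the repos named in the audit, with Contents and Pull requests permissions only, is enough to push a branch and open a PR, and is the least-privilege fix; the first option in that sentence (adding each target repo to the allowed scope) already follows that principle, so the `repo`-scope alternative should be dropped or marked as a last resort. Separately, the manual-apply script has no error handling: inside `for repo in colab gitatlas-cli mcpm bsv genie cic astgen adoc puml; do` the `cd ~/repos/$repo` is unchecked, so a missing or misnamed checkout leaves the shell in the previous repo's directory and the following `cargo update`, `git commit -am` and `git push -u origin maintenance/deps-2026-06-27` run against the wrong repository. Add `set -e` at the top and `cd ~/repos/$repo || exit 1` (or `|| continue`), and the same guard for the two Go `cd` lines. Finally, `go get -u ./... && go mod tidy` and `cargo update` both accept whatever the registry serves at run time, and the closing note concedes the listed versions "may have advanced further"; the script should at least show `git diff go.mod go.sum` / `git diff Cargo.lock` before the commit so the PR author reviews what actually changed rather than committing it blind.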