110 changes: 110 additions & 0 deletions dep-audits/2026-06-27.md
@@ -0,0 +1,110 @@
# Weekly Dependency Audit — 2026-06-27

> Generated by scheduled maintenance routine.
> **PRs could not be auto-created** — session GitHub scope is still limited to `grahambrooks/.github` only.
> See "Action Required" section at bottom.

---

## Status vs Last Week (2026-06-20)

The 2026-06-20 audit identified updates across Go, Rust, and JS repos but could not create branches or PRs in those repositories due to session scope limits. **Those items remain open and actionable** — it is unknown whether they have been applied manually. The updates listed below are carried forward and should be treated as current until confirmed applied.

---

## Go Repos — Updates Identified (Carry-forward from 2026-06-20)

### `attribute`
- `stretchr/testify` v1.7.0 → **v1.11.1** (minor)
- Notable indirects: `golang.org/x/tools`, `x/mod`, `x/sync`, `x/sys`, `x/net`, `gliderlabs/ssh`, `google/go-cmp`
- Command: `go get -u ./... && go mod tidy`

### `ai-dev-container`
- `github.com/moby/moby/api` v1.54.0 → **v1.55.0**
- `github.com/moby/moby/client` v0.3.0 → **v0.5.0**
- `github.com/docker/go-connections` v0.6.0 → **v0.7.0**
- `go.opentelemetry.io/otel*` v1.42.0 → v1.44.0
- Command: `go get -u ./... && go mod tidy`

### `bsdoc`
- `github.com/github/copilot-sdk/go` v0.3.0 → v1.0.2 (**MAJOR — skip**)
- Minor indirect bumps only; low priority

---

## Rust Repos — Cargo.lock Updates (Carry-forward from 2026-06-20)

All of the following need `cargo update` run and the updated `Cargo.lock` committed:

| Repo | Notable updates |
|---|---|
| `colab` | `jiff`, `chrono`, `bitflags`, `bytes`, `log`, `assert_cmd`, `ignore` |
| `gitatlas-cli` | `libgit2-sys`, `lru`, `chrono`, `bitflags`, `libz-sys`, `compact_str`, `log` |
| `mcpm` | `clap` v4→v4.6, `anstream`, `aws-lc-rs`, `bytes`, `anyhow`, `compact_str` |
| `bsv` | `aws-lc-rs`, `fancy-regex`, `h2`, `hyper`, `jni`, `bytes`, `bitflags` |
| `genie` | `hyper`, `h2`, `http`, `chrono`, `bytes` |
| `cic` | `hyper`, `http`, `compact_str`, `chrono`, `bytes` |
| `astgen` | `dashmap`, `jiff`, `regex`, `ignore`, `log` |
| `adoc` | `serde_json`, `insta`, `syn`, `regex-syntax`, `bitflags` |
| `puml` | `insta`, `kqueue`, `mio`, `inotify`, `memchr`, `bitflags` |

Skip (`thiserror` v1→v2 major): `bx`, `casual-review`

Already current: `symgraph`, `refactor-dsl`, `mcp-dep`, `rv`, `facts`

---

## JS / TS Repos

### `gitatlas` — No updates needed (semver ranges already resolve to latest)

---

## Skipped (same as prior week)

- **Private** (`snag`, `insight`, `structurizr-lsp`, `code-provenance`) — need credentials
- `forge` — complex Rust workspace, skip conservatively
- `product-backstage` — yarn monorepo, consider Renovate bot
- `codecity` — check `frontend/` with `npm outdated`
- `casual-review` — VSCode extension, check manually
- Static sites (`grahambrooks.blog`, `grahambrooks.github.io`) — no manifests
- No manifests: `.github`, `gb-agent-skills`, `insight-agents`, `mermaid-adr`, `accounting-pattern`

---

## Action Required: Fix Session Scope (same as last week)

**Root cause:** The scheduled Claude Code session's GitHub MCP is scoped only to `grahambrooks/.github`, so it cannot push branches or open PRs in other repos.

**To fix for future runs:** In your Claude Code web session settings, add each target repo to the allowed scope, or set a GitHub PAT with `repo` scope as an environment variable. Once fixed, the routine will auto-create PRs.

**To apply updates manually now:**

```bash
# Go repos
cd ~/repos/attribute
git checkout -b maintenance/deps-2026-06-27
go get -u ./... && go mod tidy
git commit -am 'chore(deps): weekly dependency updates'
git push -u origin maintenance/deps-2026-06-27
# Then open PR on GitHub

cd ~/repos/ai-dev-container
git checkout -b maintenance/deps-2026-06-27
go get -u ./... && go mod tidy
git commit -am 'chore(deps): weekly dependency updates'
git push -u origin maintenance/deps-2026-06-27

# Rust repos (Cargo.lock bumps)
for repo in colab gitatlas-cli mcpm bsv genie cic astgen adoc puml; do
cd ~/repos/$repo
git checkout -b maintenance/deps-2026-06-27
cargo update
git commit -am 'chore(deps): weekly dependency updates'
git push -u origin maintenance/deps-2026-06-27
done
```

---

*This audit is a carry-forward. Exact version numbers may have advanced further since 2026-06-20 — run the commands above to get the current latest.*
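
Review bot: In the "Action Required" section, the recommended fix of "a GitHub PAT with `repo` scope as an environment variable" gives the scheduled session full read/write control over every repository the account can reach, including the private ones this audit lists under "Skipped", when the routine only needs to push a branch and open a PR in the repos named here. Suggest recommending a fine-grained token limited to those target repositories with Contents and Pull requests write permissions, and noting that it should be stored as a secret rather than a plain environment variable. In the manual script, `git commit -am` commits every tracked modification in the working tree, not just the dependency files, and the `cd ~/repos/$repo` in the Rust loop is unquoted and unchecked, so a missing checkout would run `cargo update`, the commit and the push in whatever directory the shell is already in; suggest `cd "$HOME/repos/$repo" || continue` and staging only `go.mod`/`go.sum` or `Cargo.lock` explicitly. The script also goes straight from update to push with no build or test step (`go test ./...`, `cargo test`), which matters given that the version numbers are carried forward from 2026-06-20 and, per the closing note, may resolve to something newer than what was reviewed.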