9b8f1e61dbe40e6f0bd3b510561fdba3e8d5367e
17 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
d35b79f1bd |
build(deps-dev): bump rollup from 4.60.1 to 4.61.1 (#7566)
Bumps [rollup](https://github.com/rollup/rollup) from 4.60.1 to 4.61.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/releases">rollup's releases</a>.</em></p> <blockquote> <h2>v4.61.1</h2> <h2>4.61.1</h2> <p><em>2026-06-04</em></p> <h3>Bug Fixes</h3> <ul> <li>Avoid extraneous newlines when adding headers via plugins (<a href="https://redirect.github.com/rollup/rollup/issues/6403">#6403</a>)</li> <li>Fix a rare issue where starting Rollup would hang on Windows (<a href="https://redirect.github.com/rollup/rollup/issues/6404">#6404</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6402">#6402</a>: Improve documentation for manualPureFunctions (<a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6403">#6403</a>: Does not add an extra leading line feed for addons (<a href="https://github.com/TrickyPi"><code>@TrickyPi</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6404">#6404</a>: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (<a href="https://github.com/jdz321"><code>@jdz321</code></a>, <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> </ul> <h2>v4.61.0</h2> <h2>4.61.0</h2> <p><em>2026-06-01</em></p> <h3>Features</h3> <ul> <li>Sort entry modules to make chunk hashes deterministic (<a href="https://redirect.github.com/rollup/rollup/issues/6391">#6391</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6376">#6376</a>: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (<a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6378">#6378</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6379">#6379</a>: chore(deps): update dependency lint-staged to v17 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6380">#6380</a>: chore(deps): update dependency lru-cache to v11 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6381">#6381</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6382">#6382</a>: chore(deps): update dependency <code>@types/node</code> to ^20.19.41 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6386">#6386</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6387">#6387</a>: chore(deps): update aws-actions/configure-aws-credentials action to v6 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6388">#6388</a>: fix(deps): update swc monorepo (major) (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6389">#6389</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6391">#6391</a>: Sort entry modules to make chunk hash names deterministic (<a href="https://github.com/TrickyPi"><code>@TrickyPi</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6394">#6394</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6395">#6395</a>: chore(deps): update react monorepo to v19 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6396">#6396</a>: fix(deps): update rust crate swc_compiler_base to v57 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6397">#6397</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6400">#6400</a>: docs: fix broken links (<a href="https://github.com/jiyujie2006"><code>@jiyujie2006</code></a>)</li> </ul> <h2>v4.60.4</h2> <h2>4.60.4</h2> <p><em>2026-05-14</em></p> <h3>Bug Fixes</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/rollup/rollup/blob/master/CHANGELOG.md">rollup's changelog</a>.</em></p> <blockquote> <h2>4.61.1</h2> <p><em>2026-06-04</em></p> <h3>Bug Fixes</h3> <ul> <li>Avoid extraneous newlines when adding headers via plugins (<a href="https://redirect.github.com/rollup/rollup/issues/6403">#6403</a>)</li> <li>Fix a rare issue where starting Rollup would hang on Windows (<a href="https://redirect.github.com/rollup/rollup/issues/6404">#6404</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6402">#6402</a>: Improve documentation for manualPureFunctions (<a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6403">#6403</a>: Does not add an extra leading line feed for addons (<a href="https://github.com/TrickyPi"><code>@TrickyPi</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6404">#6404</a>: fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR lookups (<a href="https://github.com/jdz321"><code>@jdz321</code></a>, <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> </ul> <h2>4.61.0</h2> <p><em>2026-06-01</em></p> <h3>Features</h3> <ul> <li>Sort entry modules to make chunk hashes deterministic (<a href="https://redirect.github.com/rollup/rollup/issues/6391">#6391</a>)</li> </ul> <h3>Pull Requests</h3> <ul> <li><a href="https://redirect.github.com/rollup/rollup/pull/6376">#6376</a>: Eliminate AWS credential exposure on fork PRs in REPL artefact workflow (<a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6378">#6378</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6379">#6379</a>: chore(deps): update dependency lint-staged to v17 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6380">#6380</a>: chore(deps): update dependency lru-cache to v11 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6381">#6381</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6382">#6382</a>: chore(deps): update dependency <code>@types/node</code> to ^20.19.41 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6386">#6386</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6387">#6387</a>: chore(deps): update aws-actions/configure-aws-credentials action to v6 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6388">#6388</a>: fix(deps): update swc monorepo (major) (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6389">#6389</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot])</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6391">#6391</a>: Sort entry modules to make chunk hash names deterministic (<a href="https://github.com/TrickyPi"><code>@TrickyPi</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6394">#6394</a>: fix(deps): update minor/patch updates (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6395">#6395</a>: chore(deps): update react monorepo to v19 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6396">#6396</a>: fix(deps): update rust crate swc_compiler_base to v57 (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6397">#6397</a>: chore(deps): lock file maintenance (<a href="https://github.com/renovate"><code>@renovate</code></a>[bot], <a href="https://github.com/lukastaegert"><code>@lukastaegert</code></a>)</li> <li><a href="https://redirect.github.com/rollup/rollup/pull/6400">#6400</a>: docs: fix broken links (<a href="https://github.com/jiyujie2006"><code>@jiyujie2006</code></a>)</li> </ul> <h2>4.60.4</h2> <p><em>2026-05-14</em></p> <h3>Bug Fixes</h3> <ul> <li>Improve stability of chunk hashes (<a href="https://redirect.github.com/rollup/rollup/issues/6362">#6362</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/rollup/rollup/commit/b77daf0a97cf96e61870cc02de584e923bc70fad"><code>b77daf0</code></a> 4.61.1</li> <li><a href="https://github.com/rollup/rollup/commit/91b6dc4def27e990412fa4dc5b4fe1a9af3adcba"><code>91b6dc4</code></a> fix: set report.excludeNetwork=true before getReport() to avoid blocking PTR ...</li> <li><a href="https://github.com/rollup/rollup/commit/f2a0449e1c7144acf12d2bf0a4aad76c9a7d85e6"><code>f2a0449</code></a> Improve documentation for manualPureFunctions (<a href="https://redirect.github.com/rollup/rollup/issues/6402">#6402</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/7bdce6c9e34bd395891aca96d17ccd14c5fd24ad"><code>7bdce6c</code></a> Does not add an extra leading line feed for addons (<a href="https://redirect.github.com/rollup/rollup/issues/6403">#6403</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/765167f1edc66adebef89fea5e3f260f4587b64e"><code>765167f</code></a> 4.61.0</li> <li><a href="https://github.com/rollup/rollup/commit/0f547eb02ca6785e1a01287f857809992cf884a7"><code>0f547eb</code></a> Sort entry modules to make chunk hash names deterministic (<a href="https://redirect.github.com/rollup/rollup/issues/6391">#6391</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/583878733e55e24ed7f16d3e0ba565aa3f14718e"><code>5838787</code></a> docs: fix broken links (<a href="https://redirect.github.com/rollup/rollup/issues/6400">#6400</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/cc0f51af8e06aec3ca5f191c7863fb065527e2e9"><code>cc0f51a</code></a> chore(deps): update react monorepo to v19 (<a href="https://redirect.github.com/rollup/rollup/issues/6395">#6395</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/dd300378ad86a4727645e7490d818ef24bab1970"><code>dd30037</code></a> fix(deps): update rust crate swc_compiler_base to v57 (<a href="https://redirect.github.com/rollup/rollup/issues/6396">#6396</a>)</li> <li><a href="https://github.com/rollup/rollup/commit/cb86c3e5693ef0e7ec3e83e78555d6e492b323a3"><code>cb86c3e</code></a> chore(deps): lock file maintenance (<a href="https://redirect.github.com/rollup/rollup/issues/6397">#6397</a>)</li> <li>Additional commits viewable in <a href="https://github.com/rollup/rollup/compare/v4.60.1...v4.61.1">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1822b3f378 |
build(deps): bump @codemirror/language from 6.12.1 to 6.12.3 (#7565)
Bumps [@codemirror/language](https://github.com/codemirror/language) from 6.12.1 to 6.12.3. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/codemirror/language/blob/main/CHANGELOG.md">@codemirror/language's changelog</a>.</em></p> <blockquote> <h2>6.12.3 (2026-03-25)</h2> <h3>Bug fixes</h3> <p>Fix a crash in <code>bracketMatching</code> when composing at end of document.</p> <h2>6.12.2 (2026-02-25)</h2> <h3>Bug fixes</h3> <p>Make sure brackets are highlighted in the initial editor state.</p> <p>Pause bracket matching updates during composition, to avoid disrupting Mobile Safari's fragile composition handling.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/codemirror/language/commit/f5af31eed71fa22e8c110d74e61098c0fb1c1acb"><code>f5af31e</code></a> Mark version 6.12.3</li> <li><a href="https://github.com/codemirror/language/commit/371c9ba6be9ac489c4ebd6f26be352e0eb1a41c6"><code>371c9ba</code></a> Fix bogus bracket highlighting being generated at end of document</li> <li><a href="https://github.com/codemirror/language/commit/9531899bd88aac7c932a749668ddbfcd9acfb80f"><code>9531899</code></a> Remove duplicated slash in forum url in README</li> <li><a href="https://github.com/codemirror/language/commit/2f4e7014a54171ec5af260e04a97cb10c14b3aac"><code>2f4e701</code></a> Fix forum link in readme</li> <li><a href="https://github.com/codemirror/language/commit/b5cd54b2ffc8e6edb0f2ae464aa2a59d600d8352"><code>b5cd54b</code></a> Mark version 6.12.2</li> <li><a href="https://github.com/codemirror/language/commit/5f867636405510f243798507e7fb24f5ca5ed767"><code>5f86763</code></a> Pause bracket matching updates during composition</li> <li><a href="https://github.com/codemirror/language/commit/af8dca9d061caec6e00213ac25b690e62dba39c4"><code>af8dca9</code></a> Properly show matched brackets in the initial editor state</li> <li><a href="https://github.com/codemirror/language/commit/693a25efaa025d857e969720876f2dcb5683528c"><code>693a25e</code></a> Use git+https format for package.json repository field</li> <li>See full diff in <a href="https://github.com/codemirror/language/compare/6.12.1...6.12.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
6ac15bce31 |
build(deps-dev): bump esbuild from 0.27.3 to 0.28.0 (#7331)
Bumps [esbuild](https://github.com/evanw/esbuild) from 0.27.3 to 0.28.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/releases">esbuild's releases</a>.</em></p> <blockquote> <h2>v0.28.0</h2> <ul> <li> <p>Add support for <code>with { type: 'text' }</code> imports (<a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>)</p> <p>The <a href="https://github.com/tc39/proposal-import-text">import text</a> proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by <a href="https://docs.deno.com/examples/importing_text/">Deno</a> and <a href="https://bun.com/docs/guides/runtime/import-html">Bun</a>. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing <a href="https://esbuild.github.io/content-types/#text"><code>text</code> loader</a>. Here's an example:</p> <pre lang="js"><code>import string from './example.txt' with { type: 'text' } console.log(string) </code></pre> </li> <li> <p>Add integrity checks to fallback download path (<a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>)</p> <p>Installing esbuild via npm is somewhat complicated with several different edge cases (see <a href="https://esbuild.github.io/getting-started/#additional-npm-flags">esbuild's documentation</a> for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the <code>npm</code> command, and then with a HTTP request to <code>registry.npmjs.org</code> as a last resort).</p> <p>This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level <code>esbuild</code> package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.</p> </li> <li> <p>Update the Go compiler from 1.25.7 to 1.26.1</p> <p>This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:</p> <ul> <li>It now uses the <a href="https://go.dev/doc/go1.26#new-garbage-collector">new garbage collector</a> that comes with Go 1.26.</li> <li>The Go compiler is now more aggressive with allocating memory on the stack.</li> <li>The executable format that the Go linker uses has undergone several changes.</li> <li>The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.</li> </ul> <p>You can read the <a href="https://go.dev/doc/go1.26">Go 1.26 release notes</a> for more information.</p> </li> </ul> <h2>v0.27.7</h2> <ul> <li> <p>Fix lowering of define semantics for TypeScript parameter properties (<a href="https://redirect.github.com/evanw/esbuild/issues/4421">#4421</a>)</p> <p>The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:</p> <pre lang="ts"><code>// Original code class Foo { constructor(public x = 1) {} y = 2 } <p>// Old output (with --loader=ts --target=es2021)<br /> class Foo {<br /> constructor(x = 1) {<br /> this.x = x;<br /> __publicField(this, "y", 2);<br /> }<br /> x;<br /> }</p> <p>// New output (with --loader=ts --target=es2021)<br /> class Foo {<br /> </code></pre></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/evanw/esbuild/blob/main/CHANGELOG.md">esbuild's changelog</a>.</em></p> <blockquote> <h2>0.28.0</h2> <ul> <li> <p>Add support for <code>with { type: 'text' }</code> imports (<a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>)</p> <p>The <a href="https://github.com/tc39/proposal-import-text">import text</a> proposal has reached stage 3 in the TC39 process, which means that it's recommended for implementation. It has also already been implemented by <a href="https://docs.deno.com/examples/importing_text/">Deno</a> and <a href="https://bun.com/docs/guides/runtime/import-html">Bun</a>. So with this release, esbuild also adds support for it. This behaves exactly the same as esbuild's existing <a href="https://esbuild.github.io/content-types/#text"><code>text</code> loader</a>. Here's an example:</p> <pre lang="js"><code>import string from './example.txt' with { type: 'text' } console.log(string) </code></pre> </li> <li> <p>Add integrity checks to fallback download path (<a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>)</p> <p>Installing esbuild via npm is somewhat complicated with several different edge cases (see <a href="https://esbuild.github.io/getting-started/#additional-npm-flags">esbuild's documentation</a> for details). If the regular installation of esbuild's platform-specific package fails, esbuild's install script attempts to download the platform-specific package itself (first with the <code>npm</code> command, and then with a HTTP request to <code>registry.npmjs.org</code> as a last resort).</p> <p>This last resort path previously didn't have any integrity checks. With this release, esbuild will now verify that the hash of the downloaded binary matches the expected hash for the current release. This means the hashes for all of esbuild's platform-specific binary packages will now be embedded in the top-level <code>esbuild</code> package. Hopefully this should work without any problems. But just in case, this change is being done as a breaking change release.</p> </li> <li> <p>Update the Go compiler from 1.25.7 to 1.26.1</p> <p>This upgrade should not affect anything. However, there have been some significant internal changes to the Go compiler, so esbuild could potentially behave differently in certain edge cases:</p> <ul> <li>It now uses the <a href="https://go.dev/doc/go1.26#new-garbage-collector">new garbage collector</a> that comes with Go 1.26.</li> <li>The Go compiler is now more aggressive with allocating memory on the stack.</li> <li>The executable format that the Go linker uses has undergone several changes.</li> <li>The WebAssembly build now unconditionally makes use of the sign extension and non-trapping floating-point to integer conversion instructions.</li> </ul> <p>You can read the <a href="https://go.dev/doc/go1.26">Go 1.26 release notes</a> for more information.</p> </li> </ul> <h2>0.27.7</h2> <ul> <li> <p>Fix lowering of define semantics for TypeScript parameter properties (<a href="https://redirect.github.com/evanw/esbuild/issues/4421">#4421</a>)</p> <p>The previous release incorrectly generated class fields for TypeScript parameter properties even when the configured target environment does not support class fields. With this release, the generated class fields will now be correctly lowered in this case:</p> <pre lang="ts"><code>// Original code class Foo { constructor(public x = 1) {} y = 2 } <p>// Old output (with --loader=ts --target=es2021)<br /> class Foo {<br /> constructor(x = 1) {<br /> this.x = x;<br /> __publicField(this, "y", 2);<br /> }<br /> x;<br /> }</p> <p></code></pre></p> </li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/evanw/esbuild/commit/6a794dff68e6a43539f6da671e3080efdf11ca70"><code>6a794df</code></a> publish 0.28.0 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/64ee0ea63b2ff303caafc9610c388dc72c882c23"><code>64ee0ea</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4435">#4435</a>: support <code>with { type: text }</code> imports</li> <li><a href="https://github.com/evanw/esbuild/commit/ef65aeeaacdb71eade186f888975b1de89574314"><code>ef65aee</code></a> fix sort order in <code>snapshots_packagejson.txt</code></li> <li><a href="https://github.com/evanw/esbuild/commit/1a26a8ecbc39aaf1379c524a0274a08fbcbed655"><code>1a26a8e</code></a> try to fix <code>test-old-ts</code>, also shuffle CI tasks</li> <li><a href="https://github.com/evanw/esbuild/commit/556ce6c1fc00d7c0917fbfada01ed8e5251bc510"><code>556ce6c</code></a> use <code>''</code> instead of <code>null</code> to omit build hashes</li> <li><a href="https://github.com/evanw/esbuild/commit/8e675a81a473ea69a46a69792f1386bb110dd877"><code>8e675a8</code></a> ci: allow missing binary hashes for tests</li> <li><a href="https://github.com/evanw/esbuild/commit/7067763b904fe8a522fa840a4a48c5fbd4c395e0"><code>7067763</code></a> Reapply "update go 1.25.7 => 1.26.1"</li> <li><a href="https://github.com/evanw/esbuild/commit/39473a952ab3b450d0578b698a8b8d2a02332e0d"><code>39473a9</code></a> fix <a href="https://redirect.github.com/evanw/esbuild/issues/4343">#4343</a>: integrity check for binary download</li> <li><a href="https://github.com/evanw/esbuild/commit/2025c9ff6ab15ba6b0f9d074fd732250cc46e4a3"><code>2025c9f</code></a> publish 0.27.7 to npm</li> <li><a href="https://github.com/evanw/esbuild/commit/c6b586e4904f47e8d5f783a2813660c13e2672e7"><code>c6b586e</code></a> fix typo in <code>Makefile</code> for <code>@esbuild/win32-x64</code></li> <li>Additional commits viewable in <a href="https://github.com/evanw/esbuild/compare/v0.27.3...v0.28.0">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
1325503565 |
build(deps): bump @codemirror/lang-javascript from 6.2.4 to 6.2.5 (#7328)
Bumps [@codemirror/lang-javascript](https://github.com/codemirror/lang-javascript) from 6.2.4 to 6.2.5. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/codemirror/lang-javascript/blob/main/CHANGELOG.md">@codemirror/lang-javascript's changelog</a>.</em></p> <blockquote> <h2>6.2.5 (2026-03-02)</h2> <h3>Bug fixes</h3> <p>Support code folding of JSX elements and tags.</p> <p>When reading properties in <code>scopeCompletionSource</code>, use the original object, not a prototype.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/codemirror/lang-javascript/commit/a202a000e8d3d107d1c340db933d9f09a828308a"><code>a202a00</code></a> Mark version 6.2.5</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/190b567c8066a4383826b9a32e3a53f3ed01e442"><code>190b567</code></a> Fix missing inherited getters in enumeratePropertyCompletions</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/a94cdcb88454738842564881d6980502f0bfc784"><code>a94cdcb</code></a> Add folding for JSX elements and tags</li> <li><a href="https://github.com/codemirror/lang-javascript/commit/78a85210d83c41bef23c222425f2ebf3d4353e2d"><code>78a8521</code></a> Use git+https format for package.json repository field</li> <li>See full diff in <a href="https://github.com/codemirror/lang-javascript/compare/6.2.4...6.2.5">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
38c185fb8b |
[codex] Add agent permissions and controls plan (#6386)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies by keeping task ownership, approvals, and operator control inside one control plane. > - Agent permissions and plugin-hosted company settings sit on the boundary between autonomy and governance. > - V1 needs scoped task assignment rules, plugin extension points, and clearer company access surfaces without weakening company boundaries. > - The branch builds the core authorization service, plugin SDK/host APIs, and UI simplifications needed to support those controls. > - Paperclip EE plugin surfaces were intentionally moved out of this core PR per review direction, so this PR now carries only the public core/plugin infrastructure work. > - The latest updates preserve the PAP-9937 branch changes that belong in this PR, remove the `design/` artifacts, and exclude the experimental `plugin-briefs` package. > - Greptile feedback was applied through the authorization/audit paths and the final cleanup commit was re-reviewed at 5/5 with no unresolved Greptile threads. > - The benefit is safer assignment control with extension hooks for richer permission products while preserving simple defaults for normal operators. ## What Changed - Added scoped task-assignment authorization decisions and routed issue/agent assignment mutations through the authorization service. - Added plugin SDK and host APIs for company settings slots, authorization policy/grant management, assignment previews, and bridge invocation scope propagation. - Simplified core company access UI and moved advanced controls behind plugin-provided settings surfaces. - Added retry-now affordances for blocked issue next-step notices. - Added protected-assignment enforcement for persisted agent/project/issue policies, including explicit-grant fallback behavior. - Added incremental principal-access compatibility backfill for active agent memberships and role-default human permission grants. - Added the Markdown code block wrap action fix from the latest branch changes. - Removed `design/` artifacts from the PR and removed `packages/plugins/plugin-briefs` from the final diff. - Addressed Greptile feedback for plugin actor sanitization, legacy membership handling, audit pagination, unknown grant-scope metadata, and startup test mocks. ## Verification - `pnpm exec vitest run server/src/__tests__/access-service.test.ts server/src/__tests__/company-portability.test.ts` -> 2 files passed, 54 tests passed. - `pnpm exec vitest run server/src/__tests__/server-startup-feedback-export.test.ts server/src/__tests__/access-service.test.ts server/src/__tests__/company-portability.test.ts` -> 3 files passed, 62 tests passed. - `pnpm exec vitest run server/src/__tests__/authorization-service.test.ts server/src/__tests__/plugin-access-authorization-host-services.test.ts server/src/__tests__/server-startup-feedback-export.test.ts` -> 3 files passed, 28 tests passed. - `pnpm --filter @paperclipai/server typecheck` -> passed. - `git diff --check` -> passed. - `node ./scripts/check-docker-deps-stage.mjs` -> passed. - `CI=true pnpm install --frozen-lockfile --ignore-scripts` -> passed with no lockfile update. - `pnpm exec vitest run ui/src/components/MarkdownBody.interaction.test.tsx` -> 1 test passed. - `git ls-files design packages/plugins/plugin-briefs | wc -l` -> 0. - GitHub CI on `40cd83b53` -> all checks passed, merge state `CLEAN`. - Greptile on `40cd83b53` -> 5/5, 102 files reviewed, 0 comments/annotations added, 0 unresolved review threads. - Confirmed the PR diff contains no `design/`, `packages/plugins/plugin-briefs`, `pnpm-lock.yaml`, or `.github/workflows` changes. ## Risks - Medium: task assignment authorization paths are behaviorally stricter for protected/private policy data, so existing plugin-authored policies may block assignment until explicit grants or approval flows are configured. - Medium: plugin-host authorization APIs expand the surface area available to trusted plugins and need careful review for company scoping. - Low: startup now performs a principal-access compatibility backfill, but the migration and runtime backfill use conflict-tolerant inserts. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled workflow with shell, git, and GitHub CLI access. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
b947a7d76c |
[codex] Improve local plugin development workflow (#5821)
## Thinking Path > - Paperclip is the control plane for autonomous AI-agent companies. > - Plugins are the extension point for adding capabilities without expanding the core product surface. > - Local plugin development needed a tighter CLI-first loop so plugin authors can scaffold, run, install, inspect, and reload plugins without reaching into internal package paths. > - The server plugin install path also needed local-path handling that keeps plugin identity, dashboard routes, and development watchers coherent. > - This pull request adds the CLI scaffold/install workflow, fixes the server and SDK edge cases that blocked that loop, and updates the agent-facing plugin creation skill and docs. > - The benefit is that contributors can develop plugins from local folders with a documented, repeatable happy path. ## What Changed - Added `paperclipai plugin init` coverage and CLI wiring for local plugin scaffolding. - Improved local plugin install handling, plugin key route resolution, dashboard capability behavior, and dev watcher startup/reload behavior. - Fixed plugin SDK worker entrypoint validation for symlinked package layouts. - Added targeted tests for plugin init, server plugin authz/watcher behavior, SDK worker host validation, and the authoring smoke example. - Added a short local plugin development guide and refreshed the plugin authoring guide plus `paperclip-create-plugin` skill instructions. ## Verification - `pnpm run preflight:workspace-links && pnpm --filter @paperclipai/plugin-sdk build && pnpm --filter @paperclipai/create-paperclip-plugin typecheck && pnpm --filter paperclipai typecheck && pnpm --filter @paperclipai/plugin-sdk typecheck && pnpm --filter @paperclipai/server typecheck` - `pnpm exec vitest run --project paperclipai cli/src/__tests__/plugin-init.test.ts` - `pnpm exec vitest run --project @paperclipai/plugin-sdk packages/plugins/sdk/tests/worker-rpc-host.test.ts` - `pnpm exec vitest run --project @paperclipai/server server/src/__tests__/plugin-dev-watcher.test.ts --pool=forks --poolOptions.forks.isolate=true` - `pnpm exec vitest run --project @paperclipai/server server/src/__tests__/plugin-routes-authz.test.ts --pool=forks --poolOptions.forks.isolate=true` - `pnpm --dir packages/plugins/examples/plugin-authoring-smoke-example test` - Confirmed `pnpm-lock.yaml` is not included in the PR diff. ## Risks - Medium risk: this touches plugin install routing, CLI command behavior, and the local development watcher. - Local path plugin installs execute trusted local code by design; the new docs call out that trust boundary. - No database migrations are included. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled local shell and git workflow, medium reasoning effort. Context window details were not exposed in this runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge UI screenshots: not applicable; this PR changes CLI/server/plugin docs and tests, not board UI rendering. --------- Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
3c73ed26b5 |
Expand plugin host surface (#5205)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The plugin system is the extension boundary for optional product capabilities > - Rich plugins need more than a worker entrypoint: they need scoped database storage, local project folders, managed agents/routines, host navigation, and reusable UI components > - The LLM Wiki work exposed those missing host surfaces while keeping plugin code outside the core control plane > - This pull request expands the core plugin host, SDK, server APIs, and UI bridge so plugins can declare and use those surfaces > - The benefit is that future plugins can integrate with Paperclip through documented, validated contracts instead of bespoke server or UI imports ## What Changed - Added plugin-managed database namespaces and migration tracking, including Drizzle schema/migration files and SQL validation for namespace isolation. - Added server support for plugin local folders, managed agents, managed routines, scoped plugin APIs, and plugin operation visibility. - Expanded shared plugin manifest/types/validators and SDK host/testing/UI exports for richer plugin surfaces. - Added reusable UI pieces for file trees, managed routines, resizable sidebars, route sidebars, and plugin bridge initialization. - Updated plugin docs and example plugins to use the expanded host and SDK surface. ## Verification - `pnpm install --frozen-lockfile` - `pnpm run preflight:workspace-links && pnpm exec vitest run packages/shared/src/validators/plugin.test.ts server/src/__tests__/plugin-database.test.ts server/src/__tests__/plugin-local-folders.test.ts server/src/__tests__/plugin-managed-agents.test.ts server/src/__tests__/plugin-managed-routines.test.ts server/src/__tests__/plugin-orchestration-apis.test.ts ui/src/api/plugins.test.ts ui/src/components/FileTree.test.tsx ui/src/components/ResizableSidebarPane.test.tsx ui/src/pages/PluginPage.test.tsx ui/src/plugins/bridge.test.ts` passed: 11 files, 67 tests. - Confirmed this PR changes 89 files and does not include `pnpm-lock.yaml` or `.github/workflows/*`. ## Risks - Medium: this expands plugin host contracts across db/shared/server/ui and includes a new core migration (`0076_useful_elektra.sql`). - The plugin database namespace validator is intentionally restrictive; plugin authors may need follow-up affordances for SQL patterns that remain blocked. - Merge this before the LLM Wiki plugin PR so the plugin can resolve the new SDK and host APIs. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled shell/git/GitHub workflow. Context window size was not exposed by the runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
868d08903e |
test: isolate CLI company import e2e state (#4560)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies, and its CLI import/export path is part of how operators move company state safely between environments. > - The `paperclipai company import/export` e2e test is supposed to validate that portability flow inside a hermetic harness, not against a developer's live Paperclip home. > - This regression showed nested CLI subprocesses could silently fall back to ambient `PAPERCLIP_*` state and mutate a real local instance by creating extra companies such as `CLI-1-Roundtrip-Test`. > - The first job was to pin the test subprocesses to isolated config, home, instance, auth, and context paths, and to add a regression assertion that proves the nested CLI writes stay inside the test-owned state. > - Once the PR was up, CI and Greptile exposed two follow-on issues that were blocking merge: plugin SDK typecheck bootstrap was racing across packages in fresh CI, and the new lock helper needed one more fix to release its lock on failure. > - This pull request therefore ends up doing two tightly related things: fixing the original CLI isolation leak, and hardening the supporting typecheck/bootstrap path enough for the fix to verify cleanly in CI. > - The benefit is that the portability e2e test is now actually isolated, and the PR verification path is stable enough to catch regressions instead of introducing its own nondeterministic failures. ## What Changed - Hardened `cli/src/__tests__/company-import-export-e2e.test.ts` so nested CLI subprocesses re-seed isolated `PAPERCLIP_CONFIG`, `PAPERCLIP_HOME`, `PAPERCLIP_INSTANCE_ID`, `PAPERCLIP_CONTEXT`, `PAPERCLIP_AUTH_STORE`, and throwaway `HOME` values instead of falling back to ambient machine state. - Added a regression assertion around `paperclipai context set --json`, then cleared the temporary `context.json` so the isolation check and the later export/import flow stay independent. - Passed the same isolated `HOME` into the server subprocess so both sides of the e2e harness are symmetric. - Introduced locking in `scripts/ensure-plugin-build-deps.mjs` and switched the server/plugin example `typecheck` scripts to use that helper instead of launching concurrent raw `@paperclipai/plugin-sdk` builds. - Fixed the helper failure path so it releases the lock before exiting non-zero, which prevents stale-lock timeouts during parallel typecheck runs. ## Verification - `pnpm vitest run cli/src/__tests__/company-import-export-e2e.test.ts --project paperclipai` - `pnpm --filter paperclipai typecheck` - `pnpm -r typecheck` - PR checks now pass on the current head, including `policy`, `verify`, `e2e`, `security/snyk`, and `Greptile Review`. ## Risks - Low risk. The product-facing behavior change is scoped to test harness code in the CLI e2e suite. - The CI stabilization changes only affect bootstrap/typecheck helper paths for the server and plugin/example packages, but they do touch shared verification plumbing; the main risk is changing how fresh build artifacts are prepared in local/CI typecheck runs. ## Model Used - Anthropic Claude via Paperclip `claude_local`, model `claude-opus-4-7`, high-effort local coding agent, used for the initial implementation and first peer-reviewed verification. - OpenAI Codex via Paperclip `codex_local`, model `gpt-5.4`, high reasoning-effort local coding agent with tool use, used for CI triage, Greptile follow-up fixes, verification, and PR maintenance. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge |
||
|
|
9c6f551595 |
[codex] Add plugin orchestration host APIs (#4114)
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - The plugin system is the extension path for optional capabilities that should not require core product changes for every integration. > - Plugins need scoped host APIs for issue orchestration, documents, wakeups, summaries, activity attribution, and isolated database state. > - Without those host APIs, richer plugins either cannot coordinate Paperclip work safely or need privileged core-side special cases. > - This pull request adds the plugin orchestration host surface, scoped route dispatch, a database namespace layer, and a smoke plugin that exercises the contract. > - The benefit is a broader plugin API that remains company-scoped, auditable, and covered by tests. ## What Changed - Added plugin orchestration host APIs for issue creation, document access, wakeups, summaries, plugin-origin activity, and scoped API route dispatch. - Added plugin database namespace tables, schema exports, migration checks, and idempotent replay coverage under migration `0059_plugin_database_namespaces`. - Added shared plugin route/API types and validators used by server and SDK boundaries. - Expanded plugin SDK types, protocol helpers, worker RPC host behavior, and testing utilities for orchestration flows. - Added the `plugin-orchestration-smoke-example` package to exercise scoped routes, restricted database namespaces, issue orchestration, documents, wakeups, summaries, and UI status surfaces. - Kept the new orchestration smoke fixture out of the root pnpm workspace importer so this PR preserves the repository policy of not committing `pnpm-lock.yaml`. - Updated plugin docs and database docs for the new orchestration and database namespace surfaces. - Rebased the branch onto `public-gh/master`, resolved conflicts, and removed `pnpm-lock.yaml` from the final PR diff. ## Verification - `pnpm install --frozen-lockfile` - `pnpm --filter @paperclipai/db typecheck` - `pnpm exec vitest run packages/db/src/client.test.ts` - `pnpm exec vitest run server/src/__tests__/plugin-database.test.ts server/src/__tests__/plugin-orchestration-apis.test.ts server/src/__tests__/plugin-routes-authz.test.ts server/src/__tests__/plugin-scoped-api-routes.test.ts server/src/__tests__/plugin-sdk-orchestration-contract.test.ts` - From `packages/plugins/examples/plugin-orchestration-smoke-example`: `pnpm exec vitest run --config ./vitest.config.ts` - `pnpm --dir packages/plugins/examples/plugin-orchestration-smoke-example run typecheck` - `pnpm --filter @paperclipai/server typecheck` - PR CI on latest head `293fc67c`: `policy`, `verify`, `e2e`, and `security/snyk` all passed. ## Risks - Medium risk: this expands plugin host authority, so route auth, company scoping, and plugin-origin activity attribution need careful review. - Medium risk: database namespace migration behavior must remain idempotent for environments that may have seen earlier branch versions. - Medium risk: the orchestration smoke fixture is intentionally excluded from the root workspace importer to avoid a `pnpm-lock.yaml` PR diff; direct fixture verification remains listed above. - Low operational risk from the PR setup itself: the branch is rebased onto current `master`, the migration is ordered after upstream `0057`/`0058`, and `pnpm-lock.yaml` is not in the final diff. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. Roadmap checked: this work aligns with the completed Plugin system milestone and extends the plugin surface rather than duplicating an unrelated planned core feature. ## Model Used - OpenAI Codex, GPT-5-based coding agent in a tool-enabled CLI environment. Exact hosted model build and context-window size are not exposed by the runtime; reasoning/tool use were enabled for repository inspection, editing, testing, git operations, and PR creation. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots (N/A: no core UI screen change; example plugin UI contract is covered by tests) - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
|
866032eaaa |
fix(security): bump rollup to 4.59.0 to fix path-traversal CVE
Addresses GHSA-mw96-cpmx-2vgc (arbitrary file write via path traversal in rollup <4.59.0). Bumps the direct dependency in the plugin authoring example and adds a pnpm override for transitive copies via Vite. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
|
af844b778e |
Add plugin telemetry bridge capability
Expose telemetry.track through the plugin SDK and server host bridge, forward plugin-prefixed events into the shared telemetry client, and demonstrate the capability in the kitchen sink example.\n\nCo-Authored-By: Paperclip <noreply@paperclip.ing> |
||
|
|
22b8e90ba6 | Fix plugin smoke example typecheck | ||
|
|
30888759f2 | Clarify plugin authoring and external dev workflow | ||
|
|
cb5d7e76fb | Expand kitchen sink plugin demos | ||
|
|
6fa1dd2197 | Add kitchen sink plugin example | ||
|
|
12ccfc2c9a | Simplify plugin runtime and cleanup lifecycle | ||
|
|
80cdbdbd47 | Add plugin framework and settings UI |