Bump the dev-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dev-dependencies group with 7 updates in the / directory:

Package	From	To
@cap-js/cds-typer	0.38.0	0.39.0
@cap-js/cds-types	0.16.0	0.17.0
@cap-js/sqlite	2.2.0	2.4.0
@sap/cds-dk	9.8.3	9.9.1
eslint	10.2.0	10.3.0
prettier	3.8.1	3.8.3
typescript-eslint	8.58.0	8.59.3

Updates @cap-js/cds-typer from 0.38.0 to 0.39.0

Release notes

Sourced from @​cap-js/cds-typer's releases.

v0.39.0

Added

• Added flag cds.env.typer.branded_primitive_types for branding CDS type definitions aliasing primitive TS types
• Added support for non-ASCII identifiers in .cds files. Non-ASCII characters in identifiers are sanitised to valid TypeScript names. Identifiers consisting entirely of non-ASCII characters (e.g., Kanji) are replaced with random hashes. All affected identifiers are exported under their sanitised/hashed name and also as an alias preserving the original name. To use the original name, import it with import ... as '...' syntax.

Changed

Deprecated

Removed

Fixed

• Association keys pointing to entities with inline enum types are now correctly typed in service projections across namespace boundaries

Security

Changelog

Sourced from @​cap-js/cds-typer's changelog.

[0.39.0] - 2026-05-11

Added

• Added flag cds.env.typer.branded_primitive_types for branding CDS type definitions aliasing primitive TS types
• Added support for non-ASCII identifiers in .cds files. Non-ASCII characters in identifiers are sanitised to valid TypeScript names. Identifiers consisting entirely of non-ASCII characters (e.g., Kanji) are replaced with random hashes. All affected identifiers are exported under their sanitised/hashed name and also as an alias preserving the original name. To use the original name, import it with import ... as '...' syntax.

Changed

Deprecated

Removed

Fixed

• Association keys pointing to entities with inline enum types are now correctly typed in service projections across namespace boundaries

Security

Commits

• 162b15d chore(version): minor version 0.39.0 (#609)
• c5cbf13 fix: export inline enums so they are accessible cross-namespace in service pr...
• cec179a feat: Non-alpha identifiers (#581)
• cc18bc6 chore(deps): Bump path-to-regexp from 0.1.12 to 0.1.13 (#604)
• b484218 chore(deps): Bump yaml from 2.5.0 to 2.8.3 (#603)
• 748e6f6 chore(deps-dev): Bump flatted from 3.3.1 to 3.4.2 (#598)
• 5738837 chore(deps-dev): Bump brace-expansion from 1.1.12 to 1.1.14 (#605)
• 43fff45 chore(deps-dev): Bump picomatch from 4.0.3 to 4.0.4 (#602)
• 5de3dbd chore(deps-dev): Bump minimatch from 3.1.2 to 3.1.5 (#596)
• 817e79c chore(deps-dev): Bump ajv from 6.12.6 to 6.14.0 (#593)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​cap-js/cds-typer since your current version.

Updates @cap-js/cds-types from 0.16.0 to 0.17.0

Release notes

Sourced from @​cap-js/cds-types's releases.

v0.17.0

Added

• Types for nested .where and .having predicates
• Passing events generated by cds-typer into service.on now offers code completion for the event's properties in the handler
• Allow all events that can be used in service.on to be used in service.once as well

Changed

• ResultHandler now returns unknown instead of void, to accommodate asynchronous functions when having @typescript-eslint/strict-void-return activated
• Documentation for cds.test.axios mentioning that @cap-js/cds-test@1 now returns an axios facade in absence of axios.
• made cds.context.locale optional
• cds.tx(ƒ) now returns the return type of ƒ

Deprecated

• cds.test.chai, cds.test.assert pointing to either cds.test.expect or a custom import of chai.
• cds.test.axios in favor of cds.test.defaults

Removed

Fixed

Security

Changelog

Sourced from @​cap-js/cds-types's changelog.

[0.17.0] - 2026-05-11

Added

• Types for nested .where and .having predicates
• Passing events generated by cds-typer into service.on now offers code completion for the event's properties in the handler
• Allow all events that can be used in service.on to be used in service.once as well

Changed

• ResultHandler now returns unknown instead of void, to accommodate asynchronous functions when having @typescript-eslint/strict-void-return activated
• Documentation for cds.test.axios mentioning that @cap-js/cds-test@1 now returns an axios facade in absence of axios.
• made cds.context.locale optional
• cds.tx(ƒ) now returns the return type of ƒ

Deprecated

• cds.test.chai, cds.test.assert pointing to either cds.test.expect or a custom import of chai.
• cds.test.axios in favor of cds.test.defaults

Removed

Fixed

Security

Commits

• 5c4e0a0 chore(version): minor version 0.17.0 (#554)
• 0b9140c build(deps-dev): bump fast-uri from 3.1.0 to 3.1.2 (#552)
• f9c9a86 build(deps-dev): bump axios from 1.15.1 to 1.16.0 (#551)
• fe0045f fix: add missing once events (#550)
• 8358aff Revert "Allow on events in once"
• 4d70141 Allow on events in once
• 2d54f7a feat: Add code completion for custom events in handlers (#547)
• 662aeb7 fix(test): add cds.test.defaults, deprecate .axios (#545)
• adcf9ba feat: Strong type where condition predicates (#503)
• 0111641 fix: signature of cds.tx (#544)
• Additional commits viewable in compare view

Updates @cap-js/sqlite from 2.2.0 to 2.4.0

Release notes

Sourced from @​cap-js/sqlite's releases.

db-service: v2.4.0

2.4.0 (2025-08-27)

Added

• tuple expansion: allow structs with exactly one element/fk in comparison (#1291) (75ea826)
• cds.db.foreach uses real object mode streaming (#1318) (cd28b53)

Fixed

• assoc2join: target side access detection (#1282) (6f9befa)
• cqn4sql: only consider own property [@cds](https://github.com/cds).persistence.skip (#1324) (bd1f52f)
• exists: do not loose custom where (#1322) (644918c)
• arithmetic operators can only be used with scalar operands (#1307) (d58d335)
• detect path expression inside nested xpr after exists (#1292) (852d915), closes #1225
• reject comparison of two empty structures (#1306) (d97304d)

hana: v2.4.0

2.4.0 (2025-11-26)

Added

• error standard function (#1421) (b1b0fca)
• show default pool configuration in env (#1422) (89b397a)

Fixed

• deps: update dependency hdb to v2 (#1266) (742a784)

Dependencies

• The following workspace dependencies were updated
  • dependencies
    • @​cap-js/db-service bumped from ^2.6.0 to ^2.7.0

sqlite: v2.4.0

2.4.0 (2026-04-29)

Added

• supersede potentially compromised release (#1590) (3be4044)

Dependencies

... (truncated)

Commits

• f9d6ece chore: release main (#1403)
• 6e924c9 fix: reject nested projection if duplicated (#1411)
• 31766cd fix: LimitedRank with compositions (#1391)
• 89b397a feat: show default pool configuration in env (#1422)
• f6ef6e0 chore(deps): update actions/checkout action to v6 (#1425)
• 565633e chore(deps): lock file maintenance (#1427)
• b1b0fca feat: error standard function (#1421)
• 6c4a4f0 chore: $main (#1397)
• 2a10d2c chore(deps): lock file maintenance (#1419)
• be54935 chore: enable provenance, remove obsolete NPM token (#1416)
• Additional commits viewable in compare view

Updates @sap/cds-dk from 9.8.3 to 9.9.1

Updates eslint from 10.2.0 to 10.3.0

Release notes

Sourced from eslint's releases.

v10.3.0

Features

• 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

• b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

• 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
• 7f47937 docs: Update README (GitHub Actions Bot)

Chores

• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])
• 2f58136 chore: pin peter-evans/create-pull-request action to 5f6978f (#20810) (renovate[bot])
• 77add7f chore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)
• 4023b55 test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)
• 54080da test: add unit tests for ForkContext (#20778) (kuldeep kumar)
• f0e2bcc test: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)
• a7f0b94 chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])
• 7bf93d9 chore: update TypeScript to v6 (#20677) (sethamus)
• b42dd72 ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])
• 2b252be test: add unit tests for IdGenerator (#20775) (kuldeep kumar)

v10.2.1

Bug Fixes

• 14be92b fix: model generator yield resumption paths in code path analysis (#20665) (sethamus)
• 84a19d2 fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)
• af764af fix: clarify language and processor validation errors (#20729) (Pixel998)
• e251b89 fix: update eslint (#20715) (renovate[bot])

Documentation

• ca92ca0 docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)
• 57d2ee2 docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)
• c1621b9 docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)
• 1418d52 docs: Update README (GitHub Actions Bot)
• 39771e6 docs: Update README (GitHub Actions Bot)
• 71e0469 docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)
• 22119ce docs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)
• 8f3fb77 docs: document meta.docs.dialects (#20718) (Pixel998)

Chores

• 7ddfea9 chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])
• fac40e1 ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])
• 7246f92 test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)
• 4f34b1e chore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])

... (truncated)

Commits

• 7889204 10.3.0
• 5b69b4f Build: changelog update for 10.3.0
• d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826)
• b6ae5cf fix: handle unavailable require cache (#20812)
• 3ffb14e chore: clean up typos in comments and JSDoc (#20821)
• 6fb3685 fix: rule suggestions cause continuation in class body (#20787)
• 22eb58a chore: add missing continue-on-error to ecosystem-tests.yml (#20818)
• 88bf002 ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815)
• 379571a feat: add suggestions for no-unused-private-class-members (#20773)
• 97c8c33 chore: update ilshidur/action-discord action to v0.4.0 (#20811)
• Additional commits viewable in compare view

Updates prettier from 3.8.1 to 3.8.3

Release notes

Sourced from prettier's releases.

3.8.3

• SCSS: Prevent trailing comma in if() function (prettier/prettier#18471 by @​kovsu)

🔗 Changelog

3.8.2

• Support Angular v21.2

🔗 Changelog

Changelog

Sourced from prettier's changelog.

3.8.3

diff

SCSS: Prevent trailing comma in if() function (#18471 by @​kovsu)

// Input
$value: if(sass(false): 1; else: -1);
// Prettier 3.8.2
$value: if(
sass(false): 1; else: -1,
);
// Prettier 3.8.3
$value: if(sass(false): 1; else: -1);

3.8.2

diff

Angular: Support Angular v21.2 (#18722, #19034 by @​fisker)

Exhaustive typechecking with @default never;

<!-- Input -->
@switch (foo) {
  @case (1) {}
  @default never;
}
<!-- Prettier 3.8.1 -->
SyntaxError: Incomplete block "default never". If you meant to write the @ character, you should use the "&#64;" HTML entity instead. (3:3)
<!-- Prettier 3.8.2 -->
@​switch (foo) {
@​case (1) {}
@​default never;
}

arrow function and instanceof expressions.

</tr></table> 

... (truncated)

Commits

• d7108a7 Release 3.8.3
• 177f908 Prevent trailing comma in SCSS if() function (#18471)
• 1cd4066 Release @​prettier/plugin-oxc@​0.1.4
• a8700e2 Update oxc-parser to v0.125.0
• 752157c Fix tests
• 053fd41 Bump Prettier dependency to 3.8.2
• 904c636 Clean changelog_unreleased
• dc1f7fc Update dependents count
• b31557c Release 3.8.2
• 96bbaed Support Angular v21.2 (#18722)
• Additional commits viewable in compare view

Updates typescript-eslint from 8.58.0 to 8.59.3

Release notes

Sourced from typescript-eslint's releases.

v8.59.3

8.59.3 (2026-05-11)

This was a version bump only, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.2

8.59.2 (2026-05-04)

🩹 Fixes

• eslint-plugin: [no-unsafe-type-assertion] handle crash on recursive template literal types (#12150)
• eslint-plugin: [no-deprecated] object destructuring values should be treated as declarations (#12292)
• rule-tester: add TypeScript as a peer dependency (#12288)

❤️ Thank You

• Dariusz Czajkowski
• Dima Barabash
• Kirk Waiblinger @​kirkwaiblinger

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

v8.59.1

8.59.1 (2026-04-27)

🩹 Fixes

• eslint-plugin: [no-unnecessary-type-assertion] fix crash "TypeError: checker.getTypeArguments is not a function" (#12246)
• eslint-plugin: [no-unnecessary-type-assertion] preserve index signatures in undefined unions (#12257)
• eslint-plugin: [no-unnecessary-type-assertion] preserve phantom type arguments in generic inference (#12269)
• eslint-plugin: [no-unnecessary-type-assertion] avoid false positive in logical assignment assertions (#12278)
• eslint-plugin: [no-unnecessary-type-arguments] handle instantiation expressions (#12220)
• eslint-plugin: [no-unnecessary-condition] treat void as nullish in no-unnecessary-condition (#12241)

❤️ Thank You

• anasm266 @​anasm266
• Anshika Jain @​Anshikakalpana
• Ulrich Stark
• yugo innami @​nami8824

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

... (truncated)

Changelog

Sourced from typescript-eslint's changelog.

8.59.3 (2026-05-11)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.2 (2026-05-04)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.1 (2026-04-27)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.59.0 (2026-04-20)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.2 (2026-04-13)

🩹 Fixes

• remove tsbuildinfo cache file from published packages (#12187)

❤️ Thank You

• Abhijeet Singh @​cseas

See GitHub Releases for more information.

You can read about our versioning strategy and releases on our website.

8.58.1 (2026-04-08)

This was a version bump only for typescript-eslint to align it with other projects, there were no code changes.

... (truncated)

Commits

• 48e13c0 chore(release): publish 8.59.3
• 44f9625 chore(deps): update vitest monorepo to v4.1.5 (#12307)
• 2ec35f1 chore(release): publish 8.59.2
• 5245793 chore(release): publish 8.59.1
• ea9ae4f chore(release): publish 8.59.0
• 90c2803 chore(release): publish 8.58.2
• b3315fd chore: convert import eslint to import js - followup (#12100)
• be6b49a fix: remove tsbuildinfo cache file from published packages (#12187)
• 5311ed3 chore(release): publish 8.58.1
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
npm/@cap-js/cds-typer	0.39.0	Unknown	Unknown
npm/@cap-js/cds-types	0.17.0	Unknown	Unknown
npm/@cap-js/db-service	2.11.0	Unknown	Unknown
npm/@cap-js/sqlite	2.4.0	Unknown	Unknown
npm/@eslint/config-array	0.23.5	Unknown	Unknown
npm/@eslint/config-helpers	0.5.5	Unknown	Unknown
npm/@eslint/core	1.2.1	Unknown	Unknown
npm/@eslint/object-schema	3.0.5	Unknown	Unknown
npm/@eslint/plugin-kit	0.7.1	Unknown	Unknown
npm/@sap/cds	9.9.1	Unknown	Unknown
npm/@sap/cds-compiler	6.9.1	Unknown	Unknown
npm/@sap/cds-dk	9.9.1	Unknown	Unknown
npm/@sap/cds-mtxs	3.9.0	Unknown	Unknown
npm/@sap/xsenv	6.2.0	Unknown	Unknown
npm/@typescript-eslint/eslint-plugin	8.59.3	Unknown	Unknown
npm/@typescript-eslint/parser	8.59.3	Unknown	Unknown
npm/@typescript-eslint/project-service	8.59.3	Unknown	Unknown
npm/@typescript-eslint/scope-manager	8.59.3	Unknown	Unknown
npm/@typescript-eslint/tsconfig-utils	8.59.3	Unknown	Unknown
npm/@typescript-eslint/type-utils	8.59.3	Unknown	Unknown
npm/@typescript-eslint/types	8.59.3	Unknown	Unknown
npm/@typescript-eslint/typescript-estree	8.59.3	Unknown	Unknown
npm/@typescript-eslint/utils	8.59.3	Unknown	Unknown
npm/@typescript-eslint/visitor-keys	8.59.3	Unknown	Unknown
npm/better-sqlite3	12.9.0	Unknown	Unknown
npm/content-disposition	1.1.0	🟢 7.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Code-Review 🟢 7 Found 18/25 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 16 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Vulnerabilities 🟢 10 0 existing vulnerabilities detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Dependency-Update-Tool 🟢 10 update tool detected SAST 🟢 9 SAST tool detected but not run on all commits License 🟢 10 license file detected Security-Policy 🟢 9 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 28 out of 28 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 21 contributing companies or organizations
npm/eslint	10.3.0	🟢 6.4	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 18/24 approved changesets -- score normalized to 7 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits
npm/hasown	2.0.3	Unknown	Unknown
npm/node-abi	3.92.0	Unknown	Unknown
npm/path-to-regexp	8.4.2	🟢 7.6	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches CI-Tests 🟢 10 26 out of 26 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 5 found 12 unreviewed changesets out of 29 -- score normalized to 5 Contributors 🟢 10 25 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 16 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 9 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 no vulnerabilities detected
npm/prettier	3.8.3	🟢 6.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 2 Found 4/15 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 9 SAST tool detected but not run on all commits
npm/qs	6.15.1	🟢 5.3	Details Check Score Reason Maintained 🟢 10 29 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 1 Found 5/30 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices 🟢 5 badge detected: Passing Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/side-channel-list	1.0.1	Unknown	Unknown
npm/tinyglobby	0.2.16	Unknown	Unknown
npm/typescript-eslint	8.59.3	🟢 6	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 9 Found 25/27 approved changesets -- score normalized to 9 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/yaml	2.8.4	🟢 7.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/11 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• package-lock.json

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.