ci(deps): bump the actions group across 1 directory with 6 updates by dependabot[bot] · Pull Request #354 · StackOneHQ/stackone-ai-node

dependabot · 2026-03-30T08:18:04Z

Bumps the actions group with 6 updates in the / directory:

Package	From	To
jaywcjlove/coverage-badges-cli	`2.2.0`	`2.3.0`
actions/deploy-pages	`4.0.5`	`5.0.0`
anthropics/claude-code-action	`1.0.34`	`1.0.82`
dependabot/fetch-metadata	`2.5.0`	`3.0.0`
lewagon/wait-on-check-action	`1.5.0`	`1.6.0`
actions/setup-node	`6.2.0`	`6.3.0`

Updates jaywcjlove/coverage-badges-cli from 2.2.0 to 2.3.0

Release notes

Sourced from jaywcjlove/coverage-badges-cli's releases.

v2.3.0

Documentation v2.3.0: https://raw.githack.com/jaywcjlove/coverage-badges-cli/0031c7f/index.html
Comparing Changes: jaywcjlove/coverage-badges-cli@v2.3.0...v2.3.0

Commits

998665f released v2.3.0
5b02883 chore: update Node.js version to 24 in action.yml
1a37a69 ci: update workflows config.
134a128 doc: Update README.md
f83e4a6 doc: Update README.md
See full diff in compare view

Updates actions/deploy-pages from 4.0.5 to 5.0.0

Release notes

Sourced from actions/deploy-pages's releases.

v5.0.0

Changelog

Update Node.js version to 24.x @salmanmkc (#404)

Add workflow file for publishing releases to immutable action package @Jcambass (#374)

Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group across 1 directory @dependabot (#360)

Make the rebuild dist workflow work nicer with Dependabot @yoannchaudet (#361)

Bump the non-breaking-changes group across 1 directory with 3 updates @dependabot (#358)

Delete repeated sentence @garethsb (#359)

Update README.md @tsusdere (#348)

Bump the non-breaking-changes group with 4 updates @dependabot (#341)

Remove error message for file permissions @TooManyBees (#340)

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

Commits

cd2ce8f Merge pull request #404 from salmanmkc/node24
bbe2a95 Update Node.js version to 24.x
854d7aa Merge pull request #374 from actions/Jcambass-patch-1
306bb81 Add workflow file for publishing releases to immutable action package
b742728 Merge pull request #360 from actions/dependabot/npm_and_yarn/npm_and_yarn-513...
7273294 Bump braces in the npm_and_yarn group across 1 directory
963791f Merge pull request #361 from actions/dependabot-friendly
51bb29d Make the rebuild dist workflow safer for Dependabot
89f3d10 Merge pull request #358 from actions/dependabot/npm_and_yarn/non-breaking-cha...
bce7355 Merge branch 'main' into dependabot/npm_and_yarn/non-breaking-changes-99c12deb21
Additional commits viewable in compare view

Updates anthropics/claude-code-action from 1.0.34 to 1.0.82

Release notes

Sourced from anthropics/claude-code-action's releases.

v1.0.82

Full Changelog: anthropics/claude-code-action@v1...v1.0.82

v1.0.81

Full Changelog: anthropics/claude-code-action@v1...v1.0.81

v1.0.80

Full Changelog: anthropics/claude-code-action@v1...v1.0.80

v1.0.79

Full Changelog: anthropics/claude-code-action@v1...v1.0.79

v1.0.78

Full Changelog: anthropics/claude-code-action@v1...v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

Workflows that configure allowed_non_write_users now automatically get CLAUDE_CODE_SUBPROCESS_ENV_SCRUB=1, which makes Claude Code (v2.1.79+) strip Anthropic and cloud provider credentials from the environment of subprocesses it spawns (Bash tool, hooks, MCP stdio servers). The parent Claude process keeps these vars for its own API calls — only child subprocess environments are scrubbed.

Why: Workflows that process untrusted input (issue triage, PR review from non-write users) are exposed to prompt injection. A malicious issue body could trick Claude into running a Bash command that reads $ANTHROPIC_API_KEY via shell expansion and leaks it through an observable side channel. Scrubbing the subprocess environment removes the read primitive entirely.

What's scrubbed: Anthropic auth tokens, cloud provider credentials, GitHub Actions OIDC and runtime tokens, OTEL auth headers.

What's kept: GITHUB_TOKEN / GH_TOKEN — so wrapper scripts can still call the GitHub API.

Opt out: Set CLAUDE_CODE_SUBPROCESS_ENV_SCRUB: "0" at the job or step level if your workflow legitimately needs a subprocess to inherit these credentials.

No action required for most users — if you've configured allowed_non_write_users, scrubbing is now on automatically. If your workflow breaks because a subprocess expected inherited credentials, re-inject them explicitly (e.g., via MCP server env: config) or use the opt-out.

What's Changed

Auto-set subprocess env scrub when allowed_non_write_users is configured by @OctavianGuzu in anthropics/claude-code-action#1093

Full Changelog: anthropics/claude-code-action@v1.0.76...v1.0.77

v1.0.76

Full Changelog: anthropics/claude-code-action@v1...v1.0.76

v1.0.75

Full Changelog: anthropics/claude-code-action@v1...v1.0.75

v1.0.74

What's Changed

Restore .claude/ and .mcp.json from PR base branch before CLI runs by @km-anthropic in anthropics/claude-code-action#1066

Remove redundant git status/diff/log from tag mode allowlist by @ddworken in anthropics/claude-code-action#1075

Full Changelog: anthropics/claude-code-action@v1...v1.0.74

v1.0.73

... (truncated)

Commits

88c168b chore: bump Claude Code to 2.1.87 and Agent SDK to 0.2.87
e7b588b chore: bump Claude Code to 2.1.86 and Agent SDK to 0.2.86
094bd24 chore: bump Claude Code to 2.1.85 and Agent SDK to 0.2.85
3ac52d0 chore: bump Claude Code to 2.1.84 and Agent SDK to 0.2.84
0ee1bee chore: bump Claude Code to 2.1.83 and Agent SDK to 0.2.83
ff9acae Auto-set subprocess env scrub when allowed_non_write_users is configured (#1093)
6062f37 chore: bump Claude Code to 2.1.81 and Agent SDK to 0.2.81
df37d2f chore: bump Claude Code to 2.1.79 and Agent SDK to 0.2.79
1ba15be Remove redundant git status/diff/log from tag mode allowlist (#1075)
9ddce40 Restore .claude/ and .mcp.json from PR base branch before CLI runs (#1066)
Additional commits viewable in compare view

Updates dependabot/fetch-metadata from 2.5.0 to 3.0.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.0.0

What's Changed

feat: Parse versions from metadata links by @ppkarwasz in dependabot/fetch-metadata#632

Upgrade actions core and actions github packages by @truggeri in dependabot/fetch-metadata#649

docs: Add notes for using alert-lookup with App Token by @sue445 in dependabot/fetch-metadata#656

feat!: update Node.js version to v24 by @sturman in dependabot/fetch-metadata#671

Switch build tooling from ncc to esbuild by @truggeri in dependabot/fetch-metadata#676

Add --legal-comments=none to esbuild build commands by @jeffwidman in dependabot/fetch-metadata#679

Bump tsconfig target from es2022 to es2024 by @jeffwidman in dependabot/fetch-metadata#680

Remove vestigial outDir from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#681

Switch tsconfig module resolution to bundler by @jeffwidman in dependabot/fetch-metadata#682

Remove skipLibCheck from tsconfig.json by @jeffwidman in dependabot/fetch-metadata#683

Add typecheck step to CI by @jeffwidman in dependabot/fetch-metadata#685

Enable noImplicitAny in tsconfig.json by @jeffwidman in dependabot/fetch-metadata#684

Upgrade @actions/core to ^3.0.0 by @truggeri in dependabot/fetch-metadata#677

Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 by @truggeri in dependabot/fetch-metadata#678

Bump qs from 6.14.0 to 6.14.1 by @dependabot[bot] in dependabot/fetch-metadata#651

Bump hono from 4.11.1 to 4.11.4 by @dependabot[bot] in dependabot/fetch-metadata#652

Bump hono from 4.11.4 to 4.11.7 by @dependabot[bot] in dependabot/fetch-metadata#653

Bump hono from 4.11.7 to 4.12.0 by @dependabot[bot] in dependabot/fetch-metadata#657

Bump qs from 6.14.1 to 6.14.2 by @dependabot[bot] in dependabot/fetch-metadata#655

Bump @modelcontextprotocol/sdk from 1.25.1 to 1.26.0 by @dependabot[bot] in dependabot/fetch-metadata#654

Bump @hono/node-server from 1.19.9 to 1.19.10 by @dependabot[bot] in dependabot/fetch-metadata#665

Bump hono from 4.12.2 to 4.12.5 by @dependabot[bot] in dependabot/fetch-metadata#664

Bump minimatch from 3.1.2 to 3.1.5 by @dependabot[bot] in dependabot/fetch-metadata#667

Bump hono from 4.12.5 to 4.12.7 by @dependabot[bot] in dependabot/fetch-metadata#668

Bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @dependabot[bot] in dependabot/fetch-metadata#669

Bump flatted from 3.3.3 to 3.4.2 by @dependabot[bot] in dependabot/fetch-metadata#670

build(deps-dev): bump picomatch from 2.3.1 to 2.3.2 by @dependabot[bot] in dependabot/fetch-metadata#674

New Contributors

@ppkarwasz made their first contribution in dependabot/fetch-metadata#632

@truggeri made their first contribution in dependabot/fetch-metadata#649

@sue445 made their first contribution in dependabot/fetch-metadata#656

@sturman made their first contribution in dependabot/fetch-metadata#671

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

Commits

ffa630c v3.0.0 (#686)
ec8fff2 Merge pull request #674 from dependabot/dependabot/npm_and_yarn/picomatch-2.3.2
caf48bd build(deps-dev): bump picomatch from 2.3.1 to 2.3.2
13d8274 Upgrade @actions/github to ^9.0.0 and @octokit/request-error to ^7.1.0 (#678)
b603099 Upgrade @actions/core from ^1.11.1 to ^3.0.0 (#677)
c5dc5b1 Enable noImplicitAny in tsconfig.json (#684)
a183f3c Add typecheck step to CI (#685)
5e17564 Remove skipLibCheck from tsconfig.json (#683)
bb56eeb Switch tsconfig module resolution to bundler (#682)
3632e3d Remove vestigial outDir from tsconfig.json (#681)
Additional commits viewable in compare view

Updates lewagon/wait-on-check-action from 1.5.0 to 1.6.0

Release notes

Sourced from lewagon/wait-on-check-action's releases.

v1.6.0

Added

Add checks-discovery-timeout option (#139)

Changelog

Sourced from lewagon/wait-on-check-action's changelog.

Changelog

Unreleased

v1.6.0 - 2026-03-29

Added

Add checks-discovery-timeout option

v1.5.0 - 2026-01-25

Added

Add fail-on-no-checks option

Fixed

Bump rexml to 3.4.2

v1.4.1 - 2025-09-21

Fixed

Linux ARM64 support

v1.4.0 - 2025-06-27

Added

Add class docs

Add frozen_string_literal comments

Removed

Remove OpenStruct instances

Remove Double quotes

Remove Double assertions

Remove allow_any uses

Fixed

Fix spelling mistakes

Fix CI gem caching

Convert config.verbose to a boolean

Bump rexml to 3.3.9

v1.3.4 - 2024-04-04

Commits

a08fbe2 Bump version: 1.5.0 → 1.6.0
9499267 Add v1.6.0 changelog notes (#141)
fa9c37b Add checks-discovery-timeout documentation (#140)
e183d72 fix/wait for check discovery (#139)
8ad3eaf Bump faraday from 2.3.0 to 2.14.1 (#136)
93f8133 Set repo-token as required and validate required inputs (#135)
See full diff in compare view

Updates actions/setup-node from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-node's releases.

v6.3.0

What's Changed

Enhancements:

Support parsing devEngines field by @susnux in actions/setup-node#1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Fix npm audit issues by @gowridurgad in actions/setup-node#1491

Replace uuid with crypto.randomUUID() by @trivikr in actions/setup-node#1378

Upgrade minimatch from 3.1.2 to 3.1.5 by @dependabot in actions/setup-node#1498

Bug fixes:

Remove hardcoded bearer for mirror-url @marco-ippolito in actions/setup-node#1467

Scope test lockfiles by package manager and update cache tests by @gowridurgad in actions/setup-node#1495

New Contributors

@susnux made their first contribution in actions/setup-node#1283

Full Changelog: actions/setup-node@v6...v6.3.0

Commits

53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
54045ab Scope test lockfiles by package manager and update cache tests (#1495)
c882bff Replace uuid with crypto.randomUUID() (#1378)
774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
efcb663 fix: remove hardcoded bearer (#1467)
d02c89d Fix npm audit issues (#1491)
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Update GitHub Actions across CI, release, and automation workflows to latest versions to improve reliability and align with Node 24 runtimes. Includes major bumps and small quality-of-life fixes.

Dependencies
- actions/deploy-pages 4.0.5 → 5.0.0 (Node 24)
- dependabot/fetch-metadata 2.5.0 → 3.0.0 (Node 24; esbuild tooling)
- anthropics/claude-code-action 1.0.34 → 1.0.89 (subprocess env scrubbing when allowed_non_write_users is set)
- lewagon/wait-on-check-action 1.5.0 → 1.6.0 (adds checks-discovery-timeout)
- actions/setup-node 6.2.0 → 6.3.0 (supports devEngines.runtime, minor fixes)
- jaywcjlove/coverage-badges-cli 2.2.0 → 2.3.0 (Node 24)

^{Written for commit 31ddbce. Summary will update on new commits.}

dependabot · 2026-03-30T08:18:05Z

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

pkg-pr-new · 2026-03-30T08:18:51Z

Open in StackBlitz

npm i https://pkg.pr.new/@stackone/ai@354

commit: 31ddbce

cubic-dev-ai

No issues found across 4 files

Bumps the actions group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [jaywcjlove/coverage-badges-cli](https://github.com/jaywcjlove/coverage-badges-cli) | `2.2.0` | `2.3.0` | | [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.5` | `5.0.0` | | [anthropics/claude-code-action](https://github.com/anthropics/claude-code-action) | `1.0.34` | `1.0.82` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `2.5.0` | `3.0.0` | | [lewagon/wait-on-check-action](https://github.com/lewagon/wait-on-check-action) | `1.5.0` | `1.6.0` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.2.0` | `6.3.0` | Updates `jaywcjlove/coverage-badges-cli` from 2.2.0 to 2.3.0 - [Release notes](https://github.com/jaywcjlove/coverage-badges-cli/releases) - [Commits](jaywcjlove/coverage-badges-cli@4e8975a...998665f) Updates `actions/deploy-pages` from 4.0.5 to 5.0.0 - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@d6db901...cd2ce8f) Updates `anthropics/claude-code-action` from 1.0.34 to 1.0.82 - [Release notes](https://github.com/anthropics/claude-code-action/releases) - [Commits](anthropics/claude-code-action@f642197...88c168b) Updates `dependabot/fetch-metadata` from 2.5.0 to 3.0.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](dependabot/fetch-metadata@21025c7...ffa630c) Updates `lewagon/wait-on-check-action` from 1.5.0 to 1.6.0 - [Release notes](https://github.com/lewagon/wait-on-check-action/releases) - [Changelog](https://github.com/lewagon/wait-on-check-action/blob/master/CHANGELOG.md) - [Commits](lewagon/wait-on-check-action@7404930...a08fbe2) Updates `actions/setup-node` from 6.2.0 to 6.3.0 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@6044e13...53b8394) --- updated-dependencies: - dependency-name: jaywcjlove/coverage-badges-cli dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/deploy-pages dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: anthropics/claude-code-action dependency-version: 1.0.82 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: lewagon/wait-on-check-action dependency-version: 1.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies label Mar 30, 2026

dependabot bot requested a review from a team as a code owner March 30, 2026 08:18

dependabot bot added the dependencies label Mar 30, 2026

cubic-dev-ai bot reviewed Mar 30, 2026

View reviewed changes

Copilot AI review requested due to automatic review settings April 6, 2026 08:14

dependabot bot force-pushed the dependabot/github_actions/actions-66a40ff891 branch from f311b15 to 31ddbce Compare April 6, 2026 08:14

dependabot bot review requested due to automatic review settings April 6, 2026 08:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci(deps): bump the actions group across 1 directory with 6 updates#354

ci(deps): bump the actions group across 1 directory with 6 updates#354
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/actions-66a40ff891

dependabot bot commented on behalf of github Mar 30, 2026 •

edited by cubic-dev-ai bot

Loading

Uh oh!

dependabot bot commented on behalf of github Mar 30, 2026

Uh oh!

pkg-pr-new bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

cubic-dev-ai bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 30, 2026 • edited by cubic-dev-ai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v2.3.0

v5.0.0

Changelog

v1.0.82

v1.0.81

v1.0.80

v1.0.79

v1.0.78

v1.0.77

Subprocess environment scrubbing for untrusted-input workflows

What's Changed

v1.0.76

v1.0.75

v1.0.74

What's Changed

v1.0.73

v3.0.0

What's Changed

New Contributors

v1.6.0

Added

Changelog

Unreleased

v1.6.0 - 2026-03-29

Added

v1.5.0 - 2026-01-25

Added

Fixed

v1.4.1 - 2025-09-21

Fixed

v1.4.0 - 2025-06-27

Added

Removed

Fixed

v1.3.4 - 2024-04-04

v6.3.0

What's Changed

Enhancements:

Dependency updates:

Bug fixes:

New Contributors

Summary by cubic

Uh oh!

dependabot bot commented on behalf of github Mar 30, 2026

Labels

Uh oh!

pkg-pr-new bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot bot commented on behalf of github Mar 30, 2026 •

edited by cubic-dev-ai bot

Loading

pkg-pr-new bot commented Mar 30, 2026 •

edited

Loading