
chore: Upgrading oclif and related packages #160

Merged
madebydavid merged 2 commits into main from chore/oclif-upgrade on Feb 24, 2026

Conversation

@madebydavid (Member)

Goal

This is to resolve https://github.com/shipth-is/cli/security/dependabot/24

We seem to be using minimatch in a lot of packages.

What's changed

| Package | From | To | Where |
|---|---|---|---|
| @oclif/core | ^4 | ^4.8.1 | dependencies |
| @oclif/plugin-help | ^6 | ^6.2.37 | dependencies |
| @oclif/plugin-warn-if-update-available | ^3.1.46 | ^3.1.55 | dependencies |
| eslint-config-oclif | ^5 | ^6 | devDependencies |
| oclif | ^4 | ^4.22.81 | devDependencies |

To note

Unfortunately, this doesn't fix all of them: it seems that one dev dependency, eslint-config-oclif, has a self-dependency on an earlier version of itself (see oclif/eslint-config-oclif#319).

npm audit will pick this up:

$ npm audit
# npm audit report

eslint-config-oclif  *
Severity: high
Depends on vulnerable versions of @eslint/compat
Depends on vulnerable versions of @eslint/eslintrc
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of eslint-plugin-jsdoc
Depends on vulnerable versions of eslint-plugin-n
...

Importantly, eslint-config-oclif is a dev dependency, so if we omit dev dependencies we get no issues:

$ npm audit --omit dev
found 0 vulnerabilities
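
As an added example (not code from the shipth-is/cli repository), the split behind `npm audit` versus `npm audit --omit dev` can be reproduced offline from the lockfile: package-lock v2/v3 marks dev-only installs with `"dev": true`, so every installed copy of minimatch can be listed with its version and whether a vulnerable copy is reachable from production dependencies. The lockfile fragment and the patched-version floor `"3.1.0"` are constructed placeholders, not the advisory's real values.

```javascript
// Added example, not code from the shipth-is/cli repository: lists every installed copy
// of a package from a package-lock v2/v3 "packages" map, using the lockfile's "dev": true
// marker to separate dev-only installs from production-reachable ones, the same split
// that `npm audit --omit dev` applies.
// "x.y.z" -> [x, y, z]; prerelease/build suffixes dropped (assumption: plain semver).
function parseVersion(v) {
  const p = v.split(/[-+]/)[0].split(".").map(Number);
  return [p[0] || 0, p[1] || 0, p[2] || 0];
}

// True when version a sorts strictly before version b.
function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Each install path ending in node_modules/<name>, with version, dev flag, and
// whether it is below the patched floor taken from the advisory.
function findCopies(lock, name, patchedFloor) {
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => p !== "" && p.endsWith("node_modules/" + name) && e.version)
    .map(([path, e]) => ({
      path,
      version: e.version,
      dev: e.dev === true,
      vulnerable: lessThan(e.version, patchedFloor),
    }));
}

// Counts a CI gate would act on: fail on vulnerableProd, warn on vulnerableDevOnly.
function auditLockfile(lock, name, patchedFloor) {
  const copies = findCopies(lock, name, patchedFloor);
  const vuln = copies.filter((c) => c.vulnerable);
  return {
    copies,
    total: copies.length,
    vulnerableProd: vuln.filter((c) => !c.dev).length,
    vulnerableDevOnly: vuln.filter((c) => c.dev).length,
  };
}

// Constructed lockfile fragment, not the repository's real package-lock.json.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/minimatch": { version: "9.0.5" },
  "node_modules/@oclif/core/node_modules/minimatch": { version: "9.0.5" },
  "node_modules/eslint-config-oclif/node_modules/minimatch": { version: "3.0.4", dev: true },
} };
// "3.1.0" is a placeholder floor; use the version the Dependabot advisory names.
console.log(JSON.stringify(auditLockfile(sampleLock, "minimatch", "3.1.0"), null, 2));
```

With the sample data the only copy below the floor sits under eslint-config-oclif and is flagged dev-only, which is why `npm audit --omit dev` reports nothing while plain `npm audit` does.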

@madebydavid madebydavid marked this pull request as ready for review February 24, 2026 15:36
@madebydavid madebydavid requested a review from Copilot February 24, 2026 15:37
Copilot AI (Contributor) left a comment

Pull request overview

This PR upgrades oclif runtime/dev tooling dependencies to address the linked Dependabot security advisory (notably around minimatch usage across the dependency tree).

Changes:

  • Bump @oclif/core and related oclif plugins to newer ^4.x / ^6.x patch releases.
  • Upgrade eslint-config-oclif from ^5 to ^6 and oclif devDependency to ^4.22.81.
  • Regenerate package-lock.json to reflect the upgraded dependency graph (including updated minimatch versions).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| package.json | Updates oclif and linting-related dependency versions. |
| package-lock.json | Locks upgraded versions and newly introduced transitive dependencies. |


Comment on lines +70 to 71
"eslint-config-oclif": "^6",
"eslint-config-oclif-typescript": "^3",

Copilot AI Feb 24, 2026


Upgrading to eslint-config-oclif v6 pulls in transitive tooling that now requires newer Node versions (e.g. eslint@10 in the lockfile requires Node ^20.19.0). This conflicts with the repo’s pinned Node version (v20.17.0 in .nvmrc) and can cause npm install/ci warnings or failures in engine-strict environments. Consider either keeping eslint-config-oclif on v5 for now, or bumping the repo’s Node version/engines to meet the new minimums (and regenerating the lockfile accordingly).

Suggested change
"eslint-config-oclif": "^6",
"eslint-config-oclif-typescript": "^3",
"eslint-config-oclif": "^5",
"eslint-config-oclif-typescript": "^2",
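Review bot: the suggested change touches more than the line under review. The comment anchor "+70 to 71" shows only line 70 (`"eslint-config-oclif": "^6"`) as changed in this PR, while line 71 (`"eslint-config-oclif-typescript": "^3"`) is unchanged context, yet the suggestion also downgrades that package to `^2`, a change the PR's "What's changed" table never made and the comment does not justify. Pinning eslint-config-oclif back to `^5` would also reintroduce the Dependabot advisory this PR exists to resolve, so if the engine mismatch with `.nvmrc` is the concern, raising the repo's Node version (as the author proposes below) is the better fix than reverting the upgrade; either way, drop the `^2` line from the suggestion.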

madebydavid (Member, Author) commented

Should we update the .nvmrc instead?

madebydavid (Member, Author) commented

@copilot - we updated the .nvmrc - can you reevaluate?

Copilot AI (Contributor) commented Feb 24, 2026

@madebydavid I've opened a new pull request, #161, to work on those changes. Once the pull request is ready, I'll request review from you.

madebydavid (Member, Author) commented, quoting Copilot:

> @madebydavid I've opened a new pull request, #161, to work on those changes. Once the pull request is ready, I'll request review from you.

@copilot I closed your PR but that change is merged - can you review again?

Copilot AI (Contributor) commented Feb 24, 2026

@madebydavid I've opened a new pull request, #162, to work on those changes. Once the pull request is ready, I'll request review from you.

@madebydavid madebydavid merged commit 718e130 into main Feb 24, 2026
@madebydavid madebydavid deleted the chore/oclif-upgrade branch February 24, 2026 15:54