chore(deps): bump the all-npm-dependencies group with 14 updates

[Copilot]

Summary

Reimplements #1708 (Dependabot dependency bumps) with all necessary code changes to make tests pass.

Dependency Updates

Package	From	To
chalk	4.1.2	5.6.2
commander	12.1.0	14.0.3
execa	5.1.1	9.6.1
@eslint/compat	2.0.3	2.0.4
@types/node	25.5.0	25.5.2
@typescript-eslint/eslint-plugin	8.57.1	8.58.0
@typescript-eslint/parser	8.57.1	8.58.0
esbuild	0.25.12	0.28.0
eslint	10.0.3	10.2.0
eslint-plugin-security	3.0.1	4.0.0
markdownlint-cli2	0.21.0	0.22.0
ts-jest	29.4.6	29.4.9
typescript	5.9.3	6.0.2
typescript-eslint	8.57.1	8.58.0

Key Changes Beyond Version Bumps

execa v5 → v9 migration

• Changed from default import to named exports: import { execa, execaSync } from 'execa'
• Replaced execa.sync() with execaSync() across all production and test files
• Updated test mock patterns to provide named exports instead of default export
• Updated ExecaReturnValue type to Result in test fixtures

TypeScript 5 → 6 compatibility

• Added "ignoreDeprecations": "6.0" to tsconfig.json for the deprecated moduleResolution: "node" option

Jest ESM handling

• Added custom resolver (jest-resolver.js) to handle ESM-only packages whose exports maps only have "import" conditions (no "require")
• Updated transformIgnorePatterns to include all ESM-only transitive dependencies of execa (is-plain-obj, human-signals, npm-run-path, etc.)

Test updates

• Updated jest-esm-config.test.ts to validate actual ESM-only imports (chalk v5, execa v9) instead of preparatory infrastructure

Verification

• ✅ Build (tsc) — clean
• ✅ Type-check (tsc --noEmit -p tsconfig.check.json) — clean
• ✅ Tests — 28 suites, 1382 tests pass
• ✅ Lint — 0 errors
• ✅ CodeQL — 0 alerts

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	86.22%	86.34%	📈 +0.12%
Statements	86.08%	86.19%	📈 +0.11%
Functions	87.50%	87.50%	➡️ +0.00%
Branches	78.81%	78.80%	📉 -0.01%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/cli.ts	62.1% → 62.2% (+0.12%)	62.6% → 62.7% (+0.11%)
src/docker-manager.ts	86.6% → 87.0% (+0.40%)	86.0% → 86.5% (+0.40%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Updates the repository’s npm dependency set (including major-version upgrades) and adjusts production/test code to accommodate breaking changes—most notably migrating execa usage and adding Jest handling for ESM-only packages.

Changes:

• Bumped core dependencies/devDependencies (e.g., chalk v5, commander v14, execa v9, TypeScript v6).
• Migrated execa usage from default/CJS patterns to v9 named exports (execa, execaSync) across source and tests.
• Added Jest ESM support enhancements (custom resolver + broader transformIgnorePatterns) and updated ESM validation tests.

Show a summary per file

File	Description
tsconfig.json	Adds TS 6 deprecation suppression; compiler output remains CJS.
package.json	Updates dependency ranges (chalk/commander/execa) and dev dependency versions.
package-lock.json	Locks updated dependency graph for the new versions and transitive deps.
jest.config.js	Expands ESM transform allowlist and enables a custom Jest resolver.
jest-resolver.js	Adds resolver fallback intended to support ESM-only exports maps.
src/docker-manager.ts	Switches to execa/execaSync named exports and replaces execa.sync() usage.
src/docker-manager.test.ts	Updates Jest mocking to match execa v9 named exports.
src/commands/predownload.ts	Switches to execa named export.
src/commands/predownload.test.ts	Updates Jest mocking/assertions for execa v9 named export.
src/ssl-bump.ts	Switches to execa named export.
src/ssl-bump.test.ts	Switches to execa named export in tests.
src/host-iptables.ts	Switches to execa named export.
src/host-iptables.test.ts	Switches to execa named export in tests.
src/logs/log-streamer.ts	Switches to execa named export.
src/logs/log-streamer.test.ts	Switches to execa named export in tests.
src/logs/log-discovery.ts	Switches to execa named export.
src/logs/log-discovery.test.ts	Switches to execa named export in tests.
src/logs/log-aggregator.ts	Switches to execa named export.
src/logs/log-aggregator.test.ts	Switches to execa named export in tests.
src/jest-esm-config.test.ts	Updates Jest ESM validation to import/use chalk v5 + execa v9.
tests/integration/ipv6.test.ts	Updates execa import style for integration test usage.
tests/fixtures/awf-runner.ts	Updates execa types to v9 (Result) and normalizes stdout/stderr handling.
tests/fixtures/cleanup.ts	Updates execa import style and adds explicit callback typings in parsing logic.
tests/fixtures/docker-helper.ts	Updates execa import style; minor typing adjustments.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 21/24 changed files
• Comments generated: 3

[Copilot]

Bumping commander to v14 and execa to v9 increases the minimum Node requirements (commander v14 requires Node >=20; execa v9 is ESM-only). This repo’s release pipeline uses pkg (see package.json pkg.targets) which currently targets Node 18; that binary build/runtime will likely break after these bumps. Align the pkg targets (and any CI/release workflow expectations) with the new Node/runtime requirements.

[Copilot]

jest-resolver.js retries resolution with an added "import" condition for any resolver error. This can mask unrelated resolution problems (typos, missing files, etc.) and make failures harder to diagnose. Consider only retrying for export-condition related errors (e.g., ERR_PACKAGE_PATH_NOT_EXPORTED / exports resolution failures) and rethrowing the original error when the fallback also fails.

Suggested change

	module.exports = (path, options) => {
	try {
	return options.defaultResolver(path, options);
	} catch (error) {
	// If default resolution fails, retry with "import" condition added
	return options.defaultResolver(path, {
	...options,
	conditions: [...(options.conditions || []), 'import'],
	});
	const isExportsResolutionError = (error) => {
	if (!error) {
	return false;
	}
	if (error.code === 'ERR_PACKAGE_PATH_NOT_EXPORTED') {
	return true;
	}
	const message = typeof error.message === 'string' ? error.message : '';
	return (
	message.includes('Package subpath') ||
	message.includes('package exports') ||
	message.includes('conditional exports') ||
	message.includes('No "exports" main defined')
	);
	};
	module.exports = (path, options) => {
	try {
	return options.defaultResolver(path, options);
	} catch (error) {
	if (!isExportsResolutionError(error)) {
	throw error;
	}
	try {
	return options.defaultResolver(path, {
	...options,
	conditions: [...(options.conditions || []), 'import'],
	});
	} catch (_fallbackError) {
	throw error;
	}

[Copilot]

line.trim().split(/\s+/)[0] ?? '0' is misleading because the [0] element is always a string (often ''), so the nullish coalescing fallback will never apply. If the intent is to avoid NaN when parsing, use a non-empty check (e.g., fallback on '') or validate the parsed number before sorting/using it.

Suggested change

	.map((line: string) => parseInt(line.trim().split(/\s+/)[0] ?? '0'))
	.map((line: string) => Number.parseInt(line.trim().split(/\s+/)[0] || '', 10))
	.filter((lineNum: number) => !Number.isNaN(lineNum))

[Mossaka]

@copilot please fix all the integration tests CI failures.

[Copilot]

@copilot please fix all the integration tests CI failures.

Fixed in 1c3f40c. The integration test failures were caused by tests/setup/jest.integration.config.js missing the ESM-only package handling that was added to the unit test jest.config.js. The integration config now has:

• Expanded transformIgnorePatterns covering all execa v9 transitive ESM deps
• Reference to the custom jest-resolver.js for exports map resolution

Also addressed the code review feedback: improved jest-resolver.js to only retry exports-related errors, fixed cleanup.ts parseInt safety, and updated pkg targets from node18 to node20.

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Notes

• Java: Default ~/.m2/repository was not writable; used -Dmaven.repo.local=/tmp/gh-aw/agent/m2-repo to redirect the local Maven repository.
• Deno (oak): Dependencies fetched from deno.land/std@0.208.0 at test time.
• All other ecosystems ran without issues.

Generated by Build Test Suite for issue #1810 · ● 659.2K · ◷

[Mossaka]

@copilot please fix: https://github.com/github/gh-aw-firewall/actions/runs/24157022166/job/70505869787?pr=1810

[Copilot]

@copilot please fix: https://github.com/github/gh-aw-firewall/actions/runs/24157022166/job/70505869787?pr=1810

Fixed in 2cf874f. The root cause: babel-jest passes Jest's rootDir as Babel's root directory. Since the integration config lives in tests/setup/ (making rootDir = tests/setup/), Babel couldn't find babel.config.js in the project root — so ESM-only packages (execa, chalk) were never transformed.

Fix: ['babel-jest', { rootMode: 'upward' }] in the integration config's transform, which tells Babel to walk upward from rootDir to find the config file.

Note: The "Dependency Vulnerability Audit" failure is unrelated — it's about the docs site's transitive deps (defu, vite, lodash-es, yaml).

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All checks passed:

Check	Result
Redis PING (host.docker.internal:6379)	✅ PONG
PostgreSQL ready (host.docker.internal:5432)	✅ accepting connections
PostgreSQL SELECT 1 (smoketest db, user postgres)	✅ returned 1

Note: redis-cli was unavailable and could not be installed (no apt), so Redis was tested via bash /dev/tcp socket — same RESP protocol, same result.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Smoke Test Results ✅ PASS

• ✅ GitHub MCP: Redesign cli-proxy: connect to external DIFC proxy started by compiler #1809 "Redesign cli-proxy: connect to external DIFC proxy started by compiler", fix: include Gemini in api-proxy validation, add 503 fallback #1808 "fix: include Gemini in api-proxy validation, add 503 fallback"
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-24161014883.txt created
• ✅ Bash: File verified via cat

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔥 Smoke Test Results

Test	Status
GitHub MCP connectivity	✅
GitHub.com HTTP	✅
File write/read	✅

PR: chore(deps): bump the all-npm-dependencies group with 14 updates
Author: @Copilot | Assignees: @Mossaka, @Copilot

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test (Codex) run 24161014851
PR titles: "Redesign cli-proxy: connect to external DIFC proxy started by compiler"; "fix: move codex exec subcommand before model flag in lock files"
GitHub MCP merged PR check: ✅ | safeinputs-gh PR query: ❌ (tool unavailable)
Playwright title check: ❌ (EACCES in MCP log path)
Tavily web search: ❌ (tool unavailable)
File write check: ✅ | Bash cat verify: ✅
Discussion oracle comment: ✅
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all tests passed

Python and Node.js versions differ between host and chroot environments. Go matches.

Tested by Smoke Chroot