chore(deps): bump commander from 12.1.0 to 14.0.2

[dependabot]

Bumps commander from 12.1.0 to 14.0.2.

Release notes

Sourced from commander's releases.

v14.0.2

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

v14.0.1

Fixed

• broken markdown link in README (#2369)

Changed

• improve code readability by using optional chaining (#2394)
• use more idiomatic code with object spread instead of Object.assign() (#2395)
• improve code readability using string.endsWith() instead of string.slice() (#2396)
• refactor .parseOptions() to process args array in-place (#2409)
• change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
• update (dev) dependencies

v14.0.0

Added

• support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher -level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following option s/commands (#2328)
• support for unescaped negative numbers as option-arguments and command-arguments (#2339)
• TypeScript: add parseArg property to Argument class (#2359)

Fixed

• remove bogus leading space in help when option has default value but not a description (#2348)
• .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

• Breaking: Commander 14 requires Node.js v20 or higher
• internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

v13.1.0

Added

• support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

v13.0.0

Added

• support multiple calls to .parse() with default settings (#2299)
• add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)
• style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)

... (truncated)

Changelog

Sourced from commander's changelog.

[14.0.2] (2025-10-25)

Changed

• improve negative number auto-detection test (#2428)
• update (dev) dependencies

[14.0.1] (2025-09-12)

Fixed

• broken markdown link in README (#2369)

Changed

• improve code readability by using optional chaining (#2394)
• use more idiomatic code with object spread instead of Object.assign() (#2395)
• improve code readability using string.endsWith() instead of string.slice() (#2396)
• refactor .parseOptions() to process args array in-place (#2409)
• change private variadic support routines from ._concatValue() to ._collectValue() (change code from array.concat() to array.push()) (#2410)
• update (dev) dependencies

[14.0.0] (2025-05-18)

Added

• support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher-level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following options/commands (#2328)
• support for unescaped negative numbers as option-arguments and command-arguments (#2339)
• TypeScript: add parseArg property to Argument class (#2359)

Fixed

• remove bogus leading space in help when option has default value but not a description (#2348)
• .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

Changed

• Breaking: Commander 14 requires Node.js v20 or higher
• internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)

[13.1.0] (2025-01-21)

Added

• support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)

[13.0.0] (2024-12-30)

Added

... (truncated)

Commits

• 0692be5 Prepare for 14.0.2 (#2437)
• 88a348e Bump actions/setup-node from 5 to 6 (#2438)
• 3fe83d6 Bump github/codeql-action from 3 to 4 (#2435)
• 0b7988e Bump globals from 16.3.0 to 16.4.0 (#2429)
• 8005253 Bump typescript-eslint from 8.42.0 to 8.45.0 (#2430)
• 213e679 Bump ts-jest from 29.4.1 to 29.4.4 (#2431)
• 7ede91b Bump jest from 30.1.3 to 30.2.0 (#2432)
• 8c91f34 Bump typescript from 5.9.2 to 5.9.3 (#2433)
• ff1d2ce Improve negative test (#2428)
• 1a6dba5 Clarify deprecated routine (#2427)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

Smoke Test Results - Claude Engine

Last 2 Merged PRs:

• chore: delete existing firewall tests and migrate smoke tests #229: chore: delete existing firewall tests and migrate smoke tests
• feat(ci): add coverage regression detection #244: feat(ci): add coverage regression detection

Test Results:

• ✅ GitHub MCP: Successfully fetched merged PRs
• ✅ Playwright: Page title contains "GitHub"
• ✅ File Write: Created test file successfully
• ✅ Bash: Verified file contents

Status: PASS

AI generated by Smoke Claude

[github-actions]

Security Review - Node.js Version Incompatibility

I've reviewed PR #280 (commander upgrade from 12.1.0 to 14.0.2) and identified a Node.js version incompatibility that should be addressed:

🔴 Node.js Version Mismatch

Issue: Commander 14.0.2 requires Node.js >=20, but this project's package.json specifies "node": ">=18.0.0"

Evidence:

• package.json line 64: "engines": {"node": ">=18.0.0"}
• package-lock.json commander 14.0.2: "engines": {"node": ">=20"}
• package-lock.json commander 12.1.0 required: "engines": {"node": ">=18"}

Impact:

• Runtime failures on Node 18/19 environments
• CI/CD pipeline failures if using Node 18/19
• Dependency installation warnings/errors for users on older Node versions

Recommended Fix:
Either update package.json to enforce Node 20+:

"engines": {
  "node": ">=20.0.0"
}

Or pin commander to v12.x until Node 20+ is adopted project-wide:

"dependencies": {
  "commander": "^12.1.0"
}

⚠️ Testing Recommendation

Since this is a major version upgrade (12 → 14), please verify:

1. All CLI options work correctly (especially security-critical ones like --allow-domains, --block-domains, --dns-servers)
2. Argument parsing behavior hasn't changed
3. Tests pass with the new version

Summary

No direct security vulnerabilities found in commander 14.0.2, but the Node.js version mismatch could cause runtime issues. Please align the project's Node.js requirement with commander's requirement before merging.

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #280 🗺️

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• chore: delete existing firewall tests and migrate smoke tests #229: chore: delete existing firewall tests and migrate smoke tests
• feat(ci): add coverage regression detection #244: feat(ci): add coverage regression detection

Test Results:

• ✅ GitHub MCP: Retrieved PR data successfully
• ❌ Playwright: System deps installation timeout (libglib missing)
• ✅ File Write: Created /tmp/gh-aw/agent/smoke-test-copilot-21092097227.txt
• ✅ Bash Tool: Verified file content successfully

Overall Status: FAIL (Playwright issue)

cc: @Mossaka

AI generated by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results (Claude)

Last 2 merged PRs:

• ci: add agentic documentation preview workflow with Playwright #246: ci: add agentic documentation preview workflow with Playwright
• feat: port plan workflow from gh-aw repository #230: feat: port plan workflow from gh-aw repository

Test Results:

• ✅ GitHub MCP: Listed recent PRs
• ✅ Playwright: Navigated to github.com (title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub")
• ✅ File Writing: Created test file
• ✅ Bash Tool: Verified file content

Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• feat: port plan workflow from gh-aw repository #230: feat: port plan workflow from gh-aw repository
• ci: pin GitHub Actions to commit SHAs for supply chain security #266: ci: pin GitHub Actions to commit SHAs for supply chain security

Test Results:
✅ GitHub MCP - Retrieved merged PRs
✅ Playwright - GitHub page navigation
✅ File Writing - Created smoke test file
✅ Bash Tool - Verified file contents

Overall: PASS

cc: @Mossaka @copilot

AI generated by Smoke Copilot

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.