Dependencies update

[alessandrobellesia]

fix: dependencies update
fix: add LICENSE

Summary by CodeRabbit

• Chores

  • Updated build workflow configuration and dependency management to ensure a more robust and reliable foundation.
  • Revised licensing details to accurately reflect current information.

• Refactor

  • Improved internal code organization and type handling for a cleaner, more maintainable codebase.

These internal enhancements contribute to overall project stability without affecting the end-user experience.

[coderabbitai]

Walkthrough

This pull request updates several configuration and source files. The GitHub Actions workflow now uses a different SonarCloud scan action. The LICENSE file has been revised to reflect updated copyright information. In addition, the package.json file sees numerous dependency and package manager upgrades along with a new pnpm section. Several source files have been refactored to reorganize import statements and update type declarations, and one file has improved formatting for code clarity. Overall, the changes enhance consistency and maintainability without altering core functionality.

Changes

File(s)	Change Summary
.github/workflows/sonarcloud.yml	Updated SonarCloud scan action from SonarSource/sonarcloud-github-action@master to SonarSource/sonarqube-scan-action@master
LICENSE	Revised copyright notice from "2024 8 Wave" to "2022-present 8 wave S.r.l. and contributors"
package.json	Upgraded package manager (from [email protected] to [email protected]), updated multiple dependencies and devDependencies, and added a new pnpm section
src/HttpClient.ts, src/RepositoryHttp.ts, src/UrlBuilder.ts, src/vue/index.ts, test/components/RepositoryReadUpdate.vue	Reorganized and refined type/value import statements and type declarations to improve clarity and consistency
src/Hash.ts	Adjusted formatting in the mathematical operations within the cyrb53 method for better readability

Poem

I hop through lines of code so neat,
Where imports and versions lightly meet,
Dependencies leap and workflows bound,
In every change, a rhythm is found,
With twitching ears, I celebrate each beat!

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e9cd792 and f9715d8.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• .github/workflows/sonarcloud.yml (1 hunks)
• LICENSE (1 hunks)
• package.json (2 hunks)
• src/Hash.ts (1 hunks)
• src/HttpClient.ts (2 hunks)
• src/RepositoryHttp.ts (1 hunks)
• src/UrlBuilder.ts (1 hunks)
• src/vue/index.ts (1 hunks)
• test/components/RepositoryReadUpdate.vue (1 hunks)

✅ Files skipped from review due to trivial changes (5)

• test/components/RepositoryReadUpdate.vue
• LICENSE
• src/Hash.ts
• src/RepositoryHttp.ts
• src/UrlBuilder.ts

🔇 Additional comments (5)

src/HttpClient.ts (1)

1-1: LGTM! Import statements are well organized.

The changes improve code organization by consolidating related type imports and removing unused ones.

Also applies to: 10-10

src/vue/index.ts (1)

2-5: LGTM! Import statements are better organized.

The changes improve code organization by importing types directly from their source modules rather than through 'vue'.

package.json (3)

133-137: LGTM! Added pnpm configuration.

The addition of onlyBuiltDependencies for esbuild in pnpm configuration is a good practice for build optimization.

---

107-110:

✅ Verification successful

Verify security of updated dependencies.

Several dependencies have been updated:

• ky: ^1.7.2 → ^1.7.5
• qs: ^6.13.0 → ^6.14.0
• web-streams-polyfill: ^4.0.0 → ^4.1.0
• vue: ^3.5.12 → ^3.5.13

Also applies to: 113-113

---

🏁 Script executed:

#!/bin/bash
# Check for security advisories in updated dependencies

# Check for security advisories in npm registry
for pkg in "ky" "qs" "web-streams-polyfill" "vue"; do
  echo "Checking $pkg..."
  npm audit $pkg
done

# Check GitHub Security Advisories
for pkg in "ky" "qs" "web-streams-polyfill" "vue"; do
  echo "Checking GitHub Security Advisories for $pkg..."
  gh api graphql -f query='{
    securityVulnerabilities(first: 5, ecosystem: NPM, package: "'$pkg'") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }'
done

Length of output: 5340

---

Security Verification: Dependency Updates Confirmed Secure

• The updated dependencies have been verified against GitHub Security Advisories:

  • ky (v^1.7.5): No advisories detected.
  • qs (v^6.14.0): Although advisories for Prototype Pollution exist, the reported ranges do not affect this updated version.
  • web-streams-polyfill (v^4.1.0): No vulnerabilities found.
  • vue (v^3.5.13): The ReDoS advisory applies only to versions before 3.0.0‑alpha.0, so the current version is not affected.

• Note: The npm audit checks failed due to the absence of a lockfile. For complete local auditing, please generate a lockfile (e.g., with npm i --package-lock-only).

---

5-5:

❓ Verification inconclusive

Verify pnpm version compatibility.

The package manager has been updated to [email protected].

---

🌐 Web query:

What is the latest stable version of pnpm and its compatibility with Node.js?

💡 Result:

The latest stable version of pnpm is v10.4, released on February 13, 2025[4]. Compatibility with Node.js follows these guidelines:

Compatibility Overview

Node.js Version	pnpm 10	pnpm 9	pnpm 8
Node.js 14	❌	❌	❌
Node.js 16	❌	❌	✔️
Node.js 18	✔️	✔️	✔️
Node.js 20	✔️	✔️	✔️
Node.js 22	✔️	✔️	✔️

Key details:

1. Current requirements:

   • pnpm v10 requires Node.js ≥v18.12[2][5][8].
   • Projects using Node.js v16 must use pnpm ≤v8[2][5].

2. Breaking changes in v10:

   • Global store format updated to v10[4]
   • Escaped # characters in .pnpm directories[4]
   • pnpm deploy now requires workspace configuration[4]

To upgrade:

# Update global pnpm
pnpm self-update

# Verify version
pnpm -v  # Should return ≥10.4

Developers encountering "Unsupported Node.js version" errors (common with Node.js <18) must either:

• Upgrade Node.js to ≥v18.12 via tools like nvm or pnpm env use[5][8]
• Downgrade pnpm to v8.x if stuck on Node.js v16[2][5]

Recent updates focus on improved store efficiency and stricter version management[4]. Always check your project's engines.node requirements before upgrading[9].

Citations:

• 1: https://developer.woocommerce.com/2023/04/27/developer-advisory-pnpm-8-update/
• 2: https://pnpm.io/installation
• 3: https://www.milesweb.com/blog/technology-hub/npm-vs-pnpm/
• 4: https://github.com/pnpm/pnpm/releases
• 5: Compatibility Issue between Node.js v16 and pnpm v9 when Using pnpm env Command pnpm/pnpm.io#527
• 6: http://nodesource.com/blog/nodejs-package-manager-comparative-guide-2024/
• 7: https://pnpm.io/cli/update
• 8: https://answers.netlify.com/t/deployment-using-node-js-version-different-from-the-settings/116874
• 9: PNPM is not using the node version set via pnpm env use pnpm/pnpm#4203
• 10: https://pnpm.io/8.x/installation

---

Action Required: Confirm Node.js Compatibility for [email protected]

The update to use "[email protected]" is valid since it is now the latest stable version. However, pnpm v10.4.0 requires Node.js version ≥18.12. Please ensure that your project’s Node.js version is updated accordingly. If your project uses an older Node.js version (like v16), you will need to either upgrade Node.js or revert to a compatible pnpm version.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify the SonarCloud scan action change.

The action has been changed from SonarSource/sonarcloud-github-action to SonarSource/sonarqube-scan-action. Let's verify this change.

---

🌐 Web query:

What is the recommended GitHub Action for SonarCloud analysis?

💡 Result:

The recommended GitHub Action for SonarCloud analysis is SonarSource/sonarcloud-github-action, which provides direct integration with SonarCloud's code quality platform[5][10]. This official action handles authentication, analysis execution, and results reporting.

Key Configuration Steps

1. Workflow Setup
   Create a .github/workflows/sonarcloud.yml file with:

   jobs:
     sonarcloud:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@v4
           with:
             fetch-depth: 0  # Required for accurate analysis
         - name: SonarCloud Scan
           uses: SonarSource/sonarcloud-github-action@master
           env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # For PR integration
             SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}    # From SonarCloud project

2. Authentication

   • Generate SONAR_TOKEN in your SonarCloud project settings[5][7]
   • Add it as a repository secret in GitHub[1][5]

3. Analysis Parameters
   Include essential properties either via args or sonar-project.properties:

   args: >
     -Dsonar.organization=<your-org>
     -Dsonar.projectKey=<your-project-key>
     -Dsonar.sources=src/
     -Dsonar.exclusions=**/test/**/*

Advanced Features

• Quality Gate Enforcement: Fails workflows if code doesn't meet defined standards[5]
• Monorepo Support: Analyze multiple subprojects by specifying unique keys/paths[5]
• Coverage Integration: Works with tools like llvm-cov (Rust)[6] or lcov (JavaScript)[2]
• Pull Request Analysis: Automatically comments on PRs with quality findings[8][9]

For language-specific setups (Java/Maven/.NET), follow SonarCloud's in-product tutorials[5], which auto-generate workflow configurations tailored to your project type[5][7].

Citations:

• 1: https://www.youtube.com/watch?v=6J0328O-Qzg
• 2: https://github.com/marketplace/actions/test-and-analyze-with-triggers-and-sonarcloud
• 3: https://community.sonarsource.com/t/integrate-sonarcloud-with-github-actions-for-a-swift-project/120069
• 4: https://medium.berkayozcan.com/a-journey-through-automated-code-analysis-using-sonar-cloud-and-github-actions-57db279e6dd3
• 5: https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/github-actions-for-sonarcloud/
• 6: https://richardwbown.com/code-analysis-in-sonarcloud-using-github-actions/
• 7: https://www.youtube.com/watch?v=QzRmsq03Jac
• 8: https://community.sonarsource.com/t/sonar-guidance-for-coverage-in-github-actions-builds/48374
• 9: https://www.youtube.com/watch?v=AYUaIiWZ-_w
• 10: https://github.com/moonfare/action-SonarSource-sonarcloud-github-action

---

Action Mismatch: Use the Recommended SonarCloud Scan Action

The web query confirms that the official and recommended GitHub Action for SonarCloud integration is SonarSource/sonarcloud-github-action@master, not SonarSource/sonarqube-scan-action@master. Please update the workflow file accordingly.

• File: .github/workflows/sonarcloud.yml
• Line: 16
  Current Code:

                uses: SonarSource/sonarqube-scan-action@master

  Suggested Update:

                uses: SonarSource/sonarcloud-github-action@master