From c387756a887329f8147c4f2344e6eeea0f1eda4f Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren Date: Thu, 21 May 2026 18:11:54 +0000 Subject: [PATCH 1/6] chore(deps): update typescript to version 6.0.3 across multiple packages --- .../foundry-agent-service/package-lock.json | 8 +-- .../foundry-agent-service/package.json | 2 +- .../openai-agents-sdk/package-lock.json | 8 +-- .../typescript/openai-agents-sdk/package.json | 2 +- .../typescript/react/package-lock.json | 72 +++++++++++++++++-- .../frontend/typescript/react/package.json | 2 +- 6 files changed, 79 insertions(+), 15 deletions(-) diff --git a/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json b/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json index a8da79f7..2a621438 100644 --- a/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json +++ b/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json @@ -18,7 +18,7 @@ }, "devDependencies": { "@types/node": "^22", - "typescript": "^5.9.3" + "typescript": "^6.0.3" }, "engines": { "node": ">=24.0.0" @@ -4409,9 +4409,9 @@ "license": "0BSD" }, "node_modules/typescript": { - "version": "5.9.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", - "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/reference-architectures/app/api/typescript/foundry-agent-service/package.json b/reference-architectures/app/api/typescript/foundry-agent-service/package.json index 8aae8fe5..2e571547 100644 --- a/reference-architectures/app/api/typescript/foundry-agent-service/package.json 
+++ b/reference-architectures/app/api/typescript/foundry-agent-service/package.json @@ -25,7 +25,7 @@ }, "devDependencies": { "@types/node": "^22", - "typescript": "^5.9.3" + "typescript": "^6.0.3" }, "engines": { "node": ">=24.0.0" diff --git a/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json b/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json index 458a6ac1..c876e59b 100644 --- a/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json +++ b/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json @@ -19,7 +19,7 @@ }, "devDependencies": { "@types/node": "^22", - "typescript": "^5.9.3" + "typescript": "^6.0.3" }, "engines": { "node": ">=24.0.0" @@ -5384,9 +5384,9 @@ } }, "node_modules/typescript": { - "version": "5.9.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", - "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/reference-architectures/app/api/typescript/openai-agents-sdk/package.json b/reference-architectures/app/api/typescript/openai-agents-sdk/package.json index b3aa76ba..279d0a7a 100644 --- a/reference-architectures/app/api/typescript/openai-agents-sdk/package.json +++ b/reference-architectures/app/api/typescript/openai-agents-sdk/package.json @@ -26,7 +26,7 @@ }, "devDependencies": { "@types/node": "^22", - "typescript": "^5.9.3" + "typescript": "^6.0.3" }, "engines": { "node": ">=24.0.0" diff --git a/reference-architectures/app/frontend/typescript/react/package-lock.json b/reference-architectures/app/frontend/typescript/react/package-lock.json index 16d4240a..54cd899c 100644 
--- a/reference-architectures/app/frontend/typescript/react/package-lock.json +++ b/reference-architectures/app/frontend/typescript/react/package-lock.json @@ -24,7 +24,7 @@ "@types/react-dom": "^19", "@vitejs/plugin-react": "^4", "tailwindcss": "^4", - "typescript": "~5.8", + "typescript": "^6.0.3", "vite": "^6" }, "engines": { 
@@ -4348,6 +4348,70 @@ "node": ">=14.0.0" } }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/core": { + "version": "1.8.1", + "dev": true, + "inBundle": true, + "license": "MIT", + "optional": true, + "dependencies": { + "@emnapi/wasi-threads": "1.1.0", + "tslib": "^2.4.0" + } + }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/runtime": { + "version": "1.8.1", + "dev": true, + "inBundle": true, + "license": "MIT", + "optional": true, + "dependencies": { + "tslib": "^2.4.0" + } + }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@emnapi/wasi-threads": { + "version": "1.1.0", + "dev": true, + "inBundle": true, + "license": "MIT", + "optional": true, + "dependencies": { + "tslib": "^2.4.0" + } + }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@napi-rs/wasm-runtime": { + "version": "1.1.1", + "dev": true, + "inBundle": true, + "license": "MIT", + "optional": true, + "dependencies": { + "@emnapi/core": "^1.7.1", + "@emnapi/runtime": "^1.7.1", + "@tybys/wasm-util": "^0.10.1" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/Brooooooklyn" + } + }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/@tybys/wasm-util": { + "version": "0.10.1", + "dev": true, + "inBundle": true, + "license": "MIT", + "optional": true, + "dependencies": { + "tslib": "^2.4.0" + } + }, + "node_modules/@tailwindcss/oxide-wasm32-wasi/node_modules/tslib": { + "version": "2.8.1", + "dev": true, + "inBundle": true, + "license": "0BSD", + "optional": true + }, "node_modules/@tailwindcss/oxide-win32-arm64-msvc": { "version": "4.2.1", "resolved": "https://registry.npmjs.org/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.2.1.tgz", 
@@ -7305,9 +7369,9 @@ "license": "0BSD" }, "node_modules/typescript": { - "version": "5.8.3", - "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz", - "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==", + "version": "6.0.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz", + "integrity": "sha512-y2TvuxSZPDyQakkFRPZHKFm+KKVqIisdg9/CZwm9ftvKXLP8NRWj38/ODjNbr43SsoXqNuAisEf1GdCxqWcdBw==", "dev": true, "license": "Apache-2.0", "bin": { diff --git a/reference-architectures/app/frontend/typescript/react/package.json b/reference-architectures/app/frontend/typescript/react/package.json index d448a611..14b0e420 100644 --- a/reference-architectures/app/frontend/typescript/react/package.json +++ b/reference-architectures/app/frontend/typescript/react/package.json @@ -32,7 +32,7 @@ "@types/react-dom": "^19", "@vitejs/plugin-react": "^4", "tailwindcss": "^4", - "typescript": "~5.8", + "typescript": "^6.0.3", "vite": "^6" }, "engines": { From dd9a37d60c457bae8937923d3f4d822070e160cc Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren Date: Thu, 21 May 2026 18:23:27 +0000 Subject: [PATCH 2/6] chore(deps): update dependencies across multiple packages --- .devcontainer/devcontainer-lock.json | 8 +++---- .devcontainer/devcontainer.json | 2 +- .github/workflows/codeql.yml | 8 +++---- .github/workflows/pr.yml | 10 ++++---- .github/workflows/skill-test.yml | 4 ++-- .../Caira.Api.MicrosoftAgentFramework.csproj | 6 ++--- .../foundry-agent-service/package-lock.json | 24 +++++++++---------- .../foundry-agent-service/package.json | 4 ++-- .../openai-agents-sdk/package-lock.json | 24 +++++++++---------- .../typescript/openai-agents-sdk/package.json | 4 ++-- .../typescript/react/package-lock.json | 16 ++++++------- .../frontend/typescript/react/package.json | 2 +- 12 files changed, 56 insertions(+), 56 deletions(-) 
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json index d3d275dc..34f1984a 100644 --- a/.devcontainer/devcontainer-lock.json +++ b/.devcontainer/devcontainer-lock.json @@ -20,10 +20,10 @@ "resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671", "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671" }, - "ghcr.io/devcontainers/features/node:1": { - "version": "1.7.1", - "resolved": "ghcr.io/devcontainers/features/node@sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6", - "integrity": "sha256:8c0de46939b61958041700ee89e3493f3b2e4131a06dc46b4d9423427d06e5f6" + "ghcr.io/devcontainers/features/node:2": { + "version": "2.0.0", + "resolved": "ghcr.io/devcontainers/features/node@sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f", + "integrity": "sha256:fedd4c11f7adfb64283b578dddc7da906728daa25fa293351c9d913231acf12f" }, "ghcr.io/devcontainers/features/terraform:1": { "version": "1.4.3", diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 58c010c5..162de7c0 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -5,7 +5,7 @@ "ghcr.io/devcontainers/features/azure-cli:1": {}, "ghcr.io/devcontainers/features/docker-in-docker:3": {}, "ghcr.io/devcontainers/features/github-cli:1": {}, - "ghcr.io/devcontainers/features/node:1": { + "ghcr.io/devcontainers/features/node:2": { "version": "24" }, "ghcr.io/devcontainers/features/dotnet:2": { diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index aecc4021..7ccc2054 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -37,16 +37,16 @@ jobs: build-mode: manual steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup .NET if: ${{ matrix.language == 'csharp' }} - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: "10.0.x" - name: Initialize CodeQL - uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: config-file: ./.github/linters/.codeql.yml languages: ${{ matrix.language }} @@ -61,7 +61,7 @@ jobs: dotnet build "${project}" --configuration Release --no-restore - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5 with: category: "/language:${{ matrix.category }}" upload: ${{ github.event_name == 'merge_group' && 'never' || 'always' }} diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index f28c8e9a..12de096c 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Dependency Review uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 
@@ -47,10 +47,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "24" cache: npm @@ -58,7 +58,7 @@ jobs: reference-architectures/app/**/package-lock.json - name: Setup .NET - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: "10.0.x" @@ -68,7 +68,7 @@ jobs: repo-token: ${{ github.token }} - name: Setup Terraform - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 + uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1 - name: Validate PR run: task validate diff --git a/.github/workflows/skill-test.yml b/.github/workflows/skill-test.yml index dee1d3d1..7e791c47 100644 --- a/.github/workflows/skill-test.yml +++ b/.github/workflows/skill-test.yml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "24" diff --git a/reference-architectures/app/api/csharp/microsoft-agent-framework/Caira.Api.MicrosoftAgentFramework.csproj b/reference-architectures/app/api/csharp/microsoft-agent-framework/Caira.Api.MicrosoftAgentFramework.csproj index f1d545d2..f56c3dcc 100644 --- a/reference-architectures/app/api/csharp/microsoft-agent-framework/Caira.Api.MicrosoftAgentFramework.csproj 
+++ b/reference-architectures/app/api/csharp/microsoft-agent-framework/Caira.Api.MicrosoftAgentFramework.csproj @@ -11,12 +11,12 @@ - + - + - + diff --git a/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json b/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json index 2a621438..f0335e44 100644 --- a/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json +++ b/reference-architectures/app/api/typescript/foundry-agent-service/package-lock.json @@ -14,10 +14,10 @@ "@opentelemetry/api": "^1.9.1", "fastify": "^5", "jose": "^6.2.3", - "openai": "^6.37" + "openai": "^6.38.0" }, "devDependencies": { - "@types/node": "^22", + "@types/node": "^25.9.1", "typescript": "^6.0.3" }, "engines": { @@ -2470,12 +2470,12 @@ } }, "node_modules/@types/node": { - "version": "22.19.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.19.tgz", - "integrity": "sha512-dyh/xO2Fh5bYrfWaaqGrRQQGkNdmYw6AmaAUvYeUMNTWQtvb796ikLdmTchRmOlOiIJ1TDXfWgVx1QkUlQ6Hew==", + "version": "25.9.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.1.tgz", + "integrity": "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==", "license": "MIT", "dependencies": { - "undici-types": "~6.21.0" + "undici-types": ">=7.24.0 <7.24.7" } }, "node_modules/@types/pg": { @@ -3805,9 +3805,9 @@ } }, "node_modules/openai": { - "version": "6.37.0", - "resolved": "https://registry.npmjs.org/openai/-/openai-6.37.0.tgz", - "integrity": "sha512-0H5dEGFmmLv6KSd0W1w2nyL8WsLkX6yoLeQpU+dZAOuGcany5qkYQMmj35ZrKgb6yiyYqpUzFOpR8mZQkgqeEQ==", + "version": "6.38.0", + "resolved": "https://registry.npmjs.org/openai/-/openai-6.38.0.tgz", + "integrity": "sha512-AoMplt2UalrpgUDMh3L09QWjNRlgJPipclQvA6sYAaeF6nHNBMgmikAZGmcYLn8on4d9sQY9Q8bOLfrBS7Lc8g==", "license": "Apache-2.0", "bin": { "openai": "bin/cli" 
@@ -4432,9 +4432,9 @@ } }, "node_modules/undici-types": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", - "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", + "integrity": "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==", "license": "MIT" }, "node_modules/util-deprecate": { diff --git a/reference-architectures/app/api/typescript/foundry-agent-service/package.json b/reference-architectures/app/api/typescript/foundry-agent-service/package.json index 2e571547..f4ab6854 100644 --- a/reference-architectures/app/api/typescript/foundry-agent-service/package.json +++ b/reference-architectures/app/api/typescript/foundry-agent-service/package.json @@ -18,13 +18,13 @@ "@opentelemetry/api": "^1.9.1", "fastify": "^5", "jose": "^6.2.3", - "openai": "^6.37" + "openai": "^6.38.0" }, "overrides": { "@opentelemetry/sdk-node": "0.218.0" }, "devDependencies": { - "@types/node": "^22", + "@types/node": "^25.9.1", "typescript": "^6.0.3" }, "engines": { diff --git a/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json b/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json index c876e59b..04adddb8 100644 --- a/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json +++ b/reference-architectures/app/api/typescript/openai-agents-sdk/package-lock.json @@ -14,11 +14,11 @@ "@opentelemetry/api": "1.9.1", "fastify": "5.8.5", "jose": "6.2.3", - "openai": "6.37.0", + "openai": "6.38.0", "zod": "4.4.3" }, "devDependencies": { - "@types/node": "^22", + "@types/node": "^25.9.1", "typescript": "^6.0.3" }, "engines": { 
@@ -2556,12 +2556,12 @@ } }, "node_modules/@types/node": { - "version": "22.19.19", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.19.tgz", - "integrity": "sha512-dyh/xO2Fh5bYrfWaaqGrRQQGkNdmYw6AmaAUvYeUMNTWQtvb796ikLdmTchRmOlOiIJ1TDXfWgVx1QkUlQ6Hew==", + "version": "25.9.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.1.tgz", + "integrity": "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==", "license": "MIT", "dependencies": { - "undici-types": "~6.21.0" + "undici-types": ">=7.24.0 <7.24.7" } }, "node_modules/@types/pg": { @@ -4500,9 +4500,9 @@ } }, "node_modules/openai": { - "version": "6.37.0", - "resolved": "https://registry.npmjs.org/openai/-/openai-6.37.0.tgz", - "integrity": "sha512-0H5dEGFmmLv6KSd0W1w2nyL8WsLkX6yoLeQpU+dZAOuGcany5qkYQMmj35ZrKgb6yiyYqpUzFOpR8mZQkgqeEQ==", + "version": "6.38.0", + "resolved": "https://registry.npmjs.org/openai/-/openai-6.38.0.tgz", + "integrity": "sha512-AoMplt2UalrpgUDMh3L09QWjNRlgJPipclQvA6sYAaeF6nHNBMgmikAZGmcYLn8on4d9sQY9Q8bOLfrBS7Lc8g==", "license": "Apache-2.0", "bin": { "openai": "bin/cli" @@ -5407,9 +5407,9 @@ } }, "node_modules/undici-types": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", - "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", + "integrity": "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==", "license": "MIT" }, "node_modules/unpipe": { diff --git a/reference-architectures/app/api/typescript/openai-agents-sdk/package.json b/reference-architectures/app/api/typescript/openai-agents-sdk/package.json index 279d0a7a..a7dc9b26 100644 --- a/reference-architectures/app/api/typescript/openai-agents-sdk/package.json 
+++ b/reference-architectures/app/api/typescript/openai-agents-sdk/package.json @@ -18,14 +18,14 @@ "@opentelemetry/api": "1.9.1", "fastify": "5.8.5", "jose": "6.2.3", - "openai": "6.37.0", + "openai": "6.38.0", "zod": "4.4.3" }, "overrides": { "@opentelemetry/sdk-node": "0.218.0" }, "devDependencies": { - "@types/node": "^22", + "@types/node": "^25.9.1", "typescript": "^6.0.3" }, "engines": { diff --git a/reference-architectures/app/frontend/typescript/react/package-lock.json b/reference-architectures/app/frontend/typescript/react/package-lock.json index 54cd899c..6bca5ab5 100644 --- a/reference-architectures/app/frontend/typescript/react/package-lock.json +++ b/reference-architectures/app/frontend/typescript/react/package-lock.json @@ -19,7 +19,7 @@ }, "devDependencies": { "@tailwindcss/vite": "^4", - "@types/node": "^22", + "@types/node": "^25.9.1", "@types/react": "^19", "@types/react-dom": "^19", "@vitejs/plugin-react": "^4", @@ -4532,12 +4532,12 @@ } }, "node_modules/@types/node": { - "version": "22.19.15", - "resolved": "https://registry.npmjs.org/@types/node/-/node-22.19.15.tgz", - "integrity": "sha512-F0R/h2+dsy5wJAUe3tAU6oqa2qbWY5TpNfL/RGmo1y38hiyO1w3x2jPtt76wmuaJI4DQnOBu21cNXQ2STIUUWg==", + "version": "25.9.1", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.9.1.tgz", + "integrity": "sha512-xfrlY7UD5rMJk3ZVJP8BNzS28J36YJg+xp+LPXV1TdWxr8uMH5A860QNxYDGQe/ylDSgjxE52Q9VnO7p75tJxg==", "license": "MIT", "dependencies": { - "undici-types": "~6.21.0" + "undici-types": ">=7.24.0 <7.24.7" } }, "node_modules/@types/pg": { 
@@ -7401,9 +7401,9 @@ } }, "node_modules/undici-types": { - "version": "6.21.0", - "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", - "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "version": "7.24.6", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.24.6.tgz", + "integrity": "sha512-WRNW+sJgj5OBN4/0JpHFqtqzhpbnV0GuB+OozA9gCL7a993SmU+1JBZCzLNxYsbMfIeDL+lTsphD5jN5N+n0zg==", "license": "MIT" }, "node_modules/update-browserslist-db": { diff --git a/reference-architectures/app/frontend/typescript/react/package.json b/reference-architectures/app/frontend/typescript/react/package.json index 14b0e420..d382879f 100644 --- a/reference-architectures/app/frontend/typescript/react/package.json +++ b/reference-architectures/app/frontend/typescript/react/package.json @@ -27,7 +27,7 @@ }, "devDependencies": { "@tailwindcss/vite": "^4", - "@types/node": "^22", + "@types/node": "^25.9.1", "@types/react": "^19", "@types/react-dom": "^19", "@vitejs/plugin-react": "^4", From f1cbc404b297d6d547d3a24a7f70bb030d2bd1cf Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren Date: Fri, 22 May 2026 00:56:12 +0000 Subject: [PATCH 3/6] docs(skill): add identity and security scan guidance --- skills/caira/SKILL.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/skills/caira/SKILL.md b/skills/caira/SKILL.md index 21294e71..5754214d 100644 --- a/skills/caira/SKILL.md +++ b/skills/caira/SKILL.md 
@@ -27,6 +27,8 @@ Ask only what is needed to choose components: - Prefer small component references over full-stack copying. - For scenarios that need OpenAI-compatible endpoints, prefer the Foundry IaC reference unless the user already has endpoints or asks for a different approach. - Determine what the user already has before proposing new infrastructure. +- When possible, prefer managed identities or other passwordless identity patterns over API keys, static credentials, or secrets, unless the user explicitly asks for an API-key- or secret-based approach. +- Before proposing repository security scans, check whether the target repository already has Gitleaks, Trivy, or comparable secret, dependency, container, or IaC scanning. If similar scanning is missing, ask whether the user wants to add Gitleaks and/or Trivy scans before implementing them. - Keep recommendations focused on the current reference components listed below. - Explain which CAIRA paths influenced the recommendation or generated files. - Always ask follow-up questions to narrow down the user's needs and avoid unnecessary copying of reference code. From 08fb2ba2afe026b10916fbfd2a71105b95921904 Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren <2192882+PabloZaiden@users.noreply.github.com> Date: Thu, 21 May 2026 21:20:58 -0400 Subject: [PATCH 4/6] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- skills/caira/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/skills/caira/SKILL.md b/skills/caira/SKILL.md index 5754214d..a6327974 100644 --- a/skills/caira/SKILL.md +++ b/skills/caira/SKILL.md 
@@ -28,7 +28,7 @@ Ask only what is needed to choose components: - For scenarios that need OpenAI-compatible endpoints, prefer the Foundry IaC reference unless the user already has endpoints or asks for a different approach. - Determine what the user already has before proposing new infrastructure. - When possible, prefer managed identities or other passwordless identity patterns over API keys, static credentials, or secrets, unless the user explicitly asks for an API-key- or secret-based approach. -- Before proposing repository security scans, check whether the target repository already has Gitleaks, Trivy, or comparable secret, dependency, container, or IaC scanning. If similar scanning is missing, ask whether the user wants to add Gitleaks and/or Trivy scans before implementing them. +- Before proposing repository security scans, check whether the target repository already uses or has configured Gitleaks, Trivy, or similar tools for secret, dependency, container, or IaC scanning. If similar scanning is missing, ask whether the user wants to add Gitleaks and/or Trivy scans before implementing them. - Keep recommendations focused on the current reference components listed below. - Explain which CAIRA paths influenced the recommendation or generated files. - Always ask follow-up questions to narrow down the user's needs and avoid unnecessary copying of reference code. From 12ab8f7cd7b844e7c2aedfa76cde1885be2381e1 Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren Date: Fri, 22 May 2026 11:46:31 +0000 Subject: [PATCH 5/6] Add Trivy security scanning Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- scripts/security.sh | 46 +++++++++++++++++++++++++++ scripts/validate-containers.sh | 57 +++++++++++++++++++++++++++++++--- 2 files changed, 98 insertions(+), 5 deletions(-) diff --git a/scripts/security.sh b/scripts/security.sh index d1584e66..a4419b07 100755 --- a/scripts/security.sh +++ b/scripts/security.sh 
@@ -3,6 +3,7 @@ set -euo pipefail ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" GITLEAKS_VERSION="8.30.0" +TRIVY_VERSION="0.67.2" install_gitleaks() { local os arch archive url install_dir @@ -30,12 +31,57 @@ install_gitleaks() { export PATH="${install_dir}:${PATH}" } +install_trivy() { + local os arch archive url install_dir + + os="$(uname -s)" + case "${os}" in + Linux | Darwin) ;; + *) + echo "Unsupported OS for automatic Trivy install: ${os}" >&2 + exit 1 + ;; + esac + + arch="$(uname -m)" + case "${arch}" in + x86_64 | amd64) arch="64bit" ;; + aarch64 | arm64) arch="ARM64" ;; + *) + echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2 + exit 1 + ;; + esac + + install_dir="${HOME}/.local/bin" + mkdir -p "${install_dir}" + + archive="$(mktemp)" + url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz" + curl --location --fail --silent --show-error --output "${archive}" "${url}" + tar -xzf "${archive}" -C "${install_dir}" trivy + rm -f "${archive}" + chmod +x "${install_dir}/trivy" + export PATH="${install_dir}:${PATH}" +} + if ! command -v gitleaks >/dev/null 2>&1; then install_gitleaks fi +if ! command -v trivy >/dev/null 2>&1; then + install_trivy +fi + gitleaks detect \ --config "${ROOT_DIR}/.github/linters/.gitleaks.toml" \ --redact=90 \ --source "${ROOT_DIR}" \ --no-banner + +trivy fs \ + --scanners vuln,secret,misconfig \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + --ignore-unfixed \ + "${ROOT_DIR}" diff --git a/scripts/validate-containers.sh b/scripts/validate-containers.sh index d493ad97..4dceebd0 100755 --- a/scripts/validate-containers.sh +++ b/scripts/validate-containers.sh 
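Review bot: In `scripts/security.sh`, `install_trivy` unpacks the downloaded release archive into `${HOME}/.local/bin` and puts it on `PATH` without comparing it to a known digest, so the scanner that gates the build is itself an unverified binary. HTTPS and the `v${TRIVY_VERSION}` tag fix which URL is fetched, not which bytes come back. A SHA-256 pinned in the script next to `TRIVY_VERSION` and checked before `tar` runs would close that gap. The same function is added again in the `scripts/validate-containers.sh` hunk of this commit and needs the same check. The sketch below uses labelled placeholders for the digests, which should be copied from the checksums published with the release, and it also removes the temporary archive on the failure path.

```shell
install_trivy() {
  local os arch archive url install_dir expected_sha256 actual_sha256
  # … unchanged: OS and architecture detection, install_dir creation …

  # Digests are pinned per platform and bumped together with TRIVY_VERSION.
  case "${os}-${arch}" in
    Linux-64bit) expected_sha256="<SHA256_OF_LINUX_64BIT_ARCHIVE>" ;;
    Linux-ARM64) expected_sha256="<SHA256_OF_LINUX_ARM64_ARCHIVE>" ;;
    Darwin-64bit) expected_sha256="<SHA256_OF_MACOS_64BIT_ARCHIVE>" ;;
    Darwin-ARM64) expected_sha256="<SHA256_OF_MACOS_ARM64_ARCHIVE>" ;;
    *)
      echo "No pinned Trivy checksum for ${os}-${arch}" >&2
      exit 1
      ;;
  esac

  # … unchanged: mktemp, url, curl download …

  # Verify before anything from the archive is written to install_dir.
  if command -v sha256sum >/dev/null 2>&1; then
    actual_sha256="$(sha256sum "${archive}" | cut -d ' ' -f 1)"
  else
    actual_sha256="$(shasum -a 256 "${archive}" | cut -d ' ' -f 1)"
  fi
  if [[ "${actual_sha256}" != "${expected_sha256}" ]]; then
    echo "Trivy archive checksum mismatch for ${url}" >&2
    rm -f "${archive}"
    exit 1
  fi

  # … unchanged: tar extraction, archive cleanup, chmod, PATH export …
}
```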
@@ -2,16 +2,63 @@ set -euo pipefail ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +TRIVY_VERSION="0.67.2" + +install_trivy() { + local os arch archive url install_dir + + os="$(uname -s)" + case "${os}" in + Linux | Darwin) ;; + *) + echo "Unsupported OS for automatic Trivy install: ${os}" >&2 + exit 1 + ;; + esac + + arch="$(uname -m)" + case "${arch}" in + x86_64 | amd64) arch="64bit" ;; + aarch64 | arm64) arch="ARM64" ;; + *) + echo "Unsupported architecture for automatic Trivy install: ${arch}" >&2 + exit 1 + ;; + esac + + install_dir="${HOME}/.local/bin" + mkdir -p "${install_dir}" + + archive="$(mktemp)" + url="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_${os}-${arch}.tar.gz" + curl --location --fail --silent --show-error --output "${archive}" "${url}" + tar -xzf "${archive}" -C "${install_dir}" trivy + rm -f "${archive}" + chmod +x "${install_dir}/trivy" + export PATH="${install_dir}:${PATH}" +} + +if ! command -v trivy >/dev/null 2>&1; then + install_trivy +fi build_container() { local name="$1" local dir="$2" + local image="$3" echo "Building ${name} container..." - docker build --quiet "${dir}" >/dev/null + docker build --quiet --tag "${image}" "${dir}" >/dev/null + + echo "Scanning ${name} container..." 
+ trivy image \ + --severity HIGH,CRITICAL \ + --exit-code 1 \ + --ignore-unfixed \ + "${image}" } -build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk" -build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service" -build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react" -build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework" +build_container "OpenAI Agents SDK API" "${ROOT_DIR}/reference-architectures/app/api/typescript/openai-agents-sdk" "caira/openai-agents-sdk-api:validation" +build_container "Foundry Agent Service API" "${ROOT_DIR}/reference-architectures/app/api/typescript/foundry-agent-service" "caira/foundry-agent-service-api:validation" +build_container "React frontend" "${ROOT_DIR}/reference-architectures/app/frontend/typescript/react" "caira/react-frontend:validation" +build_container "Microsoft Agent Framework API" "${ROOT_DIR}/reference-architectures/app/api/csharp/microsoft-agent-framework" "caira/microsoft-agent-framework-api:validation" From ca1e1a92d6b55e4136accebb9767522055dfb49d Mon Sep 17 00:00:00 2001 From: Pablo Zaidenvoren Date: Fri, 22 May 2026 11:58:13 +0000 Subject: [PATCH 6/6] Fix Trivy installer version Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- scripts/security.sh | 2 +- scripts/validate-containers.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/security.sh b/scripts/security.sh index a4419b07..b4e1efe3 100755 --- a/scripts/security.sh +++ b/scripts/security.sh @@ -3,7 +3,7 @@ set -euo pipefail ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" GITLEAKS_VERSION="8.30.0" -TRIVY_VERSION="0.67.2" +TRIVY_VERSION="0.70.0" install_gitleaks() { local os arch archive url install_dir 
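Review bot: The `Darwin` branch of `install_trivy` in `scripts/validate-containers.sh` passes the `uname -s` output straight into the asset name, which as far as I know does not match how Trivy names its macOS release archives (`trivy_<version>_macOS-64bit.tar.gz` and `macOS-ARM64`), so the `curl --fail` download would stop the script on a Mac that has no `trivy` on `PATH`. If that naming is confirmed against the release page, map it in the case arm: `Darwin) os="macOS" ;;`. The copy of this function in `scripts/security.sh` has the same branch; since `TRIVY_VERSION` and the installer now live in two scripts, moving them into one helper that both scripts source would keep such fixes in one place.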
diff --git a/scripts/validate-containers.sh b/scripts/validate-containers.sh index 4dceebd0..0d74346e 100755 --- a/scripts/validate-containers.sh +++ b/scripts/validate-containers.sh @@ -2,7 +2,7 @@ set -euo pipefail ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" -TRIVY_VERSION="0.67.2" +TRIVY_VERSION="0.70.0" install_trivy() { local os arch archive url install_dir