Skip to content

chore(deps): bump the dependencies group with 2 updates#351

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-67fd44e4db
Open

chore(deps): bump the dependencies group with 2 updates#351
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dependencies-67fd44e4db

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps the dependencies group with 2 updates: @earendil-works/pi-ai and oxlint-tsgolint.

Updates @earendil-works/pi-ai from 0.80.2 to 0.80.3

Release notes

Sourced from @​earendil-works/pi-ai's releases.

v0.80.3

New Features

  • Anthropic Claude Sonnet 5 support - Claude Sonnet 5 is available through inherited Anthropic-compatible and Bedrock provider catalogs with adaptive thinking enabled. See Providers and Model Options.
  • Configurable output spacing - outputPad controls horizontal padding for user messages, assistant messages, and thinking blocks. See Settings.
  • External editor configuration - externalEditor lets Ctrl+G use a configured editor before $VISUAL/$EDITOR fallbacks. See Settings and Keybindings.
  • Richer RPC session tree access - RPC clients can inspect session entries and tree snapshots with get_entries and get_tree. See get_entries and get_tree.
  • Extension session metadata updates - Extensions can observe session name changes through session_info_changed. See session_info_changed.
  • Modern Azure Foundry endpoint support - Azure OpenAI Responses provider setup supports current Microsoft Foundry endpoint URLs. See Azure OpenAI.

Added

  • Added inherited Anthropic Claude Sonnet 5 model support.
  • Added get_entries and get_tree RPC commands for reading session entries and tree snapshots over RPC (#6078 by @​geraschenko).
  • Added a package ./rpc-entry export for launching Pi directly in RPC mode.
  • Added session-name change events for extensions (#6175 by @​xl0).
  • Added inherited Azure OpenAI Responses support for modern Microsoft Foundry endpoint URLs (#6004 by @​gukoff).
  • Added inherited Usage.reasoning token counts for providers that report reasoning/thinking token usage (#6057).
  • Added an externalEditor settings.json override for Ctrl+G external editor commands, with default fallbacks to Notepad on Windows and nano elsewhere (#6122).
  • Added an outputPad setting for user message, assistant message, and thinking horizontal padding (#6168).

Changed

  • Changed the default OpenAI model to gpt-5.5.
  • Changed inherited OpenAI Codex Responses SSE response-header waits to use the configured HTTP timeout instead of the previous fixed 20 second timeout, reducing false timeouts on slow connections (#4945).

Fixed

  • Fixed inherited Claude Sonnet 5 metadata to use adaptive thinking payloads for Anthropic-compatible and Bedrock requests.
  • Fixed inherited generated Xiaomi MiMo model pricing to match current pay-as-you-go pricing from models.dev (#6138).
  • Fixed inherited provider HTTP errors to include response bodies instead of opaque SDK messages (#5832 by @​stephanmck).
  • Fixed inherited streamSimple() max-token caps so providers that count input and output against one context window do not reject long requests (#5595).
  • Fixed inherited OpenAI Responses streams to preserve reasoning replay state when output items finish out of order (#6009).
  • Fixed inherited Z.AI preserved thinking requests to send thinking.clear_thinking: false when thinking is enabled, allowing replayed reasoning_content to participate in provider caching (#6083).
  • Fixed pre-prompt compaction to stop after compaction instead of continuing immediately (#6074 by @​yzhg1983).
  • Fixed resource notifications to stay before messages when resuming sessions (#6048 by @​haoqixu).
  • Fixed startup benchmark timing output to print after TUI shutdown, preserve extension timings, and drain terminal-query replies before stopping benchmark mode (#6030 by @​xl0, #6063 by @​xl0).
  • Fixed extension tool changes to apply before the next provider request in the same agent run without dropping before_agent_start system-prompt overrides (#6162).
  • Fixed a crash when undici emits an internal client error while terminating a mid-stream HTTP response (#6133).
  • Fixed the compaction event regression test to cover status indicator cleanup and keep CI passing.
  • Fixed interactive status indicators so ending work, retry, compaction, or branch-summary indicators no longer shrink the TUI when clear-on-shrink is enabled (#6026).
  • Fixed --session and SessionManager.open() to reject non-empty invalid session files without overwriting them (#6002).
  • Fixed user-message transcript rendering to keep visible backslashes in Markdown escape sequences such as \" (#6105).
  • Fixed assistant messages stopped by output length to show a visible incomplete-response error (#4290).
  • Fixed --no-session --session-id so ephemeral CLI runs can use deterministic session IDs for provider cache affinity (#6070).
  • Fixed disk BMP image files to be detected, converted to PNG, and attached through read and CLI @file inputs (#6047).
  • Fixed auto-retry for provider stream errors that explicitly tell callers to retry the request (#6019).
Changelog

Sourced from @​earendil-works/pi-ai's changelog.

[0.80.3] - 2026-06-30

Added

  • Added Anthropic Claude Sonnet 5 model metadata for Anthropic-compatible, Bedrock, OpenRouter, and Vercel AI Gateway providers.
  • Added Azure OpenAI Responses support for modern Microsoft Foundry endpoint URLs (#6004 by @​gukoff).
  • Added an optional reasoning field to Usage reporting reasoning/thinking token counts as a subset of output. Populated for Anthropic (output_tokens_details.thinking_tokens), OpenAI Responses/Codex/Azure (output_tokens_details.reasoning_tokens), OpenAI Completions (completion_tokens_details.reasoning_tokens), and Google Generative AI / Vertex (thoughtsTokenCount). Bedrock Converse and Mistral are not populated because those APIs do not return a reasoning token breakdown (#6057).

Changed

  • Changed OpenAI Codex Responses SSE response-header waits to use the configured HTTP timeout instead of the previous fixed 20 second timeout, reducing false timeouts on slow connections (#4945).

Fixed

  • Fixed Claude Sonnet 5 metadata to use adaptive thinking payloads for Anthropic-compatible and Bedrock requests.
  • Fixed generated Xiaomi MiMo model pricing to match current pay-as-you-go pricing from models.dev (#6138).
  • Fixed provider HTTP errors to include response bodies instead of opaque SDK messages (#5832 by @​stephanmck).
  • Fixed streamSimple() to send a context-aware max-token cap so providers that count input and output against one context window do not reject long requests (#5595).
  • Fixed OpenAI Responses streams to preserve reasoning replay state when output items finish out of order (#6009).
  • Fixed retry classification for provider errors that explicitly tell callers to retry the request (#6019).
  • Fixed Z.AI preserved thinking requests to send thinking.clear_thinking: false when thinking is enabled, allowing replayed reasoning_content to participate in provider caching (#6083).
Commits
  • a23abe4 Release v0.80.3
  • f98a154 docs: audit changelog entries
  • 5c1a297 fix(ai): update generated model catalogue
  • 3d6acb3 fix(ai): regenerate model catalog
  • 6fbeba5 Merge pull request #5832 from stephanmck/fix/provider-error-body-passthrough-...
  • b91bdd5 fix(ai): preserve Z.AI thinking content
  • 5411373 fix(ai): use HTTP timeout for Codex SSE headers
  • 09f1059 fix(ai): clamp streamSimple max tokens
  • f78b163 fix(ai): revert minimax max token clamp
  • 62fad94 fix(ai): surface provider HTTP error body instead of opaque SDK message
  • Additional commits viewable in compare view

Updates oxlint-tsgolint from 0.23.0 to 0.24.0

Release notes

Sourced from oxlint-tsgolint's releases.

v0.24.0

What's Changed

... (truncated)

Commits
  • 5a37e89 fix(dot-notation): determine the relevant accessor (#1028)
  • 67a281f perf(consistent-return): defer per-function type resolution (#1031)
  • a5e2ff0 perf(no-unnecessary-qualifier): skip symbol resolution outside namespaces. (#...
  • a8fc668 perf(no-confusing-void-expression): check ancestor position before type query...
  • 03158cc perf(no-unnecessary-type-conversion): hoist constant builtin-name slices (#1040)
  • d9e645c perf(prefer-optional-chain): lazily allocate chain-processor caches (#1041)
  • 63f578a refactor(no-unnecessary-condition): remove dead containsUnguardedElementAcces...
  • f174876 chore(deps): update gomod (#1035)
  • 47de9cf chore(deps): update github actions (#1036)
  • e209b5b chore(deps): update actions/cache action to v6 (#1037)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 2 updates: [@earendil-works/pi-ai](https://github.com/earendil-works/pi/tree/HEAD/packages/ai) and [oxlint-tsgolint](https://github.com/oxc-project/tsgolint).


Updates `@earendil-works/pi-ai` from 0.80.2 to 0.80.3
- [Release notes](https://github.com/earendil-works/pi/releases)
- [Changelog](https://github.com/earendil-works/pi/blob/main/packages/ai/CHANGELOG.md)
- [Commits](https://github.com/earendil-works/pi/commits/v0.80.3/packages/ai)

Updates `oxlint-tsgolint` from 0.23.0 to 0.24.0
- [Release notes](https://github.com/oxc-project/tsgolint/releases)
- [Commits](oxc-project/tsgolint@v0.23.0...v0.24.0)

---
updated-dependencies:
- dependency-name: "@earendil-works/pi-ai"
  dependency-version: 0.80.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: oxlint-tsgolint
  dependency-version: 0.24.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 8, 2026
@clawsweeper

clawsweeper Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codex review: needs maintainer review before merge. Reviewed July 8, 2026, 1:29 AM ET / 05:29 UTC.

Summary
The PR bumps @earendil-works/pi-ai from 0.80.2 to 0.80.3 and oxlint-tsgolint from 0.23.0 to 0.24.0 in package.json and pnpm-lock.yaml.

Reproducibility: not applicable. This PR is a dependency refresh, not a reported bug. Source inspection shows the runtime and lint surfaces affected by the updated packages.

Review metrics: 2 noteworthy metrics.

  • Changed files: 2 modified. The diff is limited to the root manifest and lockfile, which keeps review focused on dependency impact.
  • Dependency updates: 1 production patch, 1 development minor. The production pi-ai update can affect runtime LLM behavior, while oxlint-tsgolint affects lint tooling.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🌊 off-meta tidepool
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • Wait for the in-progress CI jobs to complete before merging.

Risk before merge

  • [P1] CI jobs for test (24) and extension-e2e were still in progress at review time, so merge should wait for their final result.
  • [P1] The production dependency participates in LLM request and streaming paths, so live provider behavior remains normal dependency-review risk even though no concrete regression is visible in the diff.

Maintainer options:

  1. Decide the mitigation before merge
    Let CI finish and merge the narrow dependency refresh if checks stay green; otherwise recreate or rebase Dependabot after addressing any real failures.
  2. Pause or close
    Do not merge this PR until maintainers decide whether the risk is worth taking.

Next step before merge

  • No ClawSweeper repair lane is needed because the diff is a routine Dependabot update with no concrete code defect.

Security
Cleared: Reviewed the dependency and lockfile changes; no concrete security or supply-chain issue was found beyond normal dependency CI gating.

Review details

Best possible solution:

Let CI finish and merge the narrow dependency refresh if checks stay green; otherwise recreate or rebase Dependabot after addressing any real failures.

Do we have a high-confidence way to reproduce the issue?

Not applicable; this PR is a dependency refresh, not a reported bug. Source inspection shows the runtime and lint surfaces affected by the updated packages.

Is this the best way to solve the issue?

Yes, the dependency refresh is narrow and maintainable: it updates only package.json and pnpm-lock.yaml, with merge gated by CI and normal dependency review.

AGENTS.md: found and applied where relevant.

Codex review notes: model internal, reasoning high; reviewed against 206a6f844764.

Label changes

Label changes:

  • add P3: This is a routine dependency maintenance PR with limited diff scope and no confirmed user-facing regression.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply.

Label justifications:

  • P3: This is a routine dependency maintenance PR with limited diff scope and no confirmed user-facing regression.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🌊 off-meta tidepool and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Not applicable: This is a Dependabot bot dependency update, so the external contributor real-behavior proof gate does not apply.
Evidence reviewed

What I checked:

  • Repository policy applied: AGENTS.md was read fully; its dependency policy requires stable releases to wait 7 days before adoption, which was checked for both updated packages. (AGENTS.md:1, 206a6f844764)
  • PR diff scope: The PR changes only package.json and pnpm-lock.yaml, updating one direct production dependency and one direct dev dependency plus lockfile transitive resolution. (package.json:83, 1d3913858377)
  • Runtime dependency surface: @earendil-works/pi-ai is imported by the LLM generation path, including completeSimple in generate-text and streamSimple in generate-text-stream. (src/llm/generate-text.ts:1, 206a6f844764)
  • Lint dependency surface: oxlint-tsgolint is paired with the repository's oxlint lint command through the root dev dependency and lockfile resolution. (package.json:49, 206a6f844764)
  • Stabilization check: Both upstream releases are stable, non-prerelease releases published on 2026-06-30, satisfying the 7-day stabilization rule on 2026-07-08.
  • Area history: Recent dependency and LLM provider history points primarily to steipete, with adjacent Anthropic/provider work from wangwllu. (src/llm/generate-text.ts:1, 152d47307c2f)

Likely related people:

  • steipete: Recent package/dependency updates and the pi-ai compatibility import change are authored under this handle in current main history. (role: recent area contributor; confidence: high; commits: 288bec056698, 2506a2ab718b, 152d47307c2f; files: package.json, pnpm-lock.yaml, src/llm/generate-text.ts)
  • wangwllu: Recent Anthropic/provider changes touch the same pi-ai-backed provider adapter area that this production dependency can affect. (role: recent provider contributor; confidence: medium; commits: 81db08c9cc8d, f495679c7a85; files: src/llm/providers/anthropic.ts, src/llm/generate-text.ts)
What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

@clawsweeper clawsweeper Bot added rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR. P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. labels Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code P3 Low-risk cleanup, docs, polish, ergonomics, or speculative feature. rating: 🐚 platinum hermit Good normal PR readiness with ordinary maintainer review expected. status: 👀 ready for maintainer look ClawSweeper has no concrete contributor-facing blocker left for this PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants