
chore(deps): bump geohash-kit from 1.5.1 to 1.6.0 in the production-dependencies group across 1 directory #2

Merged
TheCryptoDonkey merged 1 commit into main from dependabot/npm_and_yarn/production-dependencies-fc2bd25362
Apr 12, 2026

@dependabot dependabot Bot commented on behalf of github Apr 12, 2026

Bumps the production-dependencies group with 1 update in the / directory: geohash-kit.

Updates geohash-kit from 1.5.1 to 1.6.0

Release notes

Sourced from geohash-kit's releases.

v1.6.0

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes hundreds of transitive devDependencies, hardens the pre-publish path with gated secret scanning, exports-map verification, frozen-vector gating, and runtime-only npm audit, and replaces the workflow-env NPM_CONFIG_PROVENANCE=true pattern (fragile on npm 11.6+) with publishConfig.provenance: true in package.json. No runtime or API changes for consumers.

Why

semantic-release's bundled npm CLI brings chronic Dependabot noise that does not affect published artefacts, and its transitive devDependency graph is large enough to conflict with the supply-chain posture a cryptography-adjacent library should hold itself to. The replacement is a pure-bash release tool with hard pre-publish gates. The existing frozen-vector check (npm run vectors:check) is now a release-blocking gate rather than a CI-only check — a drift in encoded output will refuse the publish until either the vectors or the implementation are explicitly updated.

geohash-kit is the second consumer of forgesworn/release-action after nsec-tree@1.5.0. This migration validates that the pattern generalises beyond a single library.

Artefact integrity

file:      geohash-kit-1.6.0.tgz
size:      30374 bytes
sha256:    ce02d07ccbc25a1a3a000e59b093e9c9e5bc61dea31b1c4f496ba238935f51b1
sha512-ksdw2ahCaJVTLYpCYS7RFq316BWSOiHxiWTGJewSNza9sdy9gepWJxVxNzgc/AgQtvxLDPyf30x0lbfHKMZRAg==

Verify against the registry tarball:

curl -sLO https://registry.npmjs.org/geohash-kit/-/geohash-kit-1.6.0.tgz
shasum -a 256 geohash-kit-1.6.0.tgz

v1.5.3

1.5.3 (2026-03-20)

Bug Fixes

  • correct copyright to TheCryptoDonkey (8c18561)

v1.5.2

1.5.2 (2026-03-18)

Bug Fixes

  • repair broken tags and update CHANGELOG URLs after org transfer (aeab662)

Changelog

Sourced from geohash-kit's changelog.

1.6.0 (2026-04-11)

Changed

  • migrate release tooling from semantic-release to forgesworn/release-action. Removes hundreds of transitive devDependencies, hardens the pre-publish path with gated secret scanning, exports-map verification, frozen-vector gating, and runtime-only npm audit, and replaces the workflow-env NPM_CONFIG_PROVENANCE=true pattern (fragile on npm 11.6+) with publishConfig.provenance: true in package.json. No runtime or API changes for consumers.

Why

semantic-release's bundled npm CLI brings chronic Dependabot noise that does not affect published artefacts, and its transitive devDependency graph is large enough to conflict with the supply-chain posture a cryptography-adjacent library should hold itself to. The replacement is a pure-bash release tool with hard pre-publish gates. The existing frozen-vector check (npm run vectors:check) is now a release-blocking gate rather than a CI-only check — a drift in encoded output will refuse the publish until either the vectors or the implementation are explicitly updated.

geohash-kit is the second consumer of forgesworn/release-action after nsec-tree@1.5.0. This migration validates that the pattern generalises beyond a single library.

1.5.3 (2026-03-20)

Bug Fixes

  • correct copyright to TheCryptoDonkey (8c18561)

1.5.2 (2026-03-18)

Bug Fixes

  • repair broken tags and update CHANGELOG URLs after org transfer (aeab662)

Commits
  • 2976007 chore: enable Dependabot and secret scanning
  • 96a5b7d chore: migrate release tooling to forgesworn/release-action
  • 0d33169 docs: fix llms.txt coordinate-order warning, context7.json metadata, package....
  • 1c65f9f docs: add rendezvous-kit to ecosystem table
  • 2085cde chore: update .gitignore with local tool directories
  • bc21f2c docs: add AI discoverability files
  • 7180944 docs: update context7.json for library claim
  • 6b30870 docs: add context7.json for AI discoverability
  • 5d67e30 docs: add ecosystem cross-links, subpath exports, and coordinate order warning
  • ebf0d46 docs: add SECURITY.md
  • Additional commits viewable in compare view
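
The "Artefact integrity" values in the release notes above (size, sha256 hex, and a `sha512-` string in the same form npm records as `integrity` in a lockfile) can be checked together in Node. This is an added example, not code from geohash-kit or forgesworn/release-action; the function names `strongestSri` and `verifyArtefact` are hypothetical and the sample input is constructed.

```javascript
// Added example: check tarball bytes against a published size, sha256 and
// SRI-style integrity string. Function names are illustrative assumptions.
const nodeCrypto = require("node:crypto");

// Algorithms accepted in an integrity string, weakest to strongest.
const SRI_ALGOS = ["sha256", "sha384", "sha512"];

// Parse "sha512-<base64> sha256-<base64>" and keep only the entries for the
// strongest algorithm present, so a weaker hash cannot stand in for a stronger one.
function strongestSri(integrity) {
  const entries = String(integrity).trim().split(/\s+/).map((item) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(item);
    return m ? { algo: m[1], digest: m[2] } : null;
  }).filter(Boolean);
  const best = Math.max(-1, ...entries.map((e) => SRI_ALGOS.indexOf(e.algo)));
  return entries.filter((e) => SRI_ALGOS.indexOf(e.algo) === best);
}

// Returns { size, sha256, integrity, ok }. Every check fails closed: a missing
// or unparseable expected value counts as a mismatch, never as a pass.
function verifyArtefact(bytes, expected) {
  const hash = (algo, enc) => nodeCrypto.createHash(algo).update(bytes).digest(enc);
  const size = bytes.length === expected.size;
  const sha256 = typeof expected.sha256 === "string" &&
    hash("sha256", "hex") === expected.sha256.toLowerCase();
  const candidates = strongestSri(expected.integrity);
  const integrity = candidates.some((e) => hash(e.algo, "base64") === e.digest);
  return { size, sha256, integrity, ok: size && sha256 && integrity };
}

// Constructed sample: a three-byte stand-in for a tarball, so the block runs offline.
const sample = Buffer.from("abc");
const published = {
  size: 3,
  sha256: "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
  integrity: "sha512-" + nodeCrypto.createHash("sha512").update(sample).digest("base64"),
};
console.log(verifyArtefact(sample, published));
console.log(verifyArtefact(Buffer.from("abd"), published).ok);
```

For the release above, `bytes` would be the contents of geohash-kit-1.6.0.tgz and `expected` the size, sha256 and `sha512-` values listed under Artefact integrity.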

@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 12, 2026
@dependabot dependabot Bot changed the title from "chore(deps): bump geohash-kit from 1.5.1 to 1.6.0 in the production-dependencies group" to "chore(deps): bump geohash-kit from 1.5.1 to 1.6.0 in the production-dependencies group across 1 directory" Apr 12, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-fc2bd25362 branch from b11f1b5 to 4e8d6c8 April 12, 2026 11:31
Bumps the production-dependencies group with 1 update: [geohash-kit](https://github.com/forgesworn/geohash-kit).


Updates `geohash-kit` from 1.5.1 to 1.6.0
- [Release notes](https://github.com/forgesworn/geohash-kit/releases)
- [Changelog](https://github.com/forgesworn/geohash-kit/blob/main/CHANGELOG.md)
- [Commits](forgesworn/geohash-kit@v1.5.1...v1.6.0)

---
updated-dependencies:
- dependency-name: geohash-kit
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/production-dependencies-fc2bd25362 branch from 4e8d6c8 to d40e059 April 12, 2026 20:10
@TheCryptoDonkey TheCryptoDonkey merged commit 6acd687 into main Apr 12, 2026
1 check passed
@TheCryptoDonkey TheCryptoDonkey deleted the dependabot/npm_and_yarn/production-dependencies-fc2bd25362 branch April 12, 2026 20:48