☕ chore (deps): bump actions and npm dependencies

[warengonzaga]

This pull request updates several dependencies and configuration files to improve security, maintainability, and ensure compatibility with the latest tools. The main changes include updating GitHub Actions workflow versions, specifying the target branch for Dependabot updates, and upgrading key package dependencies across the project.

Dependency and configuration updates:

• Updated GitHub Actions workflows to use specific, latest versions for improved security and reliability:

  • .github/workflows/codeql.yml: Upgraded codeql-action steps to v4 with commit SHA references.
  • .github/workflows/landing.yml: Updated actions/upload-pages-artifact to v4 with a commit SHA reference.
  • .github/workflows/package.yml: Updated actions/setup-node to v6 with a commit SHA reference.

• Dependabot configuration improvements:

  • .github/dependabot.yml: Set target-branch to dev for npm, GitHub Actions, and Docker updates to ensure dependency updates are proposed against the correct branch. [1] [2] [3]

Package dependency upgrades:

• Root and workspace dependency updates:
  • package.json: Upgraded @types/node from ^22.10.0 to ^25.3.0.
  • src/landing/package.json: Upgraded @sveltejs/vite-plugin-svelte from ^6.1.4 to ^7.0.0.
  • src/web/package.json: Upgraded marked from ^12.0.2 to ^17.0.3 and @sveltejs/vite-plugin-svelte from ^6.1.4 to ^7.0.0.

[github-actions]

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

Package	Version	Status	Install
@tinyclaw/plugins	2.0.0-dev.ac5c5a7	✅ Published	npm i @tinyclaw/plugins@2.0.0-dev.ac5c5a7
@tinyclaw/types	2.0.0-dev.ac5c5a7	✅ Published	npm i @tinyclaw/types@2.0.0-dev.ac5c5a7
tinyclaw	2.0.0-dev.ac5c5a7	✅ Published	npm i tinyclaw@2.0.0-dev.ac5c5a7
@tinyclaw/plugin-channel-discord	2.0.0-dev.ac5c5a7	✅ Published	npm i @tinyclaw/plugin-channel-discord@2.0.0-dev.ac5c5a7
@tinyclaw/plugin-channel-friends	2.0.0-dev.ac5c5a7	✅ Published	npm i @tinyclaw/plugin-channel-friends@2.0.0-dev.ac5c5a7
@tinyclaw/plugin-provider-openai	2.0.0-dev.ac5c5a7	✅ Published	npm i @tinyclaw/plugin-provider-openai@2.0.0-dev.ac5c5a7

📥 Quick Install (changed packages)

npm i @tinyclaw/types@2.0.0-dev.ac5c5a7 @tinyclaw/plugins@2.0.0-dev.ac5c5a7 @tinyclaw/plugin-channel-discord@2.0.0-dev.ac5c5a7 @tinyclaw/plugin-channel-friends@2.0.0-dev.ac5c5a7 @tinyclaw/plugin-provider-openai@2.0.0-dev.ac5c5a7 tinyclaw@2.0.0-dev.ac5c5a7

---

This package was built automatically by the Package Build Flow action.

[github-actions]

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

Package	Version	Status	Install
@tinyclaw/plugins	2.0.0-dev.8d17315	✅ Published	npm i @tinyclaw/plugins@2.0.0-dev.8d17315
@tinyclaw/types	2.0.0-dev.8d17315	✅ Published	npm i @tinyclaw/types@2.0.0-dev.8d17315
tinyclaw	2.0.0-dev.8d17315	✅ Published	npm i tinyclaw@2.0.0-dev.8d17315
@tinyclaw/plugin-channel-discord	2.0.0-dev.8d17315	✅ Published	npm i @tinyclaw/plugin-channel-discord@2.0.0-dev.8d17315
@tinyclaw/plugin-channel-friends	2.0.0-dev.8d17315	✅ Published	npm i @tinyclaw/plugin-channel-friends@2.0.0-dev.8d17315
@tinyclaw/plugin-provider-openai	2.0.0-dev.8d17315	✅ Published	npm i @tinyclaw/plugin-provider-openai@2.0.0-dev.8d17315

📥 Quick Install (changed packages)

npm i @tinyclaw/types@2.0.0-dev.8d17315 @tinyclaw/plugins@2.0.0-dev.8d17315 @tinyclaw/plugin-channel-discord@2.0.0-dev.8d17315 @tinyclaw/plugin-channel-friends@2.0.0-dev.8d17315 @tinyclaw/plugin-provider-openai@2.0.0-dev.8d17315 tinyclaw@2.0.0-dev.8d17315

---

This package was built automatically by the Package Build Flow action.

[Copilot]

Pull request overview

This PR updates CI/dependency automation configuration and bumps several JavaScript/GitHub Actions dependencies to newer versions as part of routine maintenance for the repo’s monorepo tooling and Svelte/Vite apps.

Changes:

• Bump GitHub Actions used in workflows (CodeQL, Pages artifact upload, setup-node) and pin to specific SHAs.
• Configure Dependabot to target the dev branch for npm, GitHub Actions, and Docker updates.
• Upgrade selected npm dependencies across root and workspace packages (notably @types/node, marked, and @sveltejs/vite-plugin-svelte) and refresh bun.lock.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/web/package.json	Bumps marked and @sveltejs/vite-plugin-svelte for the web UI workspace.
src/landing/package.json	Bumps @sveltejs/vite-plugin-svelte for the landing page workspace.
package.json	Updates root @types/node.
bun.lock	Lockfile refresh reflecting the dependency upgrades and new resolutions.
.github/workflows/package.yml	Pins actions/setup-node to a newer SHA.
.github/workflows/landing.yml	Updates actions/upload-pages-artifact to a newer pinned SHA.
.github/workflows/codeql.yml	Updates CodeQL action steps to a newer pinned SHA.
.github/dependabot.yml	Sets Dependabot target-branch: dev across ecosystems.

Comments suppressed due to low confidence (1)

src/web/package.json:35

• @sveltejs/vite-plugin-svelte@^7.0.0 declares peer deps for vite ^8 and svelte ^5.46.4 (as resolved in bun.lock), but this workspace is still on vite ^7.2.4 and svelte ^5.20.1. That version mismatch is likely to cause build/runtime issues; either revert the plugin upgrade to a Vite 7-compatible version or upgrade Vite/Svelte and verify compatibility with @tailwindcss/vite and the rest of the toolchain.

    "@sveltejs/vite-plugin-svelte": "^7.0.0",
    "@tailwindcss/vite": "^4.1.18",
    "@types/qrcode": "^1.5.6",
    "tailwindcss": "^4.1.18",
    "vite": "^7.2.4"

[github-actions]

🛠️ Container Build Complete - Dev Build

Build Status: ✅ Success
Flow Type: dev
Description: Development and testing

---

📦 Pull Image

Docker Hub: docker pull warengonzaga/tinyclaw:dev-414a285

GHCR: docker pull ghcr.io/warengonzaga/tinyclaw:dev-414a285

---

📋 Build Details

Property	Value
Flow Type	dev
Commit	414a285
Registry	Docker Hub + GHCR

🏷️ Image Tags

• warengonzaga/tinyclaw:dev-414a285
• ghcr.io/warengonzaga/tinyclaw:dev-414a285

---

🔍 Testing Your Changes

1. Pull the image using one of the commands above
2. Run the container with your test configuration
3. Verify the changes work as expected
4. Report any issues in this PR

---

🚀 Quick Start

# Pull and run the container
Docker Hub: docker pull warengonzaga/tinyclaw:dev-414a285
docker run <your-options> <image>

---

---

🔒 Security Scan Results

📋 Pre-Build Security Checks

✅ Source Code Scan: 0 vulnerabilities found
✅ Dockerfile Scan: 0 misconfigurations found

🐳 Container Image Vulnerabilities

Severity	Count
Total	0

📊 Detailed Security Reports

View detailed vulnerability reports in the GitHub Security tab.

---

_{🤖 Powered by Container Build Flow Action v1.2.0
💻 with ❤️ by Waren Gonzaga under WG Technology Labs, and Him 🙏}

[github-actions]

📦 Package Build Flow — Monorepo Build

🔀 Pull Request Build — Pre-release package for testing PR changes

Package	Version	Status	Install
@tinyclaw/plugins	2.0.0-dev.edd6d07	⚠️ Built (not published)	—
@tinyclaw/types	2.0.0-dev.edd6d07	⚠️ Built (not published)	—
tinyclaw	2.0.0-dev.edd6d07	✅ Published	npm i tinyclaw@2.0.0-dev.edd6d07
@tinyclaw/plugin-channel-discord	2.0.0-dev.edd6d07	⚠️ Built (not published)	—
@tinyclaw/plugin-channel-friends	2.0.0-dev.edd6d07	✅ Published	npm i @tinyclaw/plugin-channel-friends@2.0.0-dev.edd6d07
@tinyclaw/plugin-provider-openai	2.0.0-dev.edd6d07	⚠️ Built (not published)	—

📥 Quick Install (changed packages)

npm i @tinyclaw/plugin-channel-friends@2.0.0-dev.edd6d07 tinyclaw@2.0.0-dev.edd6d07

---

This package was built automatically by the Package Build Flow action.