fix(deps): revert TypeScript 6.0 upgrade, ignore pygments CVE, block major bumps

GenerQAQ · GenerQAQ · commit 1641d491e637 · 2026-03-25T12:19:30.000+08:00
- Revert TypeScript from ^6.0.2 to ^5.9.3 in openclaw and claude-code (ts-jest requires TypeScript <6, TS6 breaks @types/node resolution) - Ignore CVE-2026-4539 (pygments ReDoS, low severity, no fix available) - Add ignore semver-major to all npm dependabot entries missing it (sandbox/cloudflare, sandbox-cloudflare, openclaw, claude-code)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -96,6 +96,9 @@ updates:
       dependencies:
         patterns:
           - "*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "npm"
     directory: "/src/packages/sandbox-cloudflare"
@@ -109,6 +112,9 @@ updates:
       dependencies:
         patterns:
           - "*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "npm"
     directory: "/src/packages/openclaw"
@@ -122,6 +128,9 @@ updates:
       dependencies:
         patterns:
           - "*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "npm"
     directory: "/src/packages/claude-code"
@@ -135,6 +144,9 @@ updates:
       dependencies:
         patterns:
           - "*"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major"]
 
   - package-ecosystem: "npm"
     directory: "/docs"
diff --git a/.github/workflows/security-reusable.yaml b/.github/workflows/security-reusable.yaml
@@ -58,7 +58,7 @@ jobs:
             echo "🔍 Auditing $dir..."
             cd $dir
             uv export --format requirements-txt --no-hashes --no-dev > reqs.txt
-            pip-audit -r reqs.txt
+            pip-audit -r reqs.txt --ignore-vuln CVE-2026-4539  # pygments ReDoS (low severity), no fix available yet
             rm reqs.txt
             cd - > /dev/null
           done
diff --git a/src/packages/claude-code/package-lock.json b/src/packages/claude-code/package-lock.json
diff --git a/src/packages/claude-code/package.json b/src/packages/claude-code/package.json
@@ -23,7 +23,7 @@
     "@types/node": "^25.5.0",
     "esbuild": "^0.27.4",
     "tsx": "^4.21.0",
-    "typescript": "^6.0.2",
+    "typescript": "^5.9.3",
     "vitest": "^4.1.1"
   }
 }
diff --git a/src/packages/openclaw/package.json b/src/packages/openclaw/package.json
@@ -39,7 +39,7 @@
 		"@types/jest": "^30.0.0",
 		"jest": "^30.3.0",
 		"ts-jest": "^29.4.6",
-		"typescript": "^6.0.2"
+		"typescript": "^5.9.3"
 	},
 	"openclaw": {
 		"extensions": [
diff --git a/src/server/core/uv.lock b/src/server/core/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@`
`23`	`23`	`"@types/node": "^25.5.0",`
`24`	`24`	`"esbuild": "^0.27.4",`
`25`	`25`	`"tsx": "^4.21.0",`
`26`		`- "typescript": "^6.0.2",`
	`26`	`+ "typescript": "^5.9.3",`
`27`	`27`	`"vitest": "^4.1.1"`
`28`	`28`	`}`
`29`	`29`	`}`