LunaroptAI2

[KalCola]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's foundational health by introducing a formal security policy and performing a large-scale update of its npm dependencies. The dependency refresh aims to leverage the latest features, bug fixes, and security patches from various libraries, thereby modernizing the codebase and mitigating risks associated with outdated packages. This ensures the project remains robust, secure, and aligned with current development standards.

Highlights

• Security Policy Addition: A new SECURITY.md file was added to the repository, providing clear guidelines on the project's security policy, supported versions, and procedures for reporting vulnerabilities.
• Comprehensive Dependency Updates: Numerous npm dependencies across the project have been updated to their latest stable versions. This includes significant version bumps for core packages like @mermaid-js/parser, langium, marked, package-manager-detector, es-module-lexer, and webpack, ensuring improved compatibility, performance, and security.
• Dependency Tree Optimization: Several direct and nested dependencies, such as @antfu/utils, kolorist, local-pkg, and regenerator-runtime, were removed, contributing to a leaner and more efficient dependency graph. Additionally, redundant nested ajv and schema-utils instances within webpack's node_modules were eliminated.

Changelog

• SECURITY.md
  • Added a new security policy document outlining supported versions and vulnerability reporting procedures.
• package-lock.json
  • Updated @antfu/install-pkg from 1.0.0 to 1.1.0.
  • Removed @antfu/utils dependency.
  • Updated @babel/* packages to newer versions (e.g., @babel/code-frame from 7.26.2 to 7.29.0).
  • Updated @chevrotain/* packages from 11.0.3 to 11.1.2.
  • Updated @iconify/utils from 2.3.0 to 3.1.0, streamlining its internal dependencies.
  • Updated @mermaid-js/parser from 0.3.0 to 1.0.0.
  • Updated acorn from 8.14.0 to 8.16.0 and added acorn-import-phases.
  • Updated ajv from 8.17.1 to 8.18.0.
  • Added baseline-browser-mapping dependency.
  • Updated body-parser from 1.20.3 to 1.20.4, including nested dependency updates.
  • Updated browserslist from 4.24.4 to 4.28.1, along with its related dependencies.
  • Updated caniuse-lite from 1.0.30001699 to 1.0.30001774.
  • Updated chevrotain from 11.0.3 to 11.1.2.
  • Updated compression from 1.7.5 to 1.8.1.
  • Updated core-js-pure from 3.40.0 to 3.48.0.
  • Updated dagre-d3-es from 7.0.11 to 7.0.13.
  • Updated dayjs from 1.11.13 to 1.11.19.
  • Updated dompurify from 3.2.4 to 3.3.1.
  • Updated electron-to-chromium from 1.5.96 to 1.5.302.
  • Updated enhanced-resolve from 5.18.1 to 5.20.0.
  • Updated es-module-lexer from 1.6.0 to 2.0.0.
  • Updated express from 4.21.2 to 4.22.1.
  • Updated js-yaml from 4.1.0 to 4.1.1.
  • Updated katex from 0.16.21 to 0.16.33.
  • Removed kolorist and local-pkg dependencies.
  • Updated langium from 3.0.0 to 4.2.1, including new engine requirements.
  • Updated loader-runner from 4.3.0 to 4.3.1.
  • Updated lodash and lodash-es from 4.17.21 to 4.17.23.
  • Updated marked from 13.0.3 to 16.4.2, with updated Node.js engine requirement.
  • Updated mermaid from 11.4.1 to 11.12.3, including numerous sub-dependency updates.
  • Updated mlly from 1.7.4 to 1.8.0.
  • Updated node-forge from 1.3.1 to 1.3.3.
  • Updated node-releases from 2.0.19 to 2.0.27.
  • Updated on-headers from 1.0.2 to 1.1.0.
  • Updated package-manager-detector from 0.2.9 to 1.6.0.
  • Updated prismjs from 1.29.0 to 1.30.0.
  • Updated qs from 6.13.0 to 6.14.2.
  • Updated raw-body from 2.5.2 to 2.5.3, including nested dependency updates.
  • Removed regenerator-runtime dependency.
  • Updated schema-utils from 4.3.0 to 4.3.3.
  • Updated tapable from 2.2.1 to 2.3.0.
  • Updated terser-webpack-plugin from 5.3.11 to 5.3.16.
  • Updated tinyexec from 0.3.2 to 1.0.2.
  • Updated ufo from 1.5.4 to 1.6.3.
  • Updated update-browserslist-db from 1.1.2 to 1.2.3.
  • Updated vscode-uri from 3.0.8 to 3.1.0.
  • Updated watchpack from 2.4.2 to 2.5.1.
  • Updated webpack from 5.97.1 to 5.105.3, including numerous sub-dependency updates and removal of several nested ajv and schema-utils packages.
  • Updated webpack-sources from 3.2.3 to 3.3.4.

Ignored Files

• Ignored by pattern: .github/workflows/** (3)
  • .github/workflows/dependency-review.yml
  • .github/workflows/ethicalcheck.yml
  • .github/workflows/mobsf.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds a SECURITY.md file and updates project dependencies. The new security policy file is a good addition, but it currently contains placeholder text from a template. It's important to fill this out with your project's specific details for supported versions and the vulnerability reporting process to ensure users and contributors have clear guidance.

In general, the fix is to explicitly declare a restrictive permissions block for the workflow or for the individual job, rather than relying on repository/organization defaults. For a simple CI workflow that only checks out code and runs builds/tests, contents: read is typically sufficient and matches the minimal access CodeQL suggests.

The best fix here is to add a root-level permissions block right under the workflow name (or under on:) so it applies to all jobs that don’t override it. Since the build job only uses actions/checkout and runs local Node.js commands (npm ci, npm run build, npm test) and does not interact with issues, PRs, or packages, it only needs read access to repository contents. Concretely, in .github/workflows/node.js.yml, add:

permissions:
  contents: read

near the top of the file, without changing any existing steps or behavior. No additional imports or methods are needed, as this is purely a YAML configuration change.

[KalCola]

u