Latest CI Pipeline Executions
31c194e2 ci(security): harden CI/CD supply chain and bump pnpm to 11.1.1 (#436)
* chore(deps): upgrade pnpm to 11.1.1
Bumps the corepack-managed pnpm version across the root and the four
Angular example workspaces. pnpm 11 refuses to run install scripts by
default; declare a minimal allowBuilds allowlist in pnpm-workspace.yaml
so only the two packages whose postinstalls the build actually needs
(esbuild, nx) are permitted. The other eight transitively-pulled
postinstalls (sharp, lmdb, workerd, etc.) all fall back to JS paths
or are unused during build, and are explicitly denied.
Also pin the preinstall guard to only-allow@1.2.2 so it no longer
resolves a floating tag from npm on every install.
* ci(security): pin actions to SHAs and harden CI/CD supply chain
Replaces every mutable workflow reference (@main, @v1, @v3, @v4,
@v6.0.2) with a 40-char commit SHA + version comment so Renovate can
keep them current. Composite actions in TanStack/config — previously
pinned to @main — are the highest-impact change: a force-push or
compromised commit there would have given an attacker the npm OIDC
publishing identity plus contents/issues/PR write tokens on the next
push to main.
Other changes in this commit:
- release.yml: set cancel-in-progress: false so a re-push cannot abort
changesets/action mid-publish and leave partial versions on npm.
Add environment: release so required reviewers can be configured in
repo settings for an explicit human gate before publish.
- triage-agent.yml: add a "SECURITY: Untrusted input" preamble to the
Warp agent prompt. The agent reads attacker-controlled issue text,
so it must treat that text strictly as data and refuse instructions
embedded inside it. Also corrected the bug-report template path
(bug-report.yml -> bug_report.yml) that the agent was failing to
load.
- check-skills.yml / validate-skills.yml: pin @tanstack/intent to a
specific version; npm install -g without a version was floating.
- pr.yml preview job: pin pkg-pr-new to a specific version; pnpx
without a version was floating.
- .github/renovate.json: drop :automergeMinor. Combined with floating
versions this could have landed a malicious patch without review.
- .github/CODEOWNERS (new): require owner review on workflows, package
manifests, lockfile, .npmrc, and renovate config. Adjust the owner
handle to a team once one exists.
- .github/workflows/dependency-review.yml (new): runs
actions/dependency-review-action on every PR with
fail-on-severity: high to block PRs that introduce known-vulnerable
transitive dependencies.
* ci(security): bump TanStack/config pin to latest main SHA
* fix(ci): correct preinstall skip logic for CI
The original `||`-chained preinstall printed "Skipping preinstall..." in
CI but then ran only-allow anyway because `process.exit(1)` triggers
the `||` operator. CI happened to pass when only-allow was unpinned
(npx resolved it differently), but pinning to @1.2.2 forced a fresh
registry resolve in which only-allow strictly checks
npm_config_user_agent — which, when invoked via npx-inside-pnpm, is
npm's, not pnpm's — and rejects.
The fix matches the script's stated intent: when CI=true, exit 0 so
the `||` does not trigger and only-allow is genuinely skipped. Local
installs continue to fall through and enforce pnpm via only-allow as
before.

644bcb3e feat: add @tanstack/intent agent skills (#377)
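The `||` short-circuit bug described in the fix(ci) note of commit 31c194e2 above, as an added example that is not code from the repository or from either commit: the package.json preinstall guard is modelled as two shell functions (original and fixed), `only_allow_stub` is a hypothetical stand-in for only-allow that records whether it ran and mirrors its user-agent check, and `run_preinstall` wires them together in the same `guard || only-allow` shape the script used.

```shell
#!/bin/sh
# Added example (not the repository's code). Models the preinstall script
# from commit 31c194e2 so the `||` short-circuit can be exercised directly.
# only_allow_stub is a hypothetical stand-in for `only-allow pnpm`.

ONLY_ALLOW_RAN=0

# Stand-in for `only-allow pnpm`: records that it ran, then mirrors the real
# tool's check of npm_config_user_agent (passed in here as $1). Under
# npx-inside-pnpm the agent string is npm's, so the real tool rejects.
only_allow_stub() {
  ONLY_ALLOW_RAN=1
  case "$1" in
    pnpm/*) return 0 ;;   # invoked by pnpm: accept
    *)      return 1 ;;   # any other agent (npm via npx): reject
  esac
}

# Guard as originally written: in CI it prints the skip message but exits 1
# (process.exit(1)). A non-zero status is "failure" to `||`, so only-allow
# runs anyway. Outside CI it also exits 1 to fall through to only-allow.
guard_original() {
  if [ "${CI:-}" = "true" ]; then
    echo "Skipping preinstall..."
    return 1
  fi
  return 1
}

# Guard as fixed: exit 0 in CI so `||` short-circuits and only-allow is
# genuinely skipped; locally still exit 1 so pnpm keeps being enforced.
guard_fixed() {
  if [ "${CI:-}" = "true" ]; then
    echo "Skipping preinstall..."
    return 0
  fi
  return 1
}

# run_preinstall GUARD CI_VALUE USER_AGENT
# Runs `GUARD || only-allow` the way the package.json script does and prints
# the observable outcome: "skipped", "enforced" or "rejected".
run_preinstall() {
  guard=$1; ci=$2; agent=$3
  ONLY_ALLOW_RAN=0
  rc=0
  # The guard runs in a subshell, as `node -e` would run in a child process,
  # so its exit status is exactly what `||` sees. CI is set only there.
  ( CI=$ci; "$guard" ) >/dev/null || only_allow_stub "$agent" || rc=$?
  if [ "$ONLY_ALLOW_RAN" -eq 0 ]; then
    echo skipped
  elif [ "$rc" -eq 0 ]; then
    echo enforced
  else
    echo rejected
  fi
}

# Constructed scenarios: CI with npm's agent string (the npx-inside-pnpm case
# from the commit message), and a local install driven by pnpm.
echo "original, CI=true, npm agent: $(run_preinstall guard_original true npm/10.0.0)"
echo "fixed,    CI=true, npm agent: $(run_preinstall guard_fixed true npm/10.0.0)"
echo "original, local,   pnpm agent: $(run_preinstall guard_original '' pnpm/11.1.1)"
echo "fixed,    local,   npm agent: $(run_preinstall guard_fixed '' npm/10.0.0)"
```

The first line reproduces the failure the commit describes (the skip message is printed, only-allow still runs and rejects npm's agent string); the second shows that exiting 0 in CI is enough to stop the `||` branch; the last two show that local installs still reach only-allow under both guards, so the fix does not weaken the pnpm enforcement it was meant to preserve.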
* feat: add @tanstack/intent agent skills for all packages
Scaffold agent-readable SKILL.md files via @tanstack/intent for AI coding
agents (Claude Code, Cursor, Copilot, etc.) to generate better code when
working with TanStack Devtools.
Skills added (9 total across 4 packages):
- devtools: app-setup, plugin-panel, production, marketplace
- event-bus-client: event-client, instrumentation, bidirectional
- devtools-vite: vite-plugin
- devtools-utils: framework-adapters (React, Vue, Solid, Preact)
Also includes:
- CI workflows for skill validation, staleness checks, and intent notifications
- Domain map, skill spec, and skill tree artifacts
- Intent CLI bin shim and package.json wiring
- README note for AI agent users
* ci: apply automated fixes
* ci: apply automated fixes (attempt 2/3)
* chore: add changeset for intent skills
* ci: apply automated fixes
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

3dd09a1e feat: add @tanstack/intent agent skills for all packages
Scaffold agent-readable SKILL.md files via @tanstack/intent for AI coding
agents (Claude Code, Cursor, Copilot, etc.) to generate better code when
working with TanStack Devtools.
Skills added (9 total across 4 packages):
- devtools: app-setup, plugin-panel, production, marketplace
- event-bus-client: event-client, instrumentation, bidirectional
- devtools-vite: vite-plugin
- devtools-utils: framework-adapters (React, Vue, Solid, Preact)
Also includes:
- CI workflows for skill validation, staleness checks, and intent notifications
- Domain map, skill spec, and skill tree artifacts
- Intent CLI bin shim and package.json wiring
- README note for AI agent users