Skip to content

Bump @scalar/openapi-to-markdown from 0.5.12 to 0.5.14 in the ci-cd group#902

Open
dependabot[bot] wants to merge 1 commit into
productionfrom
dependabot/npm_and_yarn/ci-cd-5897b1c291
Open

Bump @scalar/openapi-to-markdown from 0.5.12 to 0.5.14 in the ci-cd group#902
dependabot[bot] wants to merge 1 commit into
productionfrom
dependabot/npm_and_yarn/ci-cd-5897b1c291

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 9, 2026
edited
Loading

Bumps the ci-cd group with 1 update: @scalar/openapi-to-markdown.

Updates @scalar/openapi-to-markdown from 0.5.12 to 0.5.14

Changelog

Sourced from @​scalar/openapi-to-markdown's changelog.

0.5.14

0.5.13

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump @scalar/openapi-to-markdown in the ci-cd group
ef0f295 
Bumps the ci-cd group with 1 update: [@scalar/openapi-to-markdown](https://github.com/scalar/scalar/tree/HEAD/packages/openapi-to-markdown).


Updates `@scalar/openapi-to-markdown` from 0.5.12 to 0.5.14
- [Release notes](https://github.com/scalar/scalar/releases)
- [Changelog](https://github.com/scalar/scalar/blob/main/packages/openapi-to-markdown/CHANGELOG.md)
- [Commits](https://github.com/scalar/scalar/commits/HEAD/packages/openapi-to-markdown)

---
updated-dependencies:
- dependency-name: "@scalar/openapi-to-markdown"
  dependency-version: 0.5.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ci-cd
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 9, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 9, 2026

⚠️ No Changeset found

Latest commit: ef0f295

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 9, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
npm/@headlessui/tailwindcss 0.2.2 🟢 4.5
Details
CheckScoreReason
Code-Review🟢 4Found 12/30 approved changesets -- score normalized to 4
Maintained🟢 34 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Security-Policy⚠️ 0security policy file not detected
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@scalar/components 0.24.2 UnknownUnknown
npm/@scalar/helpers 0.6.0 UnknownUnknown
npm/@scalar/json-magic 0.12.12 UnknownUnknown
npm/@scalar/openapi-to-markdown 0.5.14 UnknownUnknown
npm/@scalar/snippetz 0.9.6 UnknownUnknown
npm/@scalar/types 0.9.6 UnknownUnknown
npm/@scalar/workspace-store 0.49.3 UnknownUnknown
npm/@vue/compiler-core 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/compiler-dom 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/compiler-sfc 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/compiler-ssr 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/reactivity 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/runtime-core 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/runtime-dom 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/server-renderer 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@vue/shared 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/postcss 8.5.14 🟢 6
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Security-Policy🟢 10security policy file detected
Code-Review⚠️ 1Found 3/29 approved changesets -- score normalized to 1
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
License🟢 10license file detected
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
SAST🟢 6SAST tool is not run on all commits -- score normalized to 6
npm/vue 3.5.34 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 5Found 9/18 approved changesets -- score normalized to 5
Maintained🟢 1030 commit(s) and 15 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
License🟢 10license file detected
Binary-Artifacts🟢 10no binaries found in the repo
Signed-Releases⚠️ -1no releases found
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Fuzzing⚠️ 0project is not fuzzed
Packaging🟢 10packaging workflow detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
npm/@scalar/openapi-to-markdown ^0.5.14 UnknownUnknown

Scanned Files

  • package-lock.json
  • workers/api/package.json

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​scalar/​openapi-to-markdown@​0.5.12 ⏵ 0.5.1499100100100 +1100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 9, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Low
Potential code anomaly (AI signal): npm @scalar/snippetz is 74.0% likely to have a medium risk anomaly

Notes: The JavaScript module is a request-to-Dart code generator. It does not itself execute requests or perform exfiltration, but it embeds largely untrusted request components directly into generated Dart source code without robust escaping and includes a special-case pathway that can inject raw Dart expressions when header values contain utf8.encode. Additionally, it always prints the response body in the generated program. Net: low direct malware likelihood in this JS code, but a meaningful supply-chain/code-generation injection and sensitive-data exposure risk if attacker-controlled inputs can reach the generator or if generated artifacts are handled in unsafe contexts.

Confidence: 0.74

Severity: 0.60

From: package-lock.jsonnpm/@scalar/openapi-to-markdown@0.5.14npm/@scalar/snippetz@0.9.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@scalar/snippetz@0.9.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code semver-patch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants