chore(deps): consolidated Dependabot batch 2026-06-29

[Weegy]

Consolidated Dependabot batch — 2026-06-29

Bundles all 12 Dependabot updates opened today into one branch. The Dependabot branches were stale relative to main (a naive merge would have reverted the recently added INSTALL_SUBSCRIPTION_CLIS=true in publish-images.yml), so every bump was applied surgically onto fresh main instead of merging the bot branches. Lockfiles were reconciled with npm install on node 22.22.3; @esbuild/@rollup platform entries are preserved (78 → 78 in both lockfiles).

What changed

Docker — node:22.22.3-slim → 22.23.1-slim (root + web-ui Dockerfiles).

GitHub Actions (major bumps, isolated commit e0558dd)

Action	From	To	Files
actions/checkout	v4	v7	auto-release, build, ci, desktop-apps, publish-images, release
actions/upload-artifact	v4	v7	desktop-apps
docker/setup-qemu-action	v3	v4	publish-images

npm — middleware: @anthropic-ai/sdk 0.101→0.106, @aws-sdk/client-s3 3.1057→3.1075 (root + harness-diagrams), @azure/msal-node 5.2.2→5.3.0, bonjour-service 1.3→1.4.2, prettier 3.8.2→3.9.1, vitest 4.1.8→4.1.9 (canvas-core).

npm — web-ui: react/react-dom 19.2.6→19.2.7, @types/react 19.2.15→19.2.17, @xyflow/react 12.11→12.11.1, @tailwindcss/postcss 4.3.0→4.3.1, @types/node 22.10.5→22.20.0, eslint-config-next 16.2.6→16.2.9.

Gates (local, node 22.22.3) — all green

• middleware: typecheck ✅ · lint ✅ (0 errors) · tests 3605 pass / 0 fail / 4 skip
• web-ui: typecheck ✅ · lint ✅ (0 errors) · i18n ✅ (1422 keys) · tests 162/162 · next build ✅

Risk assessment (incl. Codex / GPT-5 review)

All npm + Docker bumps are semver minor/patch within existing major ranges → LOW, confirmed by green gates. The only majors are the three GitHub Actions:

• checkout v4→v7 — LOW in practice. Every affected job runs on GitHub-hosted ubuntu/macos/windows-latest (node24-capable); no self-hosted runners. Codex rated MED only because it could not rule out self-hosted runners — verified none exist.
• upload-artifact v4→v7 — LOW. Uploads use name: omadia-installers-${{ matrix.os }} (unique per matrix OS), so the v4+ immutable / no-overwrite semantics are not hit.
• setup-qemu-action v3→v4 — LOW. Default pre-Buildx setup, no custom platforms/cache.

Known wrinkle (pre-existing): npm warns @omadia/integration-microsoft365 declares peer @azure/msal-node ^2.16.2 while root is now 5.3.0 (was 5.2.2 before). Not newly introduced; build + tests pass.

Highest-risk item: actions/checkout@v7 — the failure mode to watch is a job failing at checkout (before tests) on a runtime-incompatible runner. Mitigated here by all-hosted-latest runners.

Note on PR shape

Codex recommended splitting the three Actions majors into a separate PR (CI-platform regressions surface before project tests and are cleaner to revert in isolation). They are already in a single isolated commit (e0558dd) so they can be reverted on their own, or I can split them into a second PR on request.