* fix: bump npm deps to resolve Dependabot advisories
Resolve 8 open Dependabot alerts (all npm, in pnpm-lock.yaml) by bumping
the affected packages in pnpm-workspace.yaml and regenerating the lockfile:
- axios 1.15.2 -> 1.16.0 (catalog): CVE-2026-44494/44492/44490/44489
- tmp -> 0.2.6 (override): CVE-2026-44705 path traversal
- ws 8.x -> 8.20.1 (catalog + scoped override): CVE-2026-45736
- qs 6.14.2 -> 6.15.2 (override): CVE-2026-8723 DoS
- brace-expansion 5.0.5 -> 5.0.6 (override): CVE-2026-45149 DoS
brace-expansion and qs were pinned to their vulnerable versions in the
overrides block, so the pins had to be bumped directly. ws is scoped to
the 8.x major (ws@7.5.10 is below the vulnerable >=8.0.0 floor). All bumps
are semver-compatible patch/minor upgrades; no source changes required.
* fix: use named axios `create` import after 1.16.0 bump
axios 1.16.0 newly exposes `create` as a named export, so oxlint's
import/no-named-as-default-member rule now flags `axios.create(...)`.
That added one warning to @plane/services (7 > its --max-warnings=6
baseline) and to apps/web and apps/live, failing check:lint — surfaced
on this PR because the lockfile change busts Turbo's lint cache.
Switch the three `axios.create(...)` call sites to a named `{ create }`
import. `create` is a real value+type export in axios 1.16.0 (verified
via tsc). isCancel/CancelToken are left as `axios.*`: CancelToken is
only a type export (cannot be a value import under verbatimModuleSyntax)
and both were already counted within the existing baselines.
Verified locally: full `pnpm check:lint` (16/16) and `check:types`
(15/15) pass.
* chore(deps): replace dotenvx with dotenv and update dependency overrides
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: sort devDependencies in package.json files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* refactor: replace isomorphic-dompurify with sanitize-html
* dompurify fixes
* more fixes with fallback and title
* build
---------
Co-authored-by: Prateek Shourya <prateekshourya29@gmail.com>
* fix: robust way to handle socket connection and read from indexeddb cache when reqd
* fix: realtime sync working with failure handling
* fix: title editor added
* merge preview into fix/realtime-sync
* check
* page renderer props
* lint errors
* lint errors
* lint errors
* sanitize html
* sanitize html
* format fix
* fix lint
* chore: fix lint
* fix: constants check:lint command
* chore(lint): permit unused vars which begin w/ _
* chore: rm dead code
* fix(lint): more lint fixes to constants pkg
* fix(lint): lint the live server
- fix lint issues
* chore: improve clean script
* fix(lint): more lint
* chore: set live server process title
* chore(deps): update to turbo@2.5.5
* chore(live): target node22
* fix(dev): add missing ui pkg dependency
* fix(dev): lint decorators
* fix(dev): lint space app
* fix(dev): address lint issues in types pkg
* fix(dev): lint editor pkg
* chore(dev): moar lint
* fix(dev): live server exit code
* chore: address PR feedback
* fix(lint): better TPageExtended type
* chore: refactor
* chore: revert most live server changes
* fix: few more lint issues
* chore: enable ci checks
Ensure we can build + confirm that lint is not getting worse.
* chore: address PR feedback
* fix: web lint warning added to package.json
* fix: ci:lint command
---------
Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>