chore: bump deps (v1.0.33) #138

Merged
MishaKav merged 1 commit into main from chore/bump-deps-combined on Apr 18, 2026

@MishaKav MishaKav commented Apr 18, 2026

User description

Summary

Combines open Dependabot PRs into one verified bundle, plus pulls remaining patch bumps.

Closes #135, #136, #137.

  • typescript 5.9.3 → 6.0.3
  • @typescript-eslint/eslint-plugin + parser 8.57.0 → 8.58.2
  • eslint-plugin-jest 29.15.0 → 29.15.2
  • @types/node, prettier, ts-jest — latest patches
  • schneegans/dynamic-badges-action v1.7.0 → v1.8.0 (Node 24 runtime)

Skipped majors: @actions/core v3, @actions/github v9, strip-ansi v7 (ESM-only).

Note: #137 alone fails CI (peer conflict with eslint-plugin-jest@29.15.0); bundling with #136 resolves it.

Test plan

  • npm ci clean, 0 vulnerabilities
  • npm run all passes locally (build + format + lint + package + test, 67/67 tests)
  • CI "Update Coverage in README" green on this branch

🤖 Generated with Claude Code

Summary by cubic

Bumps dev dependencies in one bundle, upgrades to typescript 6, and updates the coverage badge workflow. Rebuilds the dist with transitive fixes and keeps CI green by aligning ESLint/Jest peer deps.

  • Dependencies
    • typescript → 6.0.3
    • @typescript-eslint/eslint-plugin + parser → 8.58.2
    • eslint-plugin-jest → 29.15.2
    • @types/node, prettier, ts-jest → latest patches
    • .github workflow: schneegans/dynamic-badges-action → v1.8.0 (Node 24 runtime)
    • Skipped majors: @actions/core v3, @actions/github v9, strip-ansi v7 (ESM-only)

Written for commit 2a25780. Summary will update on new commits.


CodeAnt-AI Description

Improve XML decoding and websocket payload handling while updating bundled dependencies

What Changed

  • XML input now detects its encoding from the file content, including UTF-8, UTF-16LE, and UTF-16BE, so short or binary XML chunks are decoded correctly
  • Strict XML parsing now reports an error when the XML declaration says one encoding but the stream uses another
  • WebSocket messages now respect a maximum payload size and close the connection when a message is too large, including compressed messages
  • Development dependencies and the coverage badge workflow were updated to current versions

Impact

✅ Fewer XML decoding failures
✅ Clearer strict XML errors
✅ Fewer oversized WebSocket messages


Combines Dependabot PRs #135, #136, #137 and pulls remaining patch bumps.

- typescript 5.9.3 → 6.0.3
- @typescript-eslint/eslint-plugin + parser 8.57.0 → 8.58.2
- eslint-plugin-jest 29.15.0 → 29.15.2
- @types/node, prettier, ts-jest to latest patches
- schneegans/dynamic-badges-action v1.7.0 → v1.8.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 18, 2026 13:52
codeant-ai Bot commented Apr 18, 2026

CodeAnt AI is reviewing your PR.



coderabbitai Bot commented Apr 18, 2026

Warning

Rate limit exceeded

@MishaKav has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 35 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 37 minutes and 35 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a03af06e-e044-480d-a68b-81b881f880da

📥 Commits

Reviewing files that changed from the base of the PR and between c480abe and 2a25780.

⛔ Files ignored due to path filters (3)
  • dist/index.js is excluded by !**/dist/**
  • dist/index.js.map is excluded by !**/dist/**, !**/*.map
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .github/workflows/update-coverage-in-readme.yml
  • CHANGELOG.md
  • package.json


Review Summary by Qodo

Bump dependencies to v1.0.33 with WebSocket and XML fixes

✨ Enhancement


Walkthroughs

Description
• Bump TypeScript 5.9.3 → 6.0.3 and ESLint plugin dependencies
• Update dev dependencies to latest patches (prettier, ts-jest, @types/node)
• Upgrade schneegans/dynamic-badges-action v1.7.0 → v1.8.0 for Node 24 runtime
• Fix WebSocket payload size validation and XML encoding detection in bundled dependencies
Diagram

```mermaid
flowchart LR
  A["Dev Dependencies"] -->|TypeScript 6.0.3| B["Updated Toolchain"]
  A -->|ESLint Plugins 8.58.2| B
  A -->|prettier, ts-jest patches| B
  C["Bundled Dependencies"] -->|WebSocket payload validation| D["Bug Fixes"]
  C -->|XML encoding detection| D
  E["GitHub Actions"] -->|dynamic-badges v1.8.0| F["Node 24 Support"]
  B --> G["v1.0.33 Release"]
  D --> G
  F --> G
```

File Changes

1. package.json Dependencies +8/-8

Update dev dependencies and version bump

• Bump version from 1.0.32 to 1.0.33
• Upgrade TypeScript from 5.9.3 to 6.0.3 (major version)
• Update @typescript-eslint/eslint-plugin and parser from 8.57.0 to 8.58.2
• Update eslint-plugin-jest from 29.15.0 to 29.15.2
• Patch updates for @types/node, prettier, and ts-jest to latest versions

package.json


2. .github/workflows/update-coverage-in-readme.yml ⚙️ Configuration changes +1/-1

Update dynamic-badges-action to v1.8.0

• Upgrade schneegans/dynamic-badges-action from v1.7.0 to v1.8.0
• Enables Node 24 runtime support for badge generation workflow

.github/workflows/update-coverage-in-readme.yml


3. CHANGELOG.md 📝 Documentation +8/-0

Add v1.0.33 release notes

• Add new entry for v1.0.33 release dated 2026-04-18
• Document bump of dev dependencies as the main change

CHANGELOG.md


4. dist/index.js 🐞 Bug fix +339/-93

Fix WebSocket, XML encoding, and JSON serialization bugs

• Add XML encoding detection with BOM-based and pattern-based heuristics in SAX parser
• Implement TextDecoder-based buffer handling for proper charset detection in WebSocket streams
• Add WebSocket payload size validation to prevent oversized messages
• Fix PerMessageDeflate decompression with configurable max payload size instead of hardcoded 4MB limit
• Add ByteParser fragment tracking and validation for WebSocket message assembly
• Improve JSON.stringify/parse with better BigInt handling and context.source feature detection
• Fix Agent, Client, and DispatcherBase constructor call ordering for proper options propagation

dist/index.js


5. dist/index.js.map Additional files +1/-1

...

dist/index.js.map



qodo-code-review Bot commented Apr 18, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)



Remediation recommended

1. Inflate stream not destroyed 🐞 Bug ☼ Reliability
Description
In PerMessageDeflate.decompress(), when the decompressed payload exceeds #maxPayloadSize, the
code calls the callback and drops the #inflate reference but never destroys the underlying
InflateRaw stream. This can retain native zlib resources longer than necessary and is a behavioral
regression in the oversized-message path.
Code

dist/index.js[R33345-33349]

+        if (this.#maxPayloadSize > 0 && this.#inflate[kLength] > this.#maxPayloadSize) {
+          callback(new MessageSizeExceededError())
          this.#inflate.removeAllListeners()
-          this.#inflate.destroy()
          this.#inflate = null
-
-          if (this.#currentCallback) {
-            const cb = this.#currentCallback
-            this.#currentCallback = null
-            cb(new MessageSizeExceededError())
-          }
          return
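
Review bot: The oversize branch drops `this.#inflate.destroy()` while still running `this.#inflate.removeAllListeners()` and `this.#inflate = null`, so the zlib stream is abandoned with no listeners instead of being torn down; keep the `destroy()` call ahead of the null assignment. The error is also now delivered through `callback(new MessageSizeExceededError())` before the cleanup lines run, so a throwing `callback` would leave the stream with its listeners attached; doing the cleanup first and invoking `callback` last avoids that. Because this is bundled output in dist/index.js, the change belongs in the upstream dependency followed by a rebuild, not in a hand edit here.
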
Evidence
The oversize branch calls callback(...), removes listeners, and sets this.#inflate = null
without calling a cleanup method like .destroy(), even though #inflate is a zlib stream created
via createInflateRaw(...) with event listeners attached.

dist/index.js[33321-33358]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution.

### Issue description
`PerMessageDeflate.decompress()` nulls out `this.#inflate` when the output exceeds `maxPayloadSize`, but it does not destroy/close the underlying `InflateRaw` stream.

### Issue Context
This logic lives in the bundled undici WebSocket permessage-deflate implementation inside `dist/index.js`.

### Fix Focus Areas
- Ensure the inflate stream is properly cleaned up in the oversize branch (e.g., call `this.#inflate.destroy()` before dropping the reference).
- Avoid leaving a live zlib stream running with all listeners removed.

### Fix Focus Areas (locations)
- dist/index.js[33321-33358]


@codeant-ai codeant-ai Bot added the size:XL This PR changes 500-999 lines, ignoring generated files label Apr 18, 2026
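
An added example (not code from undici or from this repository) of the cleanup the Qodo finding above asks for: a raw-inflate helper that enforces a decompressed-size cap and destroys the stream on every exit path. `boundedInflateRaw`, the error class and the sample buffers are assumptions made for illustration.

```javascript
const zlib = require('node:zlib')

// Hypothetical error class for this example; undici's own class is not reproduced.
class MessageSizeExceededError extends Error {}

// Inflate one raw-deflate payload, aborting once the output passes maxPayloadSize.
// A cap of 0 disables the check, matching the `> 0` guard in the reviewed hunk.
// Returns the stream so callers can inspect its state.
function boundedInflateRaw (compressed, maxPayloadSize, callback) {
  const inflate = zlib.createInflateRaw()
  const chunks = []
  let length = 0
  let done = false

  // Single exit path: detach listeners, destroy the stream, then report.
  const finish = (err, data) => {
    if (done) return
    done = true
    inflate.removeAllListeners()
    inflate.on('error', () => {}) // ignore errors raised after teardown
    inflate.destroy() // release the zlib handle before dropping the reference
    callback(err, data)
  }

  inflate.on('data', (chunk) => {
    length += chunk.length
    if (maxPayloadSize > 0 && length > maxPayloadSize) {
      finish(new MessageSizeExceededError(`inflated size exceeds ${maxPayloadSize} bytes`))
      return
    }
    chunks.push(chunk)
  })
  inflate.on('error', (err) => finish(err))
  inflate.on('end', () => finish(null, Buffer.concat(chunks, length)))
  inflate.end(compressed)
  return inflate
}

// Constructed sample input: 1 MiB of zeros deflates to about 1 KiB.
const bomb = zlib.deflateRawSync(Buffer.alloc(1 << 20))
const small = zlib.deflateRawSync(Buffer.from('hello'))

boundedInflateRaw(small, 64 * 1024, (err, data) => console.log('small:', err ?? data.toString()))
boundedInflateRaw(bomb, 64 * 1024, (err) => console.log('bomb:', err.message))
```

The cap is checked per output chunk, so the oversized input is rejected after roughly 80 KiB has been inflated instead of after the full 1 MiB.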

codeant-ai Bot commented Apr 18, 2026

CodeAnt AI finished reviewing your PR.

@MishaKav MishaKav merged commit 40d7aed into main Apr 18, 2026
5 checks passed
@MishaKav MishaKav deleted the chore/bump-deps-combined branch April 18, 2026 13:54

Copilot AI left a comment


Pull request overview

This PR bundles several Dependabot updates into a single release (v1.0.33), updating the project’s TypeScript/tooling stack and refreshing the packaged dist/ output used by the GitHub Action.

Changes:

  • Bump dev tooling dependencies (TypeScript 6.x, typescript-eslint, eslint-plugin-jest, prettier, ts-jest, @types/node, and related lockfile updates).
  • Regenerate dist/index.js to reflect updated transitive dependencies.
  • Update the “Update Coverage in README” workflow to use schneegans/dynamic-badges-action@v1.8.0 and record the release in CHANGELOG.md.

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated no comments.

Show a summary per file
| File | Description |
| --- | --- |
| package.json | Version bump to 1.0.33 and devDependency upgrades (TS 6, eslint tooling, prettier, ts-jest, etc.). |
| package-lock.json | Lockfile refresh to align resolved versions with the updated dependency set. |
| dist/index.js | Rebuilt bundled output incorporating updated transitive deps (e.g., sax/undici-related code paths). |
| CHANGELOG.md | Add 1.0.33 release entry noting dependency bumps. |
| .github/workflows/update-coverage-in-readme.yml | Bump schneegans/dynamic-badges-action to v1.8.0 (Node 24 runtime). |


codeant-ai Bot commented Apr 27, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:XL This PR changes 500-999 lines, ignoring generated files and removed size:XL This PR changes 500-999 lines, ignoring generated files labels Apr 27, 2026

codeant-ai Bot commented Apr 27, 2026

CodeAnt AI finished running the review.



codeant-ai Bot commented Apr 28, 2026

CodeAnt AI is running the review.



@codeant-ai codeant-ai Bot added size:XL This PR changes 500-999 lines, ignoring generated files and removed size:XL This PR changes 500-999 lines, ignoring generated files labels Apr 28, 2026

codeant-ai Bot commented Apr 28, 2026

CodeAnt AI finished running the review.

