fix: use trusted publishing, upgrade node to 22, upgrade pkgs, upgrade TS

[pantajoe]

Summary by cubic

Adopted npm Trusted Publishing with provenance and modernized the toolchain. Upgraded to Node 22 and refreshed TypeScript, ESLint (flat), Jest, and CI for secure releases and a smoother dev setup.

• Dependencies

  • Node 22.22.0 (.nvmrc, mise) and packageManager set to npm 11.7.
  • TypeScript 5.4; migrated to typescript-eslint 8 and ESLint flat config (added eslint.config.mjs, removed .eslintrc.js/.eslintignore); updated lint script.
  • Jest 30; updated tests to use toHaveBeenCalled* matchers.
  • Prettier 3 (.prettierrc) and VSCode formatting settings.
  • semantic-release and @semantic-release/* bumped; added .npmrc and publishConfig with provenance.

• CI/Release

  • GitHub Actions updated (checkout/setup-node v6, cache v5) and reads Node from .nvmrc.
  • Uses npm ci with NPM_TOKEN; runs tests and build.
  • Publishes via semantic-release with NPM_CONFIG_PROVENANCE and id-token permissions; installs latest npm required by Trusted Publishing.
  • Uploads npm logs on failure; removed coverage step.

^{Written for commit c17088b. Summary will update on new commits.}

[wiz-inc-1b28acba9b]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	1
SAST Findings	-
Software Management Findings	-
Total	1

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[cubic-dev-ai]

3 issues found across 19 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="eslint.config.mjs">

<violation number="1" location="eslint.config.mjs:34">
P2: `@/no-throw-literal` is an invalid rule name because no "@" plugin is configured, so ESLint will error with an unknown rule. Use the core or TypeScript rule name instead.</violation>
</file>

<file name="package.json">

<violation number="1" location="package.json:113">
P2: ESLint v9 requires Node >=18.18, but the package engine still advertises Node >=12. This upgrade makes linting fail for consumers or CI running Node 12/14/16. Either raise the Node engine range or stay on ESLint v8.x.</violation>
</file>

<file name=".github/workflows/node.yaml">

<violation number="1" location=".github/workflows/node.yaml:30">
P2: The node_modules cache key doesn’t include the Node version, so with Node now sourced from `.nvmrc` (22.22.0), a cache built on an older Node can be restored and break native dependencies. Include the Node version (e.g., hash of `.nvmrc`) in the cache key or avoid caching node_modules.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: @/no-throw-literal is an invalid rule name because no "@" plugin is configured, so ESLint will error with an unknown rule. Use the core or TypeScript rule name instead.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At eslint.config.mjs, line 34:

<comment>`@/no-throw-literal` is an invalid rule name because no "@" plugin is configured, so ESLint will error with an unknown rule. Use the core or TypeScript rule name instead.</comment>

<file context>
@@ -0,0 +1,47 @@
+      '@typescript-eslint/no-unsafe-declaration-merging': 'off',
+      '@typescript-eslint/no-unsafe-function-type': 'off',
+      '@typescript-eslint/no-explicit-any': 'off',
+      '@/no-throw-literal': 'warn',
+      '@typescript-eslint/naming-convention': [
+        'error',
</file context>

[cubic-dev-ai]

P2: ESLint v9 requires Node >=18.18, but the package engine still advertises Node >=12. This upgrade makes linting fail for consumers or CI running Node 12/14/16. Either raise the Node engine range or stay on ESLint v8.x.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 113:

<comment>ESLint v9 requires Node >=18.18, but the package engine still advertises Node >=12. This upgrade makes linting fail for consumers or CI running Node 12/14/16. Either raise the Node engine range or stay on ESLint v8.x.</comment>

<file context>
@@ -107,34 +110,28 @@
-    "eslint-plugin-promise": "^4.2.1",
-    "eslint-plugin-standard": "^5.0.0",
-    "eslint-plugin-vue": "^7.4.1",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "globals": "^17.0.0",
</file context>

[cubic-dev-ai]

P2: The node_modules cache key doesn’t include the Node version, so with Node now sourced from .nvmrc (22.22.0), a cache built on an older Node can be restored and break native dependencies. Include the Node version (e.g., hash of .nvmrc) in the cache key or avoid caching node_modules.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/node.yaml, line 30:

<comment>The node_modules cache key doesn’t include the Node version, so with Node now sourced from `.nvmrc` (22.22.0), a cache built on an older Node can be restored and break native dependencies. Include the Node version (e.g., hash of `.nvmrc`) in the cache key or avoid caching node_modules.</comment>

<file context>
@@ -2,56 +2,72 @@ name: Node.js CI
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version-file: .nvmrc
+
       - name: Cache node modules
</file context>

[charles-platform]

🎉 This PR is included in version 4.256.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀