chore(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /app

[dependabot]

Bumps typescript from 5.9.3 to 6.0.3.

Release notes

Sourced from typescript's releases.

TypeScript 6.0.3

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).
• fixed issues query for TypeScript 6.0.3 (Stable).

Downloads are available on:

• npm

TypeScript 6.0

For release notes, check out the release announcement blog post.

• fixed issues query for TypeScript 6.0.0 (Beta).
• fixed issues query for TypeScript 6.0.1 (RC).
• fixed issues query for TypeScript 6.0.2 (Stable).

Downloads are available on:

• npm

TypeScript 6.0 Beta

For release notes, check out the release announcement.

• fixed issues query for Typescript 6.0.0 (Beta).

Downloads are available on:

• npm

Commits

• 050880c Bump version to 6.0.3 and LKG
• eeae9dd 🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#...
• ad1c695 🤖 Pick PR #63368 (Harden ATA package name filtering) into release-6.0 (#63372)
• 0725fb4 🤖 Pick PR #63310 (Mark class property initializers as...) into release-6.0 (#...
• 607a22a Bump version to 6.0.2 and LKG
• 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
• 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
• e175b69 Bump version to 6.0.1-rc and LKG
• af4caac Update LKG
• 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[overcut-ai]

Completed Working on "Code Review"

✅ Review publishing complete. Posted comments from all chunks and submitted final review: COMMENT. Total comments: 2 across 1 files.

✅ Workflow completed successfully.

---

👉 View complete log

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/brace-expansion	5.0.6	🟢 7.3	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 11 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 9/22 approved changesets -- score normalized to 4 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/minimatch	10.2.5	🟢 5.9	Details Check Score Reason Code-Review ⚠️ 0 Found 1/28 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 8 6 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 8 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/semver	7.8.2	🟢 6.3	Details Check Score Reason Code-Review 🟢 7 Found 14/19 approved changesets -- score normalized to 7 Security-Policy 🟢 10 security policy file detected Maintained 🟢 8 10 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 8 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 9 SAST tool detected but not run on all commits
npm/typescript	6.0.3	🟢 8.1	Details Check Score Reason Maintained 🟢 10 24 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. License 🟢 10 license file detected Vulnerabilities 🟢 3 7 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(release-5.9): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Binary-Artifacts 🟢 10 no binaries found in the repo SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 38 contributing companies or organizations

Scanned Files

• app/package-lock.json

[overcut-ai]

Summary of posted review findings:

• 2 MAJOR issues identified (0 BLOCKER, 0 CRITICAL, 0 MINOR, 0 SUGGESTION, 0 PRAISE)
• Affected file(s): app/package-lock.json

Key themes:

1. Dependency compatibility risk: TypeScript was upgraded to 6.0.3 while resolved @typescript-eslint peer ranges still indicate <6.0.0, creating an unsupported lint/tooling combination.
2. Lockfile reproducibility drift across Linux environments: removal of explicit libc selectors on optional native packages may reduce deterministic binary resolution between glibc and musl systems.

Recommended next steps:

• Upgrade the typescript-eslint stack to versions that explicitly support TypeScript 6 (or keep TypeScript below 6 until that is done), then regenerate the lockfile.
• Regenerate package-lock.json with pinned npm/toolchain versions and validate clean installs in both glibc and musl environments to confirm reproducible native package resolution.

[overcut-ai]

[major]: Multiple findings report the same issue: lockfile installs TypeScript 6.0.3 while resolved @typescript-eslint packages still require peer "typescript": ">=4.8.4 <6.0.0" (including nested relocation under typescript-eslint). This is an unsupported toolchain combination that can cause lint/parser instability and CI failures.

Upgrade the typescript-eslint stack (and related @typescript-eslint packages) to versions that explicitly support TypeScript 6, or keep TypeScript below 6 until that upgrade; then regenerate package-lock.json so peer ranges align.

[overcut-ai]

[major]: Lockfile changes remove explicit libc constraints from optional native package entries (glibc vs musl), which can make binary resolution less reproducible between environments (e.g., CI vs Alpine runtime) and increase risk of native binary mismatch.

Regenerate lockfile with a pinned npm/toolchain version that preserves stable libc-aware metadata (or otherwise enforce deterministic install tooling), and validate clean installs on both glibc and musl environments.