deps: update tree-sitter-language-pack requirement from <1.6.3,>=0.6 to >=0.6,<1.8.2

[dependabot]

Updates the requirements on tree-sitter-language-pack to permit the latest version.

Release notes

Sourced from tree-sitter-language-pack's releases.

v1.8.1

[1.8.1] - 2026-05-13

Added

• E2E fixture coverage for: language alias resolution (shell→bash) via has_language / get_language / get_parser (3 fixtures); download edge cases — empty list, multiple-language, and unknown-language error path (3 fixtures); error-handling for 120KB sources and get_language("") (2 fixtures); and TypeScript function parsing (1 fixture). Brings fixture count from 403 to 412, covering 100% of the public download, get_*, and has_language surface across all 10 language bindings.

Fixed

• Node: getLanguage(name) now returns a real tree-sitter Language that new Parser().setLanguage(lang) accepts at runtime. The previous capsule shim used napi::bindgen_prelude::External::new (rejected by node-tree-sitter's UnwrapLanguage), wrote the External to __parser, and did not type-tag the value. Adopts alef v0.15.49 where the napi capsule codegen emits raw napi_create_external + napi_type_tag_object and reads property_name/type_tag from [crates.node.capsule_types].

• Python: PackConfig and ProcessConfig type hints now resolve to the .options dataclasses, fixing mypy --strict errors at every init(...) / process(...) call site (adopts alef #72).

• Python: restore SupportedLanguage as Literal[...] of all 306 grammars at tree_sitter_language_pack.SupportedLanguage. The symbol was dropped during the alef 0.15.x codegen migration and re-importing it raised ImportError in 1.8.0 (#121).

• Python: get_parser("python").parse(b"...") returns a real tree_sitter.Tree again instead of raising AttributeError. get_parser / get_language now return native tree_sitter.Parser / tree_sitter.Language instances via PyO3 capsule pass-through (alef v0.15.39 wires capsule_types through gen_bindings) (#121).

Changed

• CI pinned to Node 22 LTS across all workflows. tree-sitter@0.25.0 (the tree-sitter npm package) ships a binding.cc written against pre-C++20 stdlib (no std::ranges, concept, requires) and fails to compile against Node 24/26's V8 headers. Node 22 is the latest supported runtime until upstream node-tree-sitter updates its cflags_cc or ships prebuilds.
• CPD pre-commit hook and packages/java/pom.xml maven-pmd-plugin minimum-tokens bumped from 100 → 250: alef's java codegen emits ~200-token try/catch cleanup blocks on DownloadManager / LanguageRegistry. Refactoring the codegen to share a helper is tracked separately.

Changelog

Sourced from tree-sitter-language-pack's changelog.

1.8.1 - 2026-05-13

Added

• E2E fixture coverage for: language alias resolution (shell→bash) via has_language / get_language / get_parser (3 fixtures); download edge cases — empty list, multiple-language, and unknown-language error path (3 fixtures); error-handling for 120KB sources and get_language("") (2 fixtures); and TypeScript function parsing (1 fixture). Brings fixture count from 403 to 412, covering 100% of the public download, get_*, and has_language surface across all 10 language bindings.

Fixed

• Node: getLanguage(name) now returns a real tree-sitter Language that new Parser().setLanguage(lang) accepts at runtime. The previous capsule shim used napi::bindgen_prelude::External::new (rejected by node-tree-sitter's UnwrapLanguage), wrote the External to __parser, and did not type-tag the value. Adopts alef v0.15.49 where the napi capsule codegen emits raw napi_create_external + napi_type_tag_object and reads property_name/type_tag from [crates.node.capsule_types].

• Python: PackConfig and ProcessConfig type hints now resolve to the .options dataclasses, fixing mypy --strict errors at every init(...) / process(...) call site (adopts alef #72).

• Python: restore SupportedLanguage as Literal[...] of all 306 grammars at tree_sitter_language_pack.SupportedLanguage. The symbol was dropped during the alef 0.15.x codegen migration and re-importing it raised ImportError in 1.8.0 (#121).

• Python: get_parser("python").parse(b"...") returns a real tree_sitter.Tree again instead of raising AttributeError. get_parser / get_language now return native tree_sitter.Parser / tree_sitter.Language instances via PyO3 capsule pass-through (alef v0.15.39 wires capsule_types through gen_bindings) (#121).

Changed

• CI pinned to Node 22 LTS across all workflows. tree-sitter@0.25.0 (the tree-sitter npm package) ships a binding.cc written against pre-C++20 stdlib (no std::ranges, concept, requires) and fails to compile against Node 24/26's V8 headers. Node 22 is the latest supported runtime until upstream node-tree-sitter updates its cflags_cc or ships prebuilds.
• CPD pre-commit hook and packages/java/pom.xml maven-pmd-plugin minimum-tokens bumped from 100 → 250: alef's java codegen emits ~200-token try/catch cleanup blocks on DownloadManager / LanguageRegistry. Refactoring the codegen to share a helper is tracked separately.

1.8.0 - 2026-05-09

Added

• macOS x86_64 native binaries across all polyglot bindings (Python wheels, npm napi, Ruby gem, Maven JAR, NuGet, C FFI, Go FFI, libts-pack bottle) — restores Intel Mac coverage that was missing under the alef 0.11 transition
• Real Homebrew bottle protocol for both ts-pack (CLI) and libts-pack (FFI library) via brew install --build-bottle + brew bottle --json, replacing the prior synthetic tarball approach. Eight bottles per release across arm64_sequoia, sequoia, arm64_linux, x86_64_linux. brew install now pours instead of source-building
• libts-pack Homebrew formula bundling tree-sitter language pack as a C library (headers + dylib/so + static archive)
• Python sdist published to PyPI alongside the existing platform wheels
• E2E fixtures covering Kotlin package + class structure (kotlin_package_class_intel.json), Java package declarations (java_package_intel.json), and a process call exercising the typed extractions map (process_with_extractions.json)

Changed

• Migrated to alef 0.15.x (Jinja-based codegen) for all polyglot bindings — Python, TypeScript, Ruby, Go, Java, C#, Elixir, PHP, WASM
• WASM now ships the --target nodejs build to npm so consumers no longer hit the bundler-only import * from "env" failure on require()
• WASM coverage scoped to a curated 32-language subset to fit the 16 GB GitHub runner during builds

Fixed

• Intel: emit StructureKind::Module for Kotlin package_header and Java package_declaration so callers can build fully-qualified names for JVM languages (#112)
• Intel: resolve structure names via a fallback chain (name field → type_identifier → identifier → scoped_identifier) so Kotlin classes and Java/Kotlin packages no longer surface with null names (#111)
• Java: ship natives/{rid}/ entries inside the published JAR — actions/download-artifact produces nested artifact paths, and the previous staging loop preserved them, so every platform hit UnsatisfiedLinkError on load. Flatten via find and add presence/jar tf guard steps so the regression cannot ship silently again (#114)
• Bindings: surface extractions as a typed Map<String, ExtractionPattern> / Map<String, PatternResult> across Java, Python, Go, TypeScript, Ruby, PHP, C#, Elixir, FFI, and WASM (was Optional<String> on Java, blocking pattern extractions through the high-level API). Driven by the alef 0.12.4 codegen fix for AHashMap-typed fields (#115)
• C#: strip duplicate { lines emitted by alef 0.14.33 codegen so generated .cs files compile
• Ruby: regenerated native.rb no longer recurses into itself via define_singleton_method — magnus codegen now skips re-export when binding name matches the native module method
• Node: index.js now contains real platform-dispatch logic so require() resolves the correct .darwin-arm64.node/.linux-x64-gnu.node/etc. instead of failing on the un-suffixed bundle name
• WASM: drop bundler-only output, removing spurious 'env' module imports that broke require() from Node consumers
• Maven JAR previously missed linux-x86_64 natives because of stage-loop path mishandling; flatten artifact downloads and add a jar tf guard
• Hex.pm metadata.config size limit — exclude the parser sources tarball from the package
• PHP: fix broken crates/ts-pack-php/README.md links in root README.md — path moved to packages/php/README.md after alef migration (#106)
• PHP: fix .task/php.yml build, build:dev, and clean tasks pointing to removed crates/ts-pack-php/ — corrected to crates/ts-pack-core-php/ (#106)
• PHP: align packages/php/composer.json and packages/php/README.md package name to canonical Packagist vendor slug (kreuzberg/ not kreuzberg-dev/) (#106)

... (truncated)

Commits

• 33602ce ci(publish): re-enable Windows Node MSVC build matrix entries
• d5afc7b chore(alef): bump pin to 0.16.1 + regenerate bindings, docs, e2e
• 460168b fix(ci): use Tree.root_node() + Node.kind() in sdist smoke test
• 4e482d9 fix(ci): repair publish dry-run #2
• 96a1b3e fix(ci): repair publish dry-run failures
• c237625 fix(e2e): skip wolfram smoke across all bindings
• d6ff1e6 test(e2e/rust): run smoke tests serially to surface grammar crashes
• 2f06815 fix(ci): pass tslp ts_pack.h header path to build-go-ffi action
• d7d746c ci(rust): static-link all 305 grammars via TSLP_LANGUAGES=all
• 346298d fix(node): add build.rs to invoke napi_build::setup()
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

Roam Agent Review

Verdict: SAFE (risk_level low)

blast-radius 0/100 · ai-likelihood 14/100 · rule violations 0 · critique high-severity 0

Verdict: SAFE. All structural signals clean at the configured thresholds.

Next steps

• No structural concerns at the configured thresholds. Standard review still recommended.

---

_{Powered by roam-code — Apache 2.0, 100% local. Customize thresholds in .roam/rules.yml. Docs.}

[github-actions]

roam-code Analysis

Mode: incremental (changed-only) — base 7daec26c6a4f60b52c2ad2d9a4b86310b36067b3, 1 changed+dependent files

Health Score: 76/100 FAIR

health: Fair codebase (76/100) — 47 critical, 9 warnings, focus: god_components
pr-risk: Moderate risk (30/100) — review recommended (risk_level medium) (driver: test_coverage_low)

Health Metrics

Metric	Value
Health Score	76/100
Tangle Ratio	0%
Propagation Cost	0.0011
Total Issues	67

PR Risk

Metric	Value
Risk Score	30/100

Quality Gate: PASSED

Gate expression: health_score>=50

SARIF Upload

Metric	Value
Category	roam-code-self-analysis/self-analysis/py3.12
Results Uploaded	77

Full analysis output

health

{
  "_meta": {
    "cache_ttl_s": 300,
    "cacheable": true,
    "index_age_s": 3,
    "latency_ms": null,
    "response_tokens": 3916,
    "roam_version": "13.4",
    "timestamp": "2026-05-25T16:25:28Z"
  },
  "actionable_count": 12,
  "actionable_cycles": 2,
  "agent_contract": {
    "confidence": null,
    "facts": [
      "Fair codebase (76/100) — 47 critical, 9 warnings, focus: god_components",
      "health score 76",
      "tangle ratio 0.0",
      "0.0011 propagation cost findings",
      "issue count 67"
    ],
    "next_commands": [
      "Run `roam debt` to quantify the refactoring effort required",
      "Run `roam trends --days 30` to track the health score over time"
    ],
    "risks": []
  },
  "algebraic_connectivity": null,
  "algebraic_connectivity_available": false,
  "bottleneck_thresholds": {
    "p70": 838.8,
    "p90": 3292.7,
    "population": 855,
    "utility_multiplier": 1.5
  },
  "category_severity": {
    "bottlenecks": {
      "critical": 15,
      "info": 0,
      "warning": 0
    },
    "cycles": {
      "critical": 1,
      "info": 0,
      "warning": 1
    },
    "god_components": {
      "critical": 31,
      "info": 11,
      "warning": 8
    },
    "layer_violations": {
      "critical": 0,
      "info": 0,
      "warning": 0
    }
  },
  "command": "health",
  "cycles_actionable": 2,
  "cycles_total": 12,
  "framework_filtered": 0,
  "health_score": 76,
  "ignored_cycles": 10,
  "imported_coverable_lines": 0,
  "imported_coverage_files": 0,
  "imported_coverage_pct": null,
  "imported_covered_lines": 0,
  "index_status": {
    "dirty_files": 0,
    "fresh": false,
    "head_commit": "18e97fcb176a",
    "hint": "index latest commit 77e0c304d8ae != HEAD 18e97fcb176a — git-derived metrics (commits, churn, co-change, weather) may be stale. Run `roam index --force`.",
    "indexed_commit": "77e0c304d8ae"
  },
  "issue_count": 67,
  "list_counts": {
    "bottlenecks": 15,
    "cycle_break_suggestions": 1,
    "cycles": 12,
    "god_components": 50,
    "layer_violations": 0,
    "next_steps": 2,
    "score_breakdown": 5
  },
  "project": "roam-code",
  "propagation_cost": 0.0011,
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "severity": {
    "critical": 47,
    "info": 21,
    "warning": 9
  },
  "summary": {
    "actionable_cycles": 2,
    "algebraic_connectivity": null,
    "algebraic_connectivity_available": false,
    "category_severity": {
      "bottlenecks": {
        "critical": 15,
        "info": 0,
        "warning": 0
      },
      "cycles": {
        "critical": 1,
        "info": 0,
        "warning": 1
      },
      "god_components": {
        "critical": 31,
        "info": 11,
        "warning": 8
      },
      "layer_violations": {
        "critical": 0,
        "info": 0,
        "warning": 0
      }
    },
    "cycles_actionable": 2,
    "cycles_definition": "Cycle counts derived from `roam.graph.cycles.find_cycles(G, min_size=2)` on the symbol graph. `cycles_total` = all SCCs of size >= 2; `cycles_actionable` = SCCs spanning >=2 files AND no test files (same-file and test-only cycles are informational). Run `roam health` for the per-cycle breakdown.",
    "cycles_total": 12,
    "detail_available": true,
    "god_components": 50,
    "god_components_definition": "God components: symbols where `(in_degree + out_degree) > 20` from the `graph_metrics` table, with utility-aware severity bands (standard >50=CRITICAL >30=WARNING; utility >150=CRITICAL >90=WARNING). Run `roam health` for the per-symbol breakdown. Legacy aliases: `god_objects` (fingerprint), `god_classes` (rules).",
    "health_score": 76,
    "health_score_definition": "weighted geometric mean (0-100) of 5 sigmoid health factors: tangle_ratio, god_components, bottlenecks, layer_violations, file_health (+coverage if available).",
    "ignored_cycles": 10,
    "imported_coverage_files": 0,
    "imported_coverage_pct": null,
    "issue_count": 67,
    "partial_success": true,
    "preserved_list_truncations": {},
    "propagation_cost": 0.0011,
    "severity": {
      "critical": 47,
      "info": 21,
      "warning": 9
    },
    "tangle_ratio": 0,
    "tangle_ratio_definition": "fraction of symbols inside non-trivial SCCs; higher = more cyclic coupling.",
    "total_cycles": 12,
    "truncated": true,
    "verdict": "Fair codebase (76/100) — 47 critical, 9 warnings, focus: god_components",
    "warnings_out": [
      "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
    ]
  },
  "tangle_ratio": 0,
  "total_cycles": 12,
  "utility_count": 38,
  "version": "13.4",
  "warnings_out": [
    "health_algebraic_connectivity_warning:RuntimeWarning:algebraic_connectivity compute failed (ModuleNotFoundError): No module named 'numpy'; returning 0.0 sentinel — value is NOT a legitimate disconnected-graph reading"
  ]
}

pr-risk

{
  "_meta": {
    "cache_ttl_s": 60,
    "cacheable": true,
    "index_age_s": 4,
    "latency_ms": null,
    "response_tokens": 789,
    "roam_version": "13.4",
    "timestamp": "2026-05-25T16:25:29Z"
  },
  "actor": null,
  "agent_contract": {
    "confidence": null,
    "facts": [
      "Moderate risk (30/100) — review recommended (risk_level medium) (driver: test_coverage_low)",
      "risk score 30",
      "2 risk rank findings",
      "1 changed files",
      "1 lines added"
    ],
    "next_commands": [],
    "risks": [
      "pr-risk: moderate (30/100) on 7daec26c6a4f60b52c2ad2d9a4b86310b36067b3..HEAD — driver: test_coverage_low"
    ]
  },
  "author": null,
  "blast_radius_pct": 0,
  "bus_factor_risk": 0,
  "change_shape": "mixed",
  "changed_files": 1,
  "closest_historical_pattern": null,
  "closest_similarity": 0,
  "cluster_spread": 0,
  "clusters_touched": 0,
  "command": "pr-risk",
  "coupling_score": 0,
  "dead_code": [],
  "dead_exports": 0,
  "familiarity": {
    "avg_familiarity": 1,
    "files": [],
    "files_assessed": 0
  },
  "findings": [
    {
      "claim": "pr-risk: moderate (30/100) on 7daec26c6a4f60b52c2ad2d9a4b86310b36067b3..HEAD — driver: test_coverage_low",
      "confidence": "heuristic",
      "evidence": {
        "actor": null,
        "author": null,
        "blast_radius_pct": 0,
        "bus_factor_risk": 0,
        "changed_files_count": 1,
        "commit_range": "7daec26c6a4f60b52c2ad2d9a4b86310b36067b3..HEAD",
        "coupling_score": 0,
        "created_at_epoch": 1779726329,
        "diff_id": "229ef972219c",
        "familiarity_risk": 0,
        "file_list": [
          "pyproject.toml"
        ],
        "hotspot_score": 0,
        "label": "7daec26c6a4f60b52c2ad2d9a4b86310b36067b3..HEAD",
        "lines_added": 1,
        "lines_removed": 1,
        "minor_risk": 0,
        "novelty_score": 0,
        "reductive_change": false,
        "risk_level": "moderate",
        "risk_score": 30,
        "staged": false,
        "test_coverage_pct": 0,
        "top_driver": "test_coverage_low"
      },
      "finding_id_str": "pr-risk:composite-risk-score:229ef972219c",
      "kind": "pr-risk:composite-risk-score",
      "severity": "medium",
      "source_detector": "pr-risk",
      "source_version": "1.0.0",
      "subject_id": null,
      "subject_kind": "commit"
    }
  ],
  "hotspot_score": 0,
  "label": "7daec26c6a4f60b52c2ad2d9a4b86310b36067b3..HEAD",
  "layer_spread": 0,
  "layers_touched": 0,
  "lines_added": 1,
  "lines_removed": 1,
  "minor_risk": {
    "files": [],
    "files_assessed": 0,
    "minor_files": 0
  },
  "novelty_score": 0,
  "per_file": [
    {
      "blast": 0,
      "churn": 497,
      "is_test": false,
      "lines_added": 1,
      "lines_removed": 1,
      "path": "pyproject.toml",
      "symbols": 0
    }
  ],
  "project": "roam-code",
  "reductive_change": false,
  "reductive_discount_applied": false,
  "risk_level": "moderate",
  "risk_level_canonical": "medium",
  "risk_rank": 2,
  "risk_score": 30,
  "schema": "roam-envelope-v1",
  "schema_version": "1.1.0",
  "suggested_reviewers": [
    {
      "actor": "Cranot",
      "author": "Cranot",
      "lines": 342
    },
    {
      "actor": "dependabot[bot]",
      "author": "dependabot[bot]",
      "lines": 1
    }
  ],
  "summary": {
    "change_shape": "mixed",
    "changed_files": 1,
    "findings_count": 1,
    "lines_added": 1,
    "lines_removed": 1,
    "partial_success": false,
    "risk_level": "moderate",
    "risk_level_canonical": "medium",
    "risk_rank": 2,
    "risk_score": 30,
    "score_classification": "classified",
    "verdict": "Moderate risk (30/100) — review recommended (risk_level medium) (driver: test_coverage_low)"
  },
  "test_coverage_pct": 0,
  "total_clusters": 10693,
  "total_layers": 22,
  "version": "13.4",
  "warnings_out": []
}

---

roam-code analysis | Commands: health pr-risk