
chore(deps-dev): bump tree-sitter-go from 0.23.4 to 0.25.0#356

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/tree-sitter-go-0.25.0

Conversation

@dependabot dependabot bot commented on behalf of github Mar 7, 2026

Bumps tree-sitter-go from 0.23.4 to 0.25.0.

Release notes

Sourced from tree-sitter-go's releases.

v0.25.0

NOTE: Download tree-sitter-go.tar.gz for the complete source code.

Commits
  • 1547678 0.25.0
  • 3f912e9 chore: generate
  • 179ca03 feat: expose statement list
  • e25214e fix: allow the terminator to be omitted for the last element
  • edea6bf fix: give index expressions a dynamic precedence of 1
  • e1076e5 feat: support generic type aliases
  • 00a299e ci: update test failures, use macos-15
  • 93c2bb6 build: update bindings
  • 1496eb7 feat: use the new reserved rules api
  • c350fa5 ci: bump actions/checkout from 4 to 5
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Mar 7, 2026

greptile-apps bot commented Mar 7, 2026

Greptile Summary

This is a routine Dependabot bump of the tree-sitter-go dev dependency from 0.23.4 to 0.25.0. The version bump itself is straightforward — both package.json and package-lock.json are updated with the new version, and sub-dependencies (node-addon-api, node-gyp-build) are bumped accordingly.

However, the package-lock.json diff contains a noteworthy side effect: seven @optave/codegraph-* platform binary entries have their "integrity": "" placeholder fields removed. While empty strings were already invalid SRI hashes, removing them entirely means npm ci will now skip checksum verification for these packages. These changes are unrelated to the tree-sitter-go bump and should be tracked separately with proper SHA-512 hashes populated once the packages are correctly published to the registry.

Confidence Score: 3/5

  • Safe to merge once the unrelated integrity-field removal is understood and confirmed intentional; the core dependency bump itself is low-risk.
  • The tree-sitter-go bump itself is a standard dev-dependency upgrade with passing Dependabot compatibility. Score is reduced from 5 because the lockfile contains unrelated changes (removal of integrity fields for 7 internal platform binary packages) that weaken supply-chain verification and should not be bundled silently into a dependency bump PR.
  • package-lock.json — the removal of empty integrity fields for @optave/codegraph-* packages is unrelated to the stated purpose of this PR and warrants explicit acknowledgement.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[npm install] --> B[tree-sitter-go 0.25.0 installed]
    B --> C[node-addon-api v8.3.1]
    B --> D[node-gyp-build v4.8.4]
    A --> E[optave codegraph platform binaries]
    E -->|integrity field removed| F[No checksum verification by npm ci]

Comments Outside Diff (1)

  1. package-lock.json, lines 1649-1731

    Unrelated integrity-field removal bundled in dependency bump

    This PR removes the "integrity": "" field from seven @optave/codegraph-* platform binary packages (darwin-arm64, darwin-x64, linux-arm64-gnu, linux-arm64-musl, linux-x64-gnu, linux-x64-musl, win32-x64-msvc). These changes are completely unrelated to the tree-sitter-go version bump.

    While empty integrity strings were already incorrect (they are not valid SRI hashes), silently removing them means npm ci will now skip integrity verification for all these packages entirely. For packages resolved from a public registry, the integrity field is the primary tamper-protection mechanism.

    These packages should either have proper SHA-512 integrity hashes populated (by running npm install after the packages are correctly published to the registry with integrity hashes), or the reason these hashes are absent should be documented. Shipping a package-lock.json to production/CI without integrity hashes on your own native binaries weakens supply-chain security.

    Consider separating this cleanup into its own PR and ensuring the @optave/codegraph-* packages are published to npm with valid integrity hashes so the lockfile can reflect them correctly.

    Rule Used: CLAUDE.md

Last reviewed commit: af80f68

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/tree-sitter-go-0.25.0 branch 2 times, most recently from a2f915b to 4fad576 on March 7, 2026 11:13
Bumps [tree-sitter-go](https://github.com/tree-sitter/tree-sitter-go) from 0.23.4 to 0.25.0.
- [Release notes](https://github.com/tree-sitter/tree-sitter-go/releases)
- [Commits](tree-sitter/tree-sitter-go@v0.23.4...v0.25.0)

---
updated-dependencies:
- dependency-name: tree-sitter-go
  dependency-version: 0.25.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/tree-sitter-go-0.25.0 branch from 4fad576 to ca85f42 on March 7, 2026 11:22