
chore: replace deprecated standard-version with commit-and-tag-version#1557

Merged
TheLastCicada merged 2 commits into
v2-rc2from
chore/tier2-tier3-dep-updates
Mar 28, 2026

Conversation

@TheLastCicada TheLastCicada commented Mar 27, 2026

Contributor

standard-version has been deprecated since May 2022 and its transitive dependency on handlebars@4.7.8 has a known prototype pollution vulnerability (GHSA-2qvq-rjwj-gvw9). commit-and-tag-version is the actively maintained fork with identical CLI and config format.

  • Remove standard-version devDependency
  • Install commit-and-tag-version@12.7.1
  • Update 'release' script to use commit-and-tag-version
  • Rename 'standard-version' config key to 'commit-and-tag-version'

Note: Low Risk

Low risk: primarily dev tooling upgrades (release script and ESLint 10) plus small refactors/bugfixes in retry logic and variable initialization that should not affect runtime behavior beyond avoiding subtle bugs.

Overview
Replaces deprecated standard-version with commit-and-tag-version for releases (updates the release script, config key, and lockfile dependencies) to drop vulnerable transitive deps.

Upgrades to ESLint 10 (eslint/@eslint/js), simplifies eslint.config.mjs by removing the Babel parser, bumps ecmaVersion to 2025, adds preserve-caught-error as a warning, and refines per-file overrides for .cjs module type and approved dynamic-import exceptions.

Includes a few small code-quality tweaks driven by the lint upgrade (prefer const, remove unnecessary initializers) and fixes retry recursion to use retryCount + 1 (instead of mutating retryCount) in both v1 and v2 default-org-list loaders.

Written by Cursor Bugbot for commit bce41bc.
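The four migration steps listed in the description, as an added example that is not code from this PR or the project: a small Node script that audits a package.json object for the deprecated tool and produces the migrated manifest. The sample manifest is constructed, and the `^12.7.1` pin assumes npm's default caret save prefix for `commit-and-tag-version@12.7.1`.

```javascript
// Added example: audit and migrate a package.json from the deprecated
// standard-version to commit-and-tag-version (the steps the PR describes).
const DEPRECATED = 'standard-version';
const REPLACEMENT = 'commit-and-tag-version';
const REPLACEMENT_RANGE = '^12.7.1'; // assumption: npm's default caret prefix

// Report which migration steps still apply to a parsed package.json object.
function auditManifest(pkg) {
  const findings = [];
  if (pkg.devDependencies && DEPRECATED in pkg.devDependencies) {
    findings.push('devDependency on deprecated ' + DEPRECATED);
  }
  const release = (pkg.scripts && pkg.scripts.release) || '';
  if (/\bstandard-version\b/.test(release)) {
    findings.push("'release' script still invokes " + DEPRECATED);
  }
  if (DEPRECATED in pkg) {
    findings.push("config key '" + DEPRECATED + "' not renamed");
  }
  return findings;
}

// Return a migrated deep copy; the input object is left untouched.
function migrateManifest(pkg) {
  const out = JSON.parse(JSON.stringify(pkg));
  if (out.devDependencies && DEPRECATED in out.devDependencies) {
    delete out.devDependencies[DEPRECATED];
    out.devDependencies[REPLACEMENT] = REPLACEMENT_RANGE;
  }
  if (out.scripts && out.scripts.release) {
    out.scripts.release = out.scripts.release.replace(/\bstandard-version\b/g, REPLACEMENT);
  }
  if (DEPRECATED in out) {
    out[REPLACEMENT] = out[DEPRECATED]; // config format is identical, so the value carries over
    delete out[DEPRECATED];
  }
  return out;
}

// Constructed sample manifest resembling the pre-migration state.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  scripts: { release: 'standard-version --no-verify' },
  devDependencies: { 'standard-version': '^9.5.0', eslint: '^9.39.4' },
  'standard-version': { skip: { changelog: false } },
};

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(JSON.stringify(migrateManifest(SAMPLE_MANIFEST), null, 2));
```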

socket-security Bot commented Mar 27, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                         Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  eslint@9.39.4 ⏵ 10.1.0          89 (+1)                100            100      96           100
Added    commit-and-tag-version@12.7.1   98                     100            100      91           100
Updated  @eslint/js@9.39.4 ⏵ 10.0.1      100                    100            100      94           100

socket-security Bot commented Mar 27, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Alert (Action: Warn, Severity: Low)

Potential code anomaly (AI signal): npm yaml is 100.0% likely to have a medium risk anomaly

Notes: The code presents a standard, non-malicious NodeBase component used in YAML/JS conversion. The primary risk surface is the optional reviver and onAnchor callbacks provided by the user: if untrusted, these can execute arbitrary code or influence the transformed representation via applyReviver or the reviver itself. This is expected behavior for extensible YAML libraries; ensure callbacks come from trusted sources and sandbox or validate revivers where possible.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/commit-and-tag-version@12.7.1 → npm/yaml@2.8.3

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yaml@2.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Move CADT to eslint@10/@eslint-js@10 and remove @babel/eslint-parser,
which is not compatible with ESLint 10 in this codebase. Update flat
config for CJS/ESM edge cases, keep intentional dynamic imports exempt,
and clean up no-useless-assignment findings while preserving runtime
behavior verified by v1 and v2 integration test suites.
@TheLastCicada TheLastCicada merged commit 634e308 into v2-rc2 Mar 28, 2026
25 checks passed
@TheLastCicada TheLastCicada deleted the chore/tier2-tier3-dep-updates branch March 28, 2026 01:46