chore(deepsec): upgrade scanner

[chaliy]

What

Upgrade the DeepSec workspace dependency from 2.0.8 to 2.0.12 and refresh the pnpm lockfile.

Why

Pre-release maintenance requires running DeepSec on the latest published scanner before reviewing findings.

How

• Ran pnpm update deepsec@latest in .deepsec
• Verified pnpm install --frozen-lockfile and pnpm deepsec --version reports 2.0.12
• Ran DeepSec scan/process/report for project-id bashkit with local Codex
• Created tracking issues for the 24 DeepSec findings: [DeepSec][HIGH] Same-repo pull requests can run repository code with Doppler and LLM secrets #1847 through [DeepSec][BUG] Tool timeout parameter is ignored #1870

Risk

• Low
• Change is isolated to the DeepSec scanning workspace dependency metadata

Checklist

• Tests added or updated
• Backward compatibility considered
• just pre-pr passed

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	04b67fd	Commit Preview URL	Jun 05 2026, 12:23 AM

[Copilot]

Pull request overview

Upgrades the .deepsec/ scanning workspace to use the latest published DeepSec scanner, refreshing the pnpm lockfile so the repo’s security/maintenance workflow can run scans with the current toolchain.

Changes:

• Bump .deepsec workspace dependency deepsec from ^2.0.8 to ^2.0.12.
• Regenerate .deepsec/pnpm-lock.yaml to reflect the updated DeepSec dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
.deepsec/package.json	Updates the DeepSec workspace dependency version constraint.
.deepsec/pnpm-lock.yaml	Refreshes resolved versions/transitive dependencies for DeepSec 2.0.12.

Files not reviewed (1)

• .deepsec/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.