fix(grafana-datasource): resolve catalog review blockers (serialize-javascript + version stamp)
GitHub issue · Closed
Grafana’s catalog review of 0.1.1 failed with two hard errors. This fixes both (the remaining unsigned-plugin is expected pre-review; provenance/sponsorship are non-blocking 💡).
1. osv-scanner high severity — serialize-javascript
The review flagged serialize-javascript 6.0.2 (a build-only transitive dep of terser-webpack-plugin). 6.x has no patched release — GHSA-5c6j-r48x-rmvq (RCE) is fixed in 7.0.3, CVE-2026-34043 (DoS) in 7.0.5.
Forces serialize-javascript to 7.0.5 via an npm override. The lockfile change is surgical (only serialize-javascript upgraded, its transitive randombytes dropped; no new packages). npm run build verified green with 7.0.5.
2. packagecode-version-mismatch
The review reported source package.json (0.1.0) ≠ published plugin.json (0.1.1). Root cause: the release stamps the version (npm version) into the build only; the committed source stays 0.1.0 and src/plugin.json is the %VERSION% template, so the tagged source never matched the artifact.
Fix: the release now commits the stamped package.json + package-lock.json before tagging, and pushes only the tag (not main). The tag points at a commit whose package.json version equals the published plugin.json — exactly what the validator compares — while main stays free of release commits (per the existing convention). No recurring manual version bump.
Validation
- `npm run build` green with serialize-javascript 7.0.5; lockfile diff is only that package.
- `mise run release:check grafana-datasource` => `next: grafana-datasource@0.1.2, release? true`.
- `actionlint` clean.
Effect
Merging auto-cuts 0.1.2. The tagged source will have package.json = 0.1.2 and the patched lockfile; the binaries are still go1.26.4 with the provenance attestation (from #11283). Resubmit 0.1.2 with source URL https://github.com/tuist/tuist/tree/grafana-datasource@0.1.2/grafana-datasource.
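As an added illustration (not code from the Tuist repository), the script below models the two catalog checks this fix targets so they can be run before resubmission: it stamps the `%VERSION%` template the way the release does, compares the tagged `package.json` version against the published `plugin.json` (the `packagecode-version-mismatch` comparison), and confirms an npm `overrides` entry exists and that the lockfile actually resolves serialize-javascript to 7.0.5 or later. The sample `package.json`/lockfile/plugin contents, the plugin id and the function names are constructed for the example.

```python
import json

MIN_SERIALIZE_JS = (7, 0, 5)  # first release with both advisories fixed (per the review)

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def stamp_plugin_json(template_text, version):
    """Mimic the release step that fills the src/plugin.json %VERSION% template."""
    return json.loads(template_text.replace("%VERSION%", version))

def check_version_stamp(package_json, published_plugin):
    """packagecode-version-mismatch: tagged package.json must equal published plugin.json."""
    src, pub = package_json["version"], published_plugin["version"]
    return [] if src == pub else [f"packagecode-version-mismatch: source {src} != published {pub}"]

def check_serialize_javascript(package_json, lockfile):
    """osv-scanner blocker: an override must exist AND the lockfile must resolve >= 7.0.5."""
    findings = []
    if package_json.get("overrides", {}).get("serialize-javascript") is None:
        findings.append("serialize-javascript: no npm override pinning a patched version")
    # npm lockfile v2/v3 keys packages by their node_modules path
    entry = lockfile.get("packages", {}).get("node_modules/serialize-javascript")
    resolved = entry["version"] if entry else None
    if resolved is None or parse_version(resolved) < MIN_SERIALIZE_JS:
        findings.append(f"serialize-javascript: lockfile resolves {resolved}, need >= 7.0.5")
    return findings

def audit(package_json, lockfile, published_plugin):
    """Return the list of blockers; empty means both checks pass."""
    return check_version_stamp(package_json, published_plugin) + \
        check_serialize_javascript(package_json, lockfile)

# Constructed samples: the pre-fix state (0.1.1 review) and the post-fix state (0.1.2).
PLUGIN_TEMPLATE = '{"id": "example-datasource", "version": "%VERSION%"}'
BEFORE_PKG = {"name": "grafana-datasource", "version": "0.1.0"}
BEFORE_LOCK = {"lockfileVersion": 3,
               "packages": {"node_modules/serialize-javascript": {"version": "6.0.2"}}}
AFTER_PKG = {"name": "grafana-datasource", "version": "0.1.2",
             "overrides": {"serialize-javascript": "7.0.5"}}
AFTER_LOCK = {"lockfileVersion": 3,
              "packages": {"node_modules/serialize-javascript": {"version": "7.0.5"}}}

def run_samples():
    before = audit(BEFORE_PKG, BEFORE_LOCK, stamp_plugin_json(PLUGIN_TEMPLATE, "0.1.1"))
    after = audit(AFTER_PKG, AFTER_LOCK, stamp_plugin_json(PLUGIN_TEMPLATE, "0.1.2"))
    return before, after

if __name__ == "__main__":
    for label, findings in zip(("before", "after"), run_samples()):
        print(label, findings or "clean")
```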
🤖 Generated with Claude Code