Upgrade Three.js to latest and enforce version via package overrides

[Copilot]

The dependency updater was failing around the Three.js stack due to version drift across direct and transitive dependencies. This change aligns the repo on the latest Three.js line and enforces a single resolved version to avoid updater/runtime mismatch.

• Dependency alignment

  • Bumped three to 0.184.0 in direct dependencies.
  • Bumped @types/three to 0.184.0 to keep typings in lockstep.

• Resolution control

  • Added overrides entries for three and @types/three so transitive packages resolve consistently to the same version.

• Package metadata consistency

  • Updated README version references from 0.183 to 0.184 to match the actual dependency graph.

{
  "devDependencies": {
    "three": "0.184.0",
    "@types/three": "0.184.0"
  },
  "peerDependencies": {
    "three": "0.184.0"
  },
  "overrides": {
    "three": "0.184.0",
    "@types/three": "0.184.0"
  }
}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/@types/three	0.184.0	🟢 6.6	Details Check Score Reason Code-Review 🟢 9 Found 28/30 approved changesets -- score normalized to 9 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 9 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 Fuzzing ⚠️ 0 project is not fuzzed
npm/meshoptimizer	1.1.1	🟢 4.5	Details Check Score Reason Code-Review ⚠️ 0 Found 0/20 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/three	0.184.0	🟢 6.5	Details Check Score Reason Code-Review ⚠️ 2 Found 6/26 approved changesets -- score normalized to 2 Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Binary-Artifacts 🟢 5 binaries present in source code Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 10 all dependencies are pinned SAST 🟢 10 SAST tool is run on all commits Fuzzing ⚠️ 0 project is not fuzzed

Scanned Files

• package-lock.json

[Copilot]

Pull request overview

Upgrades the repository’s Three.js stack to r184 and pins resolution to prevent version drift between direct and transitive installs, keeping documentation in sync with the dependency graph.

Changes:

• Bumped three to 0.184.0 (peer + dev) and @types/three to 0.184.0 (dev).
• Added npm overrides to force consistent three / @types/three resolution in this repo.
• Updated README version references from 0.183 → 0.184.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

File	Description
package.json	Updates Three.js / typings versions and adds npm overrides to enforce a single resolved version.
package-lock.json	Regenerates lockfile to reflect Three.js r184 and deduped transitive three installs.
README.md	Updates displayed Three.js version badges/text to match r184.

[Copilot]

peerDependencies.three is pinned to an exact version (0.184.0). For a published library, this will force consumers to install exactly that version and will fail/ warn for patch releases (e.g. 0.184.1) even if compatible. Consider using a semver range (e.g. ^0.184.0 or >=0.184.0 <0.185.0) to allow compatible patch updates while still keeping devDependencies/overrides pinned for this repo.

Suggested change

	"three": "0.184.0"
	"three": ">=0.184.0 <0.185.0"

[Copilot]

overrides only affects dependency resolution for this repository when it is the install root; npm does not apply a dependency package’s overrides when your package is installed as a dependency. If the goal is to ensure downstream consumers also resolve a single three version, this won’t enforce it—only the peerDependencies contract can. Consider clarifying intent (repo-only) or adjusting version constraints/packaging strategy accordingly.

Suggested change

	"three": "0.184.0",
	"@types/three": "0.184.0"
	"three": "0.184.0"

[github-actions]

📸 Automated UI Screenshots

📋 Screenshots Captured (8)

#	Screenshot
1	01-splash-screen.png - 01 splash screen.png
2	02-intro-screen-menu.png - 02 intro screen menu.png
3	03-intro-screen-archetype-selector.png - 03 intro screen archetype selector.png
4	04-controls-screen.png - 04 controls screen.png
5	05-philosophy-screen.png - 05 philosophy screen.png
6	06-training-screen.png - 06 training screen.png
7	07-combat-screen-practice.png - 07 combat screen practice.png
8	08-combat-screen-versus.png - 08 combat screen versus.png

📦 Download Screenshots

📥 Download all screenshots from workflow artifacts

Screenshots are preserved as workflow artifacts for 30 days.

---

🤖 Generated by Playwright automation