
Security fixes and dependency updates#204

Merged
shellicar merged 1 commit into main from security/audit-2026-04-07 on Apr 6, 2026

Conversation

@shellicar
Owner

Security

| Severity | Advisory | Package | Fixed |
|---|---|---|---|
| High | GHSA-p9ff-h696-f583 | vite (via vitest) | >=6.4.2 |
| Moderate | GHSA-4w7w-66w2-5vf9 | vite (via vitest) | >=6.4.2 |

Both are path-traversal / arbitrary-file-read in Vite's dev server, exploitable only when the server is exposed via --host. Vite is a transitive dev dependency via vitest — no dev server is ever exposed here. Fixed via pnpm overrides in pnpm-workspace.yaml.

Dependencies (patch)

| Package | From | To |
|---|---|---|
| lefthook | ^2.1.4 | ^2.1.5 |
| @types/node | ^25.5.0 | ^25.5.2 |

Skipped (major)

  • typescript 5 → 6
  • esbuild 0.27 → 0.28
  • knip 5 → 6
  • npm-check-updates 19 → 20
  • @js-joda/core 5 → 6

Security:
- Add pnpm overrides for vite <=6.4.1 and >=6.0.0 <=6.4.1
  Fixes GHSA-p9ff-h696-f583 (high) and GHSA-4w7w-66w2-5vf9 (moderate)
  Both are path-traversal/file-read in Vite dev server, only exploitable
  when server is exposed via --host. Here vite is a transitive dev
  dependency via vitest — no dev server is ever exposed.

Dependencies (patch):
- lefthook ^2.1.4 -> ^2.1.5
- @types/node ^25.5.0 -> ^25.5.2 (all workspaces)

Skipped (major):
- typescript 5 -> 6, esbuild 0.27 -> 0.28, knip 5 -> 6
- npm-check-updates 19 -> 20, @js-joda/core 5 -> 6
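As an added check (not code from the PR or the project), a small TypeScript script that scans a pnpm lockfile for resolved vite versions still below 6.4.2, so that the override described above can be verified after `pnpm install`. The lockfile text it scans is constructed sample data, and the two-space-indented `packages:` key layout of lockfile v9 is an assumption.

```typescript
// Added example (not code from the PR or the project): check that a pnpm
// lockfile no longer resolves any vite version inside the advisory range,
// i.e. that the override to >=6.4.2 took effect transitively through vitest.
// Assumes pnpm lockfile v9 layout (two-space-indented "<name>@<version>:" keys).
// SAMPLE_LOCK is constructed data; its stale vite@6.4.1 entry is there to be flagged.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

overrides:
  vite@<=6.4.1: '>=6.4.2'

packages:
  vite@6.4.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  vite@8.0.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  vitest@4.1.2:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

function parseSemver(v: string): number[] {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric compare: a plain string compare would rank "6.4.10" below "6.4.2".
function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Every distinct version of `pkg` the lockfile resolves, ascending.
function resolvedVersions(lock: string, pkg: string): string[] {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const key = new RegExp(`^  ${escaped}@(\\d+\\.\\d+\\.\\d+)`);
  const found = new Set<string>();
  for (const line of lock.split('\n')) {
    const m = key.exec(line);
    if (m) found.add(m[1]);
  }
  return Array.from(found).sort(compareSemver);
}

// Versions still below the fixed release; an empty list means the override worked.
function vulnerableVersions(lock: string, pkg: string, fixedIn: string): string[] {
  return resolvedVersions(lock, pkg).filter(v => compareSemver(v, fixedIn) < 0);
}
```

Run it against the real `pnpm-lock.yaml` instead of `SAMPLE_LOCK` to confirm that `vulnerableVersions(lock, 'vite', '6.4.2')` is empty after the override.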
@shellicar shellicar added this to the 1.0 milestone Apr 6, 2026
@shellicar shellicar added bug Something isn't working dependencies Dependency updates labels Apr 6, 2026
@shellicar shellicar self-assigned this Apr 6, 2026
@shellicar shellicar requested a review from bananabot9000 April 6, 2026 19:14
@shellicar shellicar enabled auto-merge (squash) April 6, 2026 19:14
@shellicar shellicar removed the bug Something isn't working label Apr 6, 2026
Collaborator

@bananabot9000 bananabot9000 left a comment


Security fixes and dependency housekeeping 🍌

CVE overrides: Both vite advisories (GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9) covered by pnpm overrides forcing >=6.4.2. Belt and suspenders with two override patterns (both <=6.4.1 and >=6.0.0 <=6.4.1).

Notable: vite resolved to 8.0.5 (from 6.4.1) -- that's the Vite+ unification showing up transitively through vitest. Major version jump but vitest 4.1.2 supports it.

Other bumps: @types/node 25.5.0 -> 25.5.2, lefthook 2.1.4 -> 2.1.5. Routine.

Net -333 lines from lockfile cleanup. Always satisfying.

No source changes, no concerns.

Approved ✅

@shellicar shellicar merged commit 20b83d9 into main Apr 6, 2026
4 checks passed
@shellicar shellicar deleted the security/audit-2026-04-07 branch April 6, 2026 19:19