
fix: [SDK-4744] remove stale package-lock.json pinning vulnerable vitest#208

Merged
sherwinski merged 1 commit into
mainfrom
sherwin/sdk-4744-remove-stale-package-lock
Jun 3, 2026

Conversation

@sherwinski

Contributor

One Line Summary

Remove the leftover package-lock.json that pins a vulnerable vitest@3.0.9, clearing the critical Dependabot alert (CVE-2026-47429).

Motivation

Dependabot flagged a critical vulnerability (CVE-2026-47429 / GHSA-5xrq-8626-4rwp, CVSS 9.8) for vitest < 4.1.0. The repo's package.json already overrides vitest to a patched version (@voidzero-dev/vite-plus-test@0.1.21), but a stale package-lock.json — leftover from before the migration to bun (bun.lock) — still pinned vitest@3.0.9, which is the only source of the vulnerable pin.

Scope

  • Deletes package-lock.json only. bun.lock is the real lockfile and is unchanged.
  • No source/runtime code touched. Nothing references package-lock.json or npm ci in CI.
  • Upstream fix in web-shim-codegen (scripts/patch-repo.sh) stops future syncs from preserving stale lockfiles, so this won't regress.

Testing

  • Confirmed bun.lock is present and is the lockfile used by vp/CI.
  • Verified no references to package-lock.json / npm ci remain in the repo (only user-facing install docs).

Checklist

  • Resolves the critical Dependabot alert for vitest
  • No runtime/source changes

The repo migrated to bun (bun.lock) but a leftover package-lock.json
remained, pinning vitest@3.0.9 and triggering a Dependabot alert for
CVE-2026-47429 (GHSA-5xrq-8626-4rwp, critical). package.json already
overrides vitest to a patched version; the stale lockfile is the only
source of the vulnerable pin.
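The check described under Testing (is the npm lockfile really stale, and does it still pin the flagged package below the patched version?) can be scripted so it runs on every repository after a lockfile migration. The following is an added example, not code from this PR or the repository: a POSIX shell audit with constructed function names (`lockfile_pin`, `version_lt`, `audit_lockfiles`, `make_sample_repo`) and a constructed sample `package-lock.json` that mirrors the situation the PR describes. It reads the lockfile's `packages` map directly rather than trusting `package.json` overrides, because an override in `package.json` does nothing for a lockfile that a tool still consumes.

```shell
#!/bin/sh
# Added example (not from the PR): audit a checkout for a stale npm lockfile
# left behind after a migration to bun. Function names and the sample
# lockfile content below are constructed for this illustration.

# Print the version an npm lockfile (lockfileVersion 2/3 "packages" map)
# pins for a top-level package; print nothing if the package is absent.
lockfile_pin() {
  lock="$1"; pkg="$2"
  [ -f "$lock" ] || return 1
  # Match the exact key "node_modules/<pkg>": (the quotes and colon exclude
  # nested copies and lookalike names), then take the first "version" after it.
  awk -v key="\"node_modules/$pkg\":" '
    index($0, key) { inside = 1 }
    inside && /"version":/ {
      v = $0
      sub(/.*"version":[ \t]*"/, "", v)
      sub(/".*/, "", v)
      print v; exit
    }' "$lock"
}

# True (exit 0) when dotted version $1 is lower than $2, comparing up to
# three numeric components; pre-release suffixes are ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# Audit one repo directory. Prints a finding and returns:
#   0 no npm lockfile next to bun.lock (nothing to do)
#   1 stale package-lock.json pins $pkg below $fixed (the Dependabot case)
#   2 stale package-lock.json present, but $pkg is not pinned below $fixed
#   3 CI workflows still run "npm ci", so the lockfile is live, not stale
audit_lockfiles() {
  repo="$1"; pkg="$2"; fixed="$3"
  [ -f "$repo/bun.lock" ] && [ -f "$repo/package-lock.json" ] || return 0
  if [ -d "$repo/.github/workflows" ] && grep -rq 'npm ci' "$repo/.github/workflows"; then
    echo "package-lock.json is still consumed by CI (npm ci); not safe to delete"
    return 3
  fi
  pin=$(lockfile_pin "$repo/package-lock.json" "$pkg")
  if [ -n "$pin" ] && version_lt "$pin" "$fixed"; then
    echo "stale package-lock.json pins $pkg@$pin (< $fixed) despite bun.lock"
    return 1
  fi
  echo "stale package-lock.json present; $pkg pin is ${pin:-absent}"
  return 2
}

# Constructed fixture: a bun repo with a leftover npm lockfile pinning
# vitest@3.0.9. Prints the directory path.
make_sample_repo() {
  dir=$(mktemp -d)
  : > "$dir/bun.lock"
  cat > "$dir/package-lock.json" <<'EOF'
{
  "name": "sample",
  "lockfileVersion": 3,
  "packages": {
    "": { "devDependencies": { "vitest": "^3.0.0" } },
    "node_modules/@vitest/spy": { "version": "3.0.9", "dev": true },
    "node_modules/vitest": {
      "version": "3.0.9",
      "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.0.9.tgz",
      "dev": true
    }
  }
}
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run: build the fixture and audit it (expects finding 1).
sample=$(make_sample_repo)
audit_lockfiles "$sample" vitest 4.1.0
```

Run it against a real checkout with `audit_lockfiles /path/to/repo vitest 4.1.0`; a return of 3 is the important guard, since it means some workflow still runs `npm ci` and deleting the lockfile would break CI instead of cleaning up a stale pin.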
@sherwinski sherwinski requested a review from fadi-george June 3, 2026 04:09
@sherwinski sherwinski merged commit 817a213 into main Jun 3, 2026
4 checks passed
@onesignal-deploy

Collaborator

🎉 This PR is included in version 3.5.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

@sherwinski sherwinski deleted the sherwin/sdk-4744-remove-stale-package-lock branch June 3, 2026 04:29
