Skip to content

chore: clear all npm audit vulnerabilities (17 → 0)#2

Merged
Patel230 merged 1 commit into
mainfrom
chore/security-audit
Jun 8, 2026
Merged

chore: clear all npm audit vulnerabilities (17 → 0)#2
Patel230 merged 1 commit into
mainfrom
chore/security-audit

Conversation

@Patel230

@Patel230 Patel230 commented Jun 8, 2026

Copy link
Copy Markdown
Owner

Resolves all 17 npm audit findings. All affected packages are dev/build tooling — none ship to the browser, so there was no runtime exposure, but this brings the toolchain current and to 0 vulnerabilities.

Two passes

  1. npm audit fix (non-breaking) — patched transitive deps (ws, postcss, rollup, minimatch, lodash, js-cookie, flatted, ajv, brace-expansion, editorconfig). 17 → 7.
  2. Major dev-tooling upgrades for the rest. The "critical" vitest advisory (CVSS 9.8) only affects the vitest --ui server, which this project never runs:
Package From To
vite 5 8
vitest 1 4
vue-tsc 1 3
@vitejs/plugin-vue 5 6
@vue/test-utils 2.4 2.4.11
jsdom 24 29

Required fixes for the majors

  • vite.config.js: Vite 8 uses Rolldown, which requires manualChunks to be a function (object form is rejected). Rewrote to split vue/vue-router into the vendor chunk via id matching.
  • Added minimal tsconfig.json so npm run typecheck actually runs — it was a silent no-op before (no tsconfig ever existed). checkJs:false to avoid flooding the JS codebase. Passes clean.

Verification

npm audit0 vulnerabilities · lint ✅ · format ✅ · tests ✅ 8/8 · build (Vite 8) ✅ · typecheck ✅ · preview serves app/routes/GitHub-snapshots/images ✅

🤖 Generated with Claude Code

Two passes:
1. npm audit fix (non-breaking) — patched transitive deps (ws, postcss,
   rollup, minimatch, lodash, js-cookie, flatted, ajv, brace-expansion,
   editorconfig). 17 -> 7.
2. Major dev-tooling upgrades to clear the rest (all dev/build-only, none
   shipped to the browser; the "critical" vitest advisory only affected the
   `vitest --ui` server, which we never run):
     vite        5 -> 8
     vitest      1 -> 4
     vue-tsc     1 -> 3
     @vitejs/plugin-vue 5 -> 6
     @vue/test-utils    -> 2.4.11
     jsdom       24 -> 29

Required fixes for the majors:
- vite.config.js: Vite 8 uses Rolldown, which requires manualChunks to be a
  FUNCTION (the object form is rejected). Rewrote it to split vue/vue-router
  into the vendor chunk via id matching.
- Added a minimal tsconfig.json so `npm run typecheck` (vue-tsc) actually runs
  — previously a silent no-op since no tsconfig ever existed. checkJs:false to
  avoid flooding the JS codebase; type-checks .vue/.ts. Passes clean.

Verified: npm audit 0 vulnerabilities; lint/format/test(8)/build/typecheck all
pass; vite-8 build preview serves app, routes, GitHub snapshots, and images.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@Patel230, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 47 minutes and 4 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ca5c7f5f-e965-4d6e-bfa8-e3803826bce6

📥 Commits

Reviewing files that changed from the base of the PR and between 2c8280e and 407ed18.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • package.json
  • tsconfig.json
  • vite.config.js
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/security-audit

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Patel230 Patel230 merged commit 522ceec into main Jun 8, 2026
2 checks passed
@Patel230 Patel230 deleted the chore/security-audit branch June 8, 2026 09:24
Patel230 added a commit that referenced this pull request Jun 8, 2026
Two passes:
1. npm audit fix (non-breaking) — patched transitive deps (ws, postcss,
   rollup, minimatch, lodash, js-cookie, flatted, ajv, brace-expansion,
   editorconfig). 17 -> 7.
2. Major dev-tooling upgrades to clear the rest (all dev/build-only, none
   shipped to the browser; the "critical" vitest advisory only affected the
   `vitest --ui` server, which we never run):
     vite        5 -> 8
     vitest      1 -> 4
     vue-tsc     1 -> 3
     @vitejs/plugin-vue 5 -> 6
     @vue/test-utils    -> 2.4.11
     jsdom       24 -> 29

Required fixes for the majors:
- vite.config.js: Vite 8 uses Rolldown, which requires manualChunks to be a
  FUNCTION (the object form is rejected). Rewrote it to split vue/vue-router
  into the vendor chunk via id matching.
- Added a minimal tsconfig.json so `npm run typecheck` (vue-tsc) actually runs
  — previously a silent no-op since no tsconfig ever existed. checkJs:false to
  avoid flooding the JS codebase; type-checks .vue/.ts. Passes clean.

Verified: npm audit 0 vulnerabilities; lint/format/test(8)/build/typecheck all
pass; vite-8 build preview serves app, routes, GitHub snapshots, and images.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant