chore: clear all npm audit vulnerabilities (17 → 0)#2
Conversation
Two passes:
1. npm audit fix (non-breaking) — patched transitive deps (ws, postcss,
rollup, minimatch, lodash, js-cookie, flatted, ajv, brace-expansion,
editorconfig). 17 -> 7.
2. Major dev-tooling upgrades to clear the rest (all dev/build-only, none
shipped to the browser; the "critical" vitest advisory only affected the
`vitest --ui` server, which we never run):
vite 5 -> 8
vitest 1 -> 4
vue-tsc 1 -> 3
@vitejs/plugin-vue 5 -> 6
@vue/test-utils -> 2.4.11
jsdom 24 -> 29
Required fixes for the majors:
- vite.config.js: Vite 8 uses Rolldown, which requires manualChunks to be a
FUNCTION (the object form is rejected). Rewrote it to split vue/vue-router
into the vendor chunk via id matching.
- Added a minimal tsconfig.json so `npm run typecheck` (vue-tsc) actually runs
— previously a silent no-op since no tsconfig ever existed. checkJs:false to
avoid flooding the JS codebase; type-checks .vue/.ts. Passes clean.
Verified: npm audit 0 vulnerabilities; lint/format/test(8)/build/typecheck all
pass; vite-8 build preview serves app, routes, GitHub snapshots, and images.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 47 minutes and 4 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Two passes:
1. npm audit fix (non-breaking) — patched transitive deps (ws, postcss,
rollup, minimatch, lodash, js-cookie, flatted, ajv, brace-expansion,
editorconfig). 17 -> 7.
2. Major dev-tooling upgrades to clear the rest (all dev/build-only, none
shipped to the browser; the "critical" vitest advisory only affected the
`vitest --ui` server, which we never run):
vite 5 -> 8
vitest 1 -> 4
vue-tsc 1 -> 3
@vitejs/plugin-vue 5 -> 6
@vue/test-utils -> 2.4.11
jsdom 24 -> 29
Required fixes for the majors:
- vite.config.js: Vite 8 uses Rolldown, which requires manualChunks to be a
FUNCTION (the object form is rejected). Rewrote it to split vue/vue-router
into the vendor chunk via id matching.
- Added a minimal tsconfig.json so `npm run typecheck` (vue-tsc) actually runs
— previously a silent no-op since no tsconfig ever existed. checkJs:false to
avoid flooding the JS codebase; type-checks .vue/.ts. Passes clean.
Verified: npm audit 0 vulnerabilities; lint/format/test(8)/build/typecheck all
pass; vite-8 build preview serves app, routes, GitHub snapshots, and images.
Resolves all 17
npm auditfindings. All affected packages are dev/build tooling — none ship to the browser, so there was no runtime exposure, but this brings the toolchain current and to 0 vulnerabilities.Two passes
npm audit fix(non-breaking) — patched transitive deps (ws,postcss,rollup,minimatch,lodash,js-cookie,flatted,ajv,brace-expansion,editorconfig). 17 → 7.vitestadvisory (CVSS 9.8) only affects thevitest --uiserver, which this project never runs:Required fixes for the majors
vite.config.js: Vite 8 uses Rolldown, which requiresmanualChunksto be a function (object form is rejected). Rewrote to splitvue/vue-routerinto thevendorchunk via id matching.tsconfig.jsonsonpm run typecheckactually runs — it was a silent no-op before (no tsconfig ever existed).checkJs:falseto avoid flooding the JS codebase. Passes clean.Verification
npm audit✅ 0 vulnerabilities · lint ✅ · format ✅ · tests ✅ 8/8 · build (Vite 8) ✅ · typecheck ✅ · preview serves app/routes/GitHub-snapshots/images ✅🤖 Generated with Claude Code