build(deps): clear cli/ npm advisories (postcss, vite, esbuild)#117
Merged
Closes the three npm-side Dependabot alerts on cli/package-lock.json:

| Severity | Package | Before -> After | Advisory |
| -------- | ------- | --------------- | -------- |
| MEDIUM | postcss | 8.5.8 -> 8.5.14 | XSS via Unescaped </style> (GHSA-qx2v-qp2m-jg93) |
| MEDIUM | vite | 5.4.21 -> 6.4.2 | Dev-server response leak (GHSA-4w7w-66w2-5vf9) |
| MEDIUM | esbuild | 0.21.5 -> 0.25.12 | Dev-server CORS bypass (GHSA-67mh-4wv8-2f99) |

## Approach

- vitest direct: ^2 -> ^3. vitest@3 supports vite ^5/^6/^7; the override below pins it onto v6 transitively. Smaller migration than vitest@4 (which would force a major-major jump from v2). The test surface uses only describe/it/expect/beforeEach/vi.fn -- no v3 breaking changes exercised by this CLI's 101 tests.
- npm `overrides`:
  - `vite: ^6.4.2` -- forces vitest@3's transitive vite up from v5 to v6 (clears the vite advisory and pulls esbuild 0.25.x as a side effect).
  - `postcss: ^8.5.10` -- forces both tsup's and vite's transitive postcss onto a fixed line (8.5.14 ends up resolved). Without the override, tsup pins postcss@8.5.8 indirectly via postcss-load-config.
- esbuild needs no explicit override -- vite@6.4.2 already pulls esbuild@0.25.12, well past the 0.24.2 advisory ceiling.

## Scope

- `cli/package.json` + `cli/package-lock.json` only.
- No src changes -- pure build-tool dependency update.
- Independent of #114 (jwx v4) and #115 (Go-side deps); both are Go-only.

## Test plan

- [x] `npm install` -- clean, 0 vulnerabilities.
- [x] `npm test` -- 101/101 passing (~590ms).
- [x] `npm run typecheck` -- clean.
- [x] `npm run build` (tsup) -- ESM + d.ts artifacts produced.
- [x] `npm run lint` (eslint) -- clean.
- [x] `npm audit` -- 0 vulnerabilities found.
Contributor
Code Review
This pull request upgrades the testing framework vitest from version 2 to version 3 and updates its associated ecosystem. Key changes include upgrading vite to version 6 and postcss to version 8.5.14 via package overrides to ensure compatibility and security. The update also involves a significant refresh of internal dependencies such as esbuild, pathe, and various @vitest utility packages, while introducing new type definitions and helper libraries. Node.js engine requirements for several build tools have been bumped to version 18 or higher. I have no feedback to provide.
jalbrethsen-highflame approved these changes on May 5, 2026
## Summary

Closes the three remaining MEDIUM npm-side Dependabot alerts on cli/package-lock.json:

| Severity | Package | Before -> After | Advisory |
| -------- | ------- | --------------- | -------- |
| MEDIUM | postcss | 8.5.8 -> 8.5.14 | XSS via Unescaped </style> (GHSA-qx2v-qp2m-jg93) |
| MEDIUM | vite | 5.4.21 -> 6.4.2 | Dev-server response leak (GHSA-4w7w-66w2-5vf9) |
| MEDIUM | esbuild | 0.21.5 -> 0.25.12 | Dev-server CORS bypass (GHSA-67mh-4wv8-2f99) |

Pure dependency-manifest update — two files touched (`cli/package.json`, `cli/package-lock.json`), no src changes.

## Approach

- vitest direct: `^2` → `^3`. vitest@3 still allows `vite ^5 || ^6 || ^7` as a peer; the override below pins the resolution to v6. Going to vitest@3 instead of vitest@4 keeps this a single major jump rather than two — the CLI's 101 tests use only `describe`/`it`/`expect`/`beforeEach`/`vi.fn`, none of which see breaking changes between v2 and v3.
- `overrides` in `package.json`:
  - `vite: ^6.4.2` — forces vitest@3's transitive vite up from v5 (the vulnerable line) to v6.4.2+. Pulls a safe esbuild as a side effect (vite@6.4.2 ships with esbuild@0.25.12, well past the 0.24.2 advisory ceiling).
  - `postcss: ^8.5.10` — forces both tsup's (via postcss-load-config) and vite's transitive postcss onto the fixed line. Without it, tsup resolves to postcss@8.5.8.
- esbuild does not need its own override entry — bumping vite already lifts it past the advisory.

Final resolved tree:

## Scope

- `cli/package.json` + `cli/package-lock.json` only.

## Test plan

- `npm install` — clean install, 0 vulnerabilities.
- `npm test` (vitest run) — 101/101 passing (~590ms).
- `npm run typecheck` (tsc --noEmit) — clean.
- `npm run build` (tsup) — ESM + `.d.ts` artifacts produced.
- `npm run lint` (eslint) — clean.
- `npm audit` — 0 vulnerabilities found.

## After merge

Three of the eight outstanding default-branch Dependabot alerts will close. The remaining five are the four already addressed by #115 (mapstructure ×2, pgdriver, plus auto-clear once that PR merges) and the one HIGH docker/docker advisory documented in #115 as unactionable via `go get`.
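A lockfile check for the override approach described in the PR body, added here as an example that is not code from PR #117 or the project: it walks a lockfileVersion 2/3 `packages` map (where every nested copy is its own entry) and reports any copy of postcss, vite or esbuild still below the floor the overrides force. The postcss and vite floors are the PR's override ranges; the esbuild floor of 0.25.0 (first release past the cited 0.24.2 ceiling) and the sample lockfiles are assumptions constructed for the example.

```javascript
// Added example (not code from PR #117 or the project): audit a lockfile-v3
// "packages" map for installed copies of the advisory packages still below the
// versions the PR's overrides force. Floors follow the PR's override ranges; the
// esbuild floor (0.25.0, first release past the cited 0.24.2 ceiling) is an
// assumption. Lockfiles below are constructed from the PR's before/after table.
const FLOORS = { postcss: "8.5.10", vite: "6.4.2", esbuild: "0.25.0" };

// Numeric compare of dotted versions; a "-pre" suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys every installed copy by its node_modules path, so a
// nested duplicate such as node_modules/tsup/node_modules/postcss (the copy the
// PR says tsup pins without the override) is its own entry and gets checked too.
function findBelowFloor(lock, floors = FLOORS) {
  const offenders = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    const floor = floors[name];
    if (floor && entry.version && compareVersions(entry.version, floor) < 0) {
      offenders.push({ path, version: entry.version, floor });
    }
  }
  return offenders;
}

// Constructed lockfiles mirroring the PR table's before/after versions.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "cli", devDependencies: { vitest: "^2" } },
  "node_modules/vite": { version: "5.4.21" },
  "node_modules/esbuild": { version: "0.21.5" },
  "node_modules/postcss": { version: "8.5.8" },
  "node_modules/tsup/node_modules/postcss": { version: "8.5.8" },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "node_modules/vite": { version: "6.4.2" },
  "node_modules/esbuild": { version: "0.25.12" },
  "node_modules/postcss": { version: "8.5.14" },
} };

console.log(findBelowFloor(LOCK_BEFORE).map((o) => `${o.path}@${o.version}`));
```

To run it against the real file, replace the constructed objects with `JSON.parse(fs.readFileSync("cli/package-lock.json", "utf8"))`; an empty result is the same condition `npm audit` reported as 0 vulnerabilities for these three packages.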