Skip to content

fix(deps): sweep non-breaking transitive CVE fixes + bump react-router-dom#476

Merged
haksungjang merged 1 commit into
mainfrom
fix/dependabot-transitive-sweep
Jul 7, 2026
Merged

fix(deps): sweep non-breaking transitive CVE fixes + bump react-router-dom#476
haksungjang merged 1 commit into
mainfrom
fix/dependabot-transitive-sweep

Conversation

@haksungjang

Copy link
Copy Markdown
Contributor

What

Clears the bulk of the 30 open Dependabot alerts. Most were stuck because they live in transitive dependencies — Dependabot's security updates can't bump those without a compatible parent release, but npm audit fix (lockfile-only, no package.json change) resolves them.

Changes

  • apps/frontendnpm audit fix (10 → 4 advisories). Cleared undici, form-data, js-yaml, @babel/core (transitive). The remaining 4 are eslint / jsdom / ws — dev/test tooling, never shipped.
  • docs-sitenpm audit fix. Cleared undici, js-yaml, dompurify, http-proxy-middleware, joi, @babel/core (transitive). What remains is the Docusaurus build chain (serialize-javascript, webpack-dev-server, sockjs, uuid) whose only fixes are breaking-major bumps of Docusaurus internals — build tooling, not shipped.
  • react-router-dom 6.30.3 → 6.30.4 — the one genuinely runtime-facing fix (GHSA-2j2x-hqr9-3h42), applied explicitly; a within-6.x patch.

Net: undici (13 alerts) + ~9 other transitive + react-router resolved.

Not in this PR (handled separately)

  • weasyprint — no patched version published yet; nothing to bump. Track.
  • pytest (dev) — only fix is a major 8 → 9 bump; deferred to its own PR to absorb any test-suite breakage rather than ride this sweep.
  • Docs-site build-chain leftovers — to be dismissed with a reason (build tooling, no runtime exposure) rather than risk the docs build on breaking-major Docusaurus bumps.

Verification

Frontend typecheck + production build clean; docs-site build succeeds. Frontend unit tests are validated by CI — the suite does not run in the local sandbox (fails identically on clean main).

…r-dom

Clears the bulk of the open Dependabot alerts that were stuck because they sit
in TRANSITIVE dependencies — Dependabot's security updates can't bump those
without a compatible parent release, but `npm audit fix` (lockfile-only, no
package.json change) resolves them. Ran it in both npm workspaces:

- apps/frontend: 10 -> 4 advisories. Cleared undici, form-data, js-yaml,
  @babel/core (all transitive). Remaining 4 are eslint / jsdom / ws — dev/test
  tooling only, never shipped.
- docs-site: cleared undici, js-yaml, dompurify, http-proxy-middleware, joi,
  @babel/core (transitive). Remaining are the Docusaurus build chain
  (serialize-javascript, webpack-dev-server, sockjs, uuid) whose only fixes are
  breaking-major bumps of Docusaurus internals — build tooling, not shipped, to
  be dismissed with a reason rather than risk the docs build.

Plus the one genuinely runtime-facing fix, applied explicitly (not a
lockfile-only transitive): react-router-dom 6.30.3 -> 6.30.4 (GHSA-2j2x-hqr9-3h42,
a within-6.x patch).

Verified: frontend typecheck + production build clean; docs-site build succeeds.
Frontend unit tests are validated by CI (the suite does not run in the local
sandbox — it fails identically on clean main).
@haksungjang haksungjang merged commit 4b4d972 into main Jul 7, 2026
20 checks passed
@haksungjang haksungjang deleted the fix/dependabot-transitive-sweep branch July 7, 2026 06:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant