fix(deps): sweep non-breaking transitive CVE fixes + bump react-router-dom#476
Merged
Conversation
…r-dom Clears the bulk of the open Dependabot alerts that were stuck because they sit in TRANSITIVE dependencies — Dependabot's security updates can't bump those without a compatible parent release, but `npm audit fix` (lockfile-only, no package.json change) resolves them. Ran it in both npm workspaces: - apps/frontend: 10 -> 4 advisories. Cleared undici, form-data, js-yaml, @babel/core (all transitive). Remaining 4 are eslint / jsdom / ws — dev/test tooling only, never shipped. - docs-site: cleared undici, js-yaml, dompurify, http-proxy-middleware, joi, @babel/core (transitive). Remaining are the Docusaurus build chain (serialize-javascript, webpack-dev-server, sockjs, uuid) whose only fixes are breaking-major bumps of Docusaurus internals — build tooling, not shipped, to be dismissed with a reason rather than risk the docs build. Plus the one genuinely runtime-facing fix, applied explicitly (not a lockfile-only transitive): react-router-dom 6.30.3 -> 6.30.4 (GHSA-2j2x-hqr9-3h42, a within-6.x patch). Verified: frontend typecheck + production build clean; docs-site build succeeds. Frontend unit tests are validated by CI (the suite does not run in the local sandbox — it fails identically on clean main).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Clears the bulk of the 30 open Dependabot alerts. Most were stuck because they live in transitive dependencies — Dependabot's security updates can't bump those without a compatible parent release, but
npm audit fix(lockfile-only, nopackage.jsonchange) resolves them.Changes
apps/frontend—npm audit fix(10 → 4 advisories). Cleared undici, form-data, js-yaml, @babel/core (transitive). The remaining 4 are eslint / jsdom / ws — dev/test tooling, never shipped.docs-site—npm audit fix. Cleared undici, js-yaml, dompurify, http-proxy-middleware, joi, @babel/core (transitive). What remains is the Docusaurus build chain (serialize-javascript, webpack-dev-server, sockjs, uuid) whose only fixes are breaking-major bumps of Docusaurus internals — build tooling, not shipped.react-router-dom6.30.3 → 6.30.4 — the one genuinely runtime-facing fix (GHSA-2j2x-hqr9-3h42), applied explicitly; a within-6.x patch.Net: undici (13 alerts) + ~9 other transitive + react-router resolved.
Not in this PR (handled separately)
Verification
Frontend typecheck + production build clean; docs-site build succeeds. Frontend unit tests are validated by CI — the suite does not run in the local sandbox (fails identically on clean
main).