chore: update dependencies#116
Resolves the vite (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3 moderate) and dompurify (8 advisories, GHSA-cmwh-pvxp-8882 et al.) CVEs from issue #115. Both were confirmed still present on main. npm audit now reports 0 vulnerabilities and the VitePress build succeeds.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Patch bump from the outdated list in issue #115. Build succeeds and mermaid diagrams still render.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@e4a/pg-js is a devDependency that only pins the documented SDK version; it is not imported by the VitePress build (no code imports it, only markdown snippets reference it). The docs already describe 2.0.0+ API behavior (sdk/js-decryption.md, sdk/js-email-helpers.md), so this aligns the pinned version with the documented API. Build succeeds, 0 vulns.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Rules Dobby 2 — consolidated gatekeeper review (cycle 1)
Verdict: sign-off / approve. Posted as COMMENT only because GitHub blocks self-approval on a bot-authored PR — treat as approved, not as withholding.
Ran the full per-rule compliance sweep (78 org rules + 3 postguard-docs repo rules) against the diff via parallel Haiku sub-agents: all rules compliant, zero violations. The change is a clean dependency update — mermaid 11.15→11.16, @e4a/pg-js 1.10→2.1 (devDep), plus the security overrides (vite 6.4.3, dompurify 3.4.11) that clear the 10 advisories. It matches the documented postguard-docs override strategy, strict npm ci resolves with 0 vulns, and the docs build renders.
One non-blocking hardening nit inline (optional). It resolves correctly today and CI is green, so it does not block merge — flagged for the maintainer's discretion.
| "esbuild": "^0.25.0", | ||
| "vite": "^6.4.2" | ||
| "vite": "^6.4.3", | ||
| "dompurify": ">=3.4.11" |
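Review bot: the last line of this hunk pins dompurify with a bare lower bound (">=3.4.11"), which any later major would also satisfy and be forced onto mermaid; "^3.4.11" resolves to the same patched 3.4.11 today and caps the major. Separately, package.json cannot carry comments, so the reason each override exists (the advisories it clears, and which transitive parent, vitepress or mermaid, it works around) lives only in this PR; recording that in the repo's documented override strategy would let a maintainer tell when an override can be dropped once the parent ships a patched transitive.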
The dompurify override is an unbounded lower-bound range (>=3.4.11). A future dompurify 4.x would satisfy it and be force-resolved into mermaid (which declares ^3.3.3), risking a silent breaking bump on a routine npm install. Prefer ^3.4.11 — it still resolves to the patched 3.4.11 and clears all 10 advisories, but caps the major so mermaid can't be pulled onto an incompatible dompurify. Non-blocking: currently resolves correctly and build/CI pass with 0 vulns, but it's a one-character hardening (>= → ^).
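As an added example (not code from this PR or from the postguard-docs project), here is a small Node script that flags the pattern the inline comment describes: an overrides entry whose range is a bare lower bound, so a future major release would be force-resolved into a dependency that declared a caret range. The package.json it inspects is constructed inline to mirror the overrides in this diff, and the range evaluator is a deliberately minimal stand-in for npm's semver that covers only exact pins, caret ranges and >= bounds; it is not npm's own code.

```javascript
// Added example, not from the PR or the postguard-docs project.
// Inspect the "overrides" block of a package.json for lower-bound-only ranges
// such as ">=3.4.11": npm will honour them for any later major too, so a
// dependency that declared ^3.x can silently end up on 4.x after npm install.

// Constructed sample mirroring the overrides shown in the diff under review.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "constructed-sample",
  devDependencies: { mermaid: "^11.16.0", vitepress: "^1.0.0" },
  overrides: {
    esbuild: "^0.25.0",
    vite: "^6.4.3",
    dompurify: ">=3.4.11",
  },
});

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release and build tags are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Minimal evaluator for the range shapes that matter for overrides:
//   ">=X.Y.Z"  any version at or above X.Y.Z, with no upper bound
//   "^X.Y.Z"   at or above X.Y.Z and below the next breaking boundary
//              (next major for X>0, next minor for 0.Y.Z, next patch for 0.0.Z)
//   "X.Y.Z"    exact pin
// Anything else is reported as unsupported rather than guessed at.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith(">=")) return compare(v, parseVersion(r.slice(2))) >= 0;
  if (r.startsWith("^")) {
    const base = parseVersion(r.slice(1));
    if (compare(v, base) < 0) return false;
    if (base.major === 0 && base.minor === 0) {
      return v.major === 0 && v.minor === 0 && v.patch === base.patch;
    }
    if (base.major === 0) return v.major === 0 && v.minor === base.minor;
    return v.major === base.major;
  }
  if (/^\d/.test(r)) return compare(v, parseVersion(r)) === 0;
  throw new Error(`unsupported range shape: ${range}`);
}

// Return every override whose range is a bare ">=" or ">" bound with no
// "<" or "||" part, together with the caret form that keeps the same floor
// but caps the major (the one-character fix: ">=" -> "^").
function findUnboundedOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const overrides = pkg.overrides || {};
  const findings = [];
  for (const [name, range] of Object.entries(overrides)) {
    const r = String(range).trim();
    if (/^>=?\s*\d/.test(r) && !/[<|]/.test(r)) {
      const base = r.replace(/^>=?\s*/, "");
      findings.push({ name, range: r, suggested: `^${base}` });
    }
  }
  return findings;
}

function main() {
  for (const f of findUnboundedOverrides(SAMPLE_PACKAGE_JSON)) {
    console.log(`override "${f.name}": "${f.range}" has no upper bound; prefer "${f.suggested}"`);
  }
  // Show why the cap matters: a hypothetical 4.0.0 passes the >= range but not the caret.
  console.log("4.0.0 satisfies >=3.4.11:", satisfies("4.0.0", ">=3.4.11"));
  console.log("4.0.0 satisfies ^3.4.11: ", satisfies("4.0.0", "^3.4.11"));
}
main();
```

Run it as a pre-commit or CI step over the real package.json (replace SAMPLE_PACKAGE_JSON with the file contents); a non-empty findings list is the signal to tighten the range before the next routine install can pull a major bump through the override.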
Summary
Resolves the dependency updates from #115. All CVEs were confirmed still present on main before changing anything; each batch was built and audited.
CVEs (severity order)
- vite override in package.json ^6.4.2 → ^6.4.3 — fixes GHSA-fx2h-pf6j-xcff (high, server.fs.deny bypass) and GHSA-v6wh-96g9-6wx3 (moderate, launch-editor NTLM hash disclosure). vite is transitive via vitepress; the existing override was bumped.
- dompurify ">=3.4.11" override — fixes 8 advisories (GHSA-cmwh-pvxp-8882, -76mc-f452-cxcm, -hpcv-96wg-7vj8, -r47g-fvhr-h676, -rp9w-3fw7-7cwq, -x4vx-rjvf-j5p4, -vxr8-fq34-vvx9, -gvmj-g25r-r7wr). dompurify is transitive via mermaid.
- npm audit → 0 vulnerabilities after these.
Minor / patch
- mermaid ^11.15.0 → ^11.16.0. Diagrams still render (class="mermaid" present in dist).
Major (evaluated individually)
- @e4a/pg-js ^1.10.0 → ^2.1.0. This is a devDependency used only to pin the documented SDK version — it is not imported by the VitePress build (no code imports it; only markdown snippets reference it). The docs already document 2.0.0+ API behavior (sdk/js-decryption.md, sdk/js-email-helpers.md), so this aligns the pinned version with the documented API.
Verification
Replicated CI's exact steps (Dockerfile runs npm ci then npm run docs:build):
- npm ci → exit 0 (lockfile in sync)
- npm run docs:build → exit 0, build complete in ~7s
- npm audit → 0 vulnerabilities
Closes #115