Skip to content

fix(deps): resolve Dependabot security alerts#14

Merged
siracusa5 merged 1 commit into
mainfrom
c/stoic-ride-224a2a
Jun 5, 2026
Merged

fix(deps): resolve Dependabot security alerts#14
siracusa5 merged 1 commit into
mainfrom
c/stoic-ride-224a2a

Conversation

@siracusa5

Copy link
Copy Markdown
Collaborator

Resolves all 7 open Dependabot alerts across both standalone projects.

Changes

Manifest Fix Alerts
website/pnpm-lock.yaml next 15.5.15 → 15.5.19 (direct, ^15.5.18) #29, #30, #31, #32
website/pnpm-lock.yaml fast-xml-builder 1.1.5 → 1.2.0 (pnpm override @1) #25
website/pnpm-lock.yaml brace-expansion 5.0.5 → 5.0.6 (pnpm override @5, leaves 2.x untouched) #40
eval/pnpm-lock.yaml postcss 8.5.8 → 8.5.15 (pnpm override @8) #48

Notes

  • Both projects use standalone lockfiles (no root workspace); each was regenerated with pnpm install --lockfile-only --ignore-workspace and overrides live in each project's own package.json.
  • brace-expansion override is scoped to the v5 line so the unaffected brace-expansion@2.1.0 copy is left as-is.
  • Out of scope (not Dependabot alerts): pnpm audit surfaces additional transitive findings Dependabot did not open alerts for — qs/ws/fast-xml-parser/next>postcss in website, and vite/esbuild/vitest/yaml in eval. The eval set would require a major vitest bump (1.x → 3.x) with breaking-change risk, so it's deliberately left for a separate change.

Verification

  • pnpm audit --audit-level=moderate --ignore-workspace (both projects): none of the 7 Dependabot-targeted packages remain flagged
  • pnpm install --frozen-lockfile --ignore-workspace (both projects): passes
  • Relying on CI for build/test

🤖 Generated with Claude Code

website/ (standalone lockfile):
- next 15.5.15 → 15.5.19 (direct bump to ^15.5.18) — alerts #29, #30, #31, #32
- fast-xml-builder 1.1.5 → 1.2.0 (pnpm override) — alert #25
- brace-expansion 5.0.5 → 5.0.6 (pnpm override, v5 only) — alert #40

eval/ (standalone lockfile):
- postcss 8.5.8 → 8.5.15 (pnpm override) — alert #48

All seven open Dependabot alerts resolved; targeted packages no longer
appear in `pnpm audit`. Additional, non-Dependabot transitive findings
(qs/ws/fast-xml-parser in website; vite/esbuild/vitest/yaml in eval —
the latter requiring a major vitest bump) are out of scope for this
sweep and left unfixed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@siracusa5 siracusa5 merged commit 04dd1eb into main Jun 5, 2026
2 checks passed
@siracusa5 siracusa5 deleted the c/stoic-ride-224a2a branch June 5, 2026 05:04
siracusa5 added a commit that referenced this pull request Jun 5, 2026
…15)

Resolves the non-Dependabot vulnerabilities surfaced by `pnpm audit` after
the Dependabot sweep (PR #14). Both projects use standalone lockfiles.

website/ (all transitive, via pnpm overrides):
- postcss        >=8.5.10  (next > postcss)
- fast-xml-parser >=5.7.0  (@opennextjs/cloudflare > @aws-sdk)
- ws             >=8.20.1  (wrangler > miniflare > ws)
- qs             >=6.15.2  (@opennextjs/cloudflare > express > qs)

eval/:
- vitest 1.6 -> 4.1 (direct dev dep, major) — fixes bundled vite/esbuild;
  added explicit `vite@^7` devDep so the peer resolves (auto-installed peer
  was landing on a stale vite@5.4.21, unmet against vitest 4's ^6||^7||^8)
- yaml ^2.4 -> ^2.8.3 (direct) — CVE patched in 2.8.3
- fast-uri >=3.1.2 (override; ajv > fast-uri)

Verification:
- `pnpm audit --audit-level=low` (both): No known vulnerabilities found
- eval: 253 tests pass, `tsc --noEmit` clean
- website: production `next build` succeeds (36/36 pages)
- frozen-lockfile installs pass for both

The large eval lockfile diff is the expected churn from the vitest 1->4
major bump.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant