Skip to content

fix(deps): mitigate 4 dev-scope Dependabot alerts#574

Merged
Gregable merged 1 commit into
mainfrom
worktree-dependabot-mitigations
Jul 6, 2026
Merged

fix(deps): mitigate 4 dev-scope Dependabot alerts#574
Gregable merged 1 commit into
mainfrom
worktree-dependabot-mitigations

Conversation

@Gregable

@Gregable Gregable commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Resolves the 4 open Dependabot alerts (all development-scope — build tooling, nothing in the shipped client bundle).

Changes

Why the esbuild override is scoped

esbuild was on 0.25.10, below the vulnerable >=0.27.3, <0.28.1 range. Bumping vite to 7.3.6 pulls esbuild ^0.27.0 || ^0.28.0, which would otherwise land inside that window. The nested override pins vite's esbuild to the patched 0.28.1 while leaving storybook's unaffected 0.25.10 untouched (smallest blast radius).

Verification

  • npm test — 2045/2045 pass
  • npm run build — production build clean
  • npm run quality — biome + svelte-check, 0 errors
  • npm run build-storybook — confirms the uuid 9→11 major bump doesn't break storybook

Out of scope

npm audit surfaces 6 unrelated dev-dep issues (ws, cookie, ajv, brace-expansion, js-yaml, mostly via @sveltejs/kit) that are not in the Dependabot alert list. Left for a separate change.

https://claude.ai/code/session_017vg38CgQtBeoseFnkVtoXz

All four alerts are development-scope (build tooling, not shipped bundle):

- vite 7.3.2 -> ^7.3.6 (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3 med)
- uuid -> ^11.1.1 override (GHSA-w5hq-g745-h8pq med; transitive via storybook)
- vite's esbuild -> ^0.28.1 scoped override (GHSA-g7r4-m6w7-qqqr low)

The esbuild override is scoped to vite only: bumping vite drags esbuild
into the vulnerable >=0.27.3 window, so we pin vite's copy to the patched
0.28.1 while leaving storybook's unaffected 0.25.10 untouched.

Verified: 2045 tests pass, prod build + storybook build clean, biome +
svelte-check report 0 errors.

Claude-Session: https://claude.ai/code/session_017vg38CgQtBeoseFnkVtoXz
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying social-security-tools with  Cloudflare Pages  Cloudflare Pages

Latest commit: a96ba73
Status: ✅  Deploy successful!
Preview URL: https://a375dc4c.social-security-tools.pages.dev
Branch Preview URL: https://worktree-dependabot-mitigati.social-security-tools.pages.dev

View logs

@Gregable Gregable merged commit 3b01001 into main Jul 6, 2026
6 checks passed
@Gregable Gregable deleted the worktree-dependabot-mitigations branch July 6, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant