fix(deps): mitigate 4 dev-scope Dependabot alerts#574
Merged
Conversation
All four alerts are development-scope (build tooling, not shipped bundle): - vite 7.3.2 -> ^7.3.6 (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3 med) - uuid -> ^11.1.1 override (GHSA-w5hq-g745-h8pq med; transitive via storybook) - vite's esbuild -> ^0.28.1 scoped override (GHSA-g7r4-m6w7-qqqr low) The esbuild override is scoped to vite only: bumping vite drags esbuild into the vulnerable >=0.27.3 window, so we pin vite's copy to the patched 0.28.1 while leaving storybook's unaffected 0.25.10 untouched. Verified: 2045 tests pass, prod build + storybook build clean, biome + svelte-check report 0 errors. Claude-Session: https://claude.ai/code/session_017vg38CgQtBeoseFnkVtoXz
Deploying social-security-tools with
|
| Latest commit: |
a96ba73
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://a375dc4c.social-security-tools.pages.dev |
| Branch Preview URL: | https://worktree-dependabot-mitigati.social-security-tools.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves the 4 open Dependabot alerts (all development-scope — build tooling, nothing in the shipped client bundle).
Changes
^7.3.2→^7.3.6— fixes GHSA-fx2h-pf6j-xcff (high) and GHSA-v6wh-96g9-6wx3 (medium)^11.1.1— fixes GHSA-w5hq-g745-h8pq (medium); transitive via@storybook/addon-actions(onlyv4used, so not exploitable, but this clears it)vite > esbuild: ^0.28.1— fixes GHSA-g7r4-m6w7-qqqr (low)Why the esbuild override is scoped
esbuild was on
0.25.10, below the vulnerable>=0.27.3, <0.28.1range. Bumping vite to 7.3.6 pulls esbuild^0.27.0 || ^0.28.0, which would otherwise land inside that window. The nested override pins vite's esbuild to the patched0.28.1while leaving storybook's unaffected0.25.10untouched (smallest blast radius).Verification
npm test— 2045/2045 passnpm run build— production build cleannpm run quality— biome + svelte-check, 0 errorsnpm run build-storybook— confirms the uuid 9→11 major bump doesn't break storybookOut of scope
npm auditsurfaces 6 unrelated dev-dep issues (ws,cookie,ajv,brace-expansion,js-yaml, mostly via@sveltejs/kit) that are not in the Dependabot alert list. Left for a separate change.https://claude.ai/code/session_017vg38CgQtBeoseFnkVtoXz