Skip to content

chore(deps): fix all high-severity Dependabot alerts (vite, rollup, undici, flatted)#414

Closed
timdittler wants to merge 1 commit into
mainfrom
chore/fix-high-dependabot-vulns
Closed

chore(deps): fix all high-severity Dependabot alerts (vite, rollup, undici, flatted)#414
timdittler wants to merge 1 commit into
mainfrom
chore/fix-high-dependabot-vulns

Conversation

@timdittler

Copy link
Copy Markdown
Contributor

What

Resolves all 7 open high-severity Dependabot alerts in one PR by adding pnpm.overrides that force the patched version of each vulnerable transitive dependency. Ranges are capped to the current major line to avoid breaking-change major bumps.

Package From To (override) Alerts fixed
vite 7.1.12 >=7.3.2 <8 → 7.3.5 GHSA-p9ff-h696-f583 (arbitrary file read via dev-server WS), GHSA-v2wj-q39q-566r (server.fs.deny bypass)
rollup 4.52.5 >=4.59.0 <5 → 4.61.1 GHSA-mw96-cpmx-2vgc (arbitrary file write / path traversal)
undici 6.23.0 >=6.24.0 <7 → 6.26.0 GHSA-vrm6-8vpv-qv8q, GHSA-v9p9-hfj2-hcw8, GHSA-f269-vfmq-vjvj (WebSocket DoS / crash)
flatted 3.3.3 >=3.4.2 <4 → 3.4.2 GHSA-rf6f-7fwh-wjgh (prototype pollution)

All are transitive deps (vite/rollup via vitest, undici via @actions/github, flatted via eslint).

Why overrides

pnpm update was a no-op — parent packages keep the old versions satisfiable. pnpm.overrides is the clean single-PR way to force patched minimums across the tree. Ranges capped to current major so no behavioral major bumps slip in.

Changes

  • package.json — add pnpm.overrides
  • pnpm-lock.yaml — regenerated (also refreshes other in-range transitives)
  • dist/ — rebuilt via ncc; undici ships in the bundle through @actions/github, so the dist artifact must carry the fix

Verification

  • pnpm run lint — clean
  • pnpm test — 10/10 pass
  • pnpm run package — dist rebuilt, bundled undici is 6.26.0

🤖 Generated with Claude Code

Resolves all 7 open high-severity Dependabot alerts via pnpm overrides,
constrained to the current major line of each transitive dependency:

- vite    >=7.3.2 (GHSA-p9ff-h696-f583 arbitrary file read,
                   GHSA-v2wj-q39q-566r server.fs.deny bypass)
- rollup  >=4.59.0 (GHSA-mw96-cpmx-2vgc arbitrary file write/path traversal)
- undici  >=6.24.0 (GHSA-vrm6-8vpv-qv8q, GHSA-v9p9-hfj2-hcw8,
                    GHSA-f269-vfmq-vjvj WebSocket DoS/crash)
- flatted >=3.4.2 (GHSA-rf6f-7fwh-wjgh prototype pollution)

Lockfile regenerated and dist bundle rebuilt (undici ships in dist via
@actions/github). Lint clean, all tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@timdittler

Copy link
Copy Markdown
Contributor Author

Not needed. Did close the vulnerabilities instead

@timdittler timdittler closed this Jun 5, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 5, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant