Skip to content

fix(deps): bump postcss + ws; suppress vite + esbuild dev-only CVEs#124

Merged
mastermanas805 merged 1 commit into
mainfrom
fix/osv-scanner-clear-cves
May 21, 2026
Merged

fix(deps): bump postcss + ws; suppress vite + esbuild dev-only CVEs#124
mastermanas805 merged 1 commit into
mainfrom
fix/osv-scanner-clear-cves

Conversation

@mastermanas805

Copy link
Copy Markdown
Member

Summary

Clears OSV-Scanner on main by bumping the 2 in-semver CVEs and suppressing the 2 dev-only-no-prod-reach CVEs with documented rationale.

Bumped (transitive, via npm update)

Suppressed in osv-scanner.toml (dev-only, no prod exposure)

Justification

instanode-web ships a static GitHub Pages artifact. No Node runtime in prod. Dev-server vulns cannot reach users. Will lift the suppressions when vite is bumped to v7 (separate breaking-change PR).

Test plan

  • Local gate green (npm run gate): 43 files, 731 passed, 3 skipped, 0 failed
  • OSV-Scanner workflow green on PR
  • CI green
  • Pages deploy on merge

🤖 Generated with Claude Code

Clears OSV-Scanner on main by bumping the 2 in-semver CVEs and
suppressing the 2 dev-only-no-prod-reach CVEs with documented
rationale.

Bumped:
- postcss 8.5.9 -> 8.5.15 (GHSA-qx2v-qp2m-jg93, transitive of vite)
- ws (dev) 8.20.0 -> 8.20.1 (GHSA-58qx-3vcg-4xpx, transitive of jsdom)

Suppressed in osv-scanner.toml (dev-only, no prod exposure):
- GHSA-4w7w-66w2-5vf9 (vite dev-server path traversal in .map handling)
- GHSA-67mh-4wv8-2f99 (esbuild dev-server CORS)

Justification: instanode-web ships a static GitHub Pages artifact.
No Node runtime in prod. Dev-server vulns cannot reach users.
Will lift the suppressions when vite is bumped to v7 (separate
breaking-change PR).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mastermanas805 mastermanas805 merged commit f5364c7 into main May 21, 2026
7 of 8 checks passed
@mastermanas805 mastermanas805 deleted the fix/osv-scanner-clear-cves branch May 21, 2026 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants