Commit 6f28a77
Fix all Dependabot vulnerabilities (vitest 4, qs pin)

Two open advisories on the default branch:
- GHSA-5xrq-8626-4rwp (critical): vitest UI server arbitrary file
read/execute, fixed in 4.1.0. Bump `vitest`, `@vitest/coverage-v8`,
and `@vitest/ui` from ^3.2.4 to ^4.1.0 across all four manifests
(resolves to 4.1.8).
- GHSA-q8mj-m7cp-5q26 (moderate): `qs.stringify` DoS, fixed in 6.15.2.
Pin the transitive `qs` (via express/body-parser in the mcp-server)
through a yarn `resolutions` entry, matching the existing
`ip-address` pin.

vitest 4 now declares `vite` as a direct dependency (^6 || ^7 || ^8),
which led yarn 1 to resolve a second vite major and fail linking with
"could not find a copy of vite to link". Pin `vite` to ^6.0.1 in
`resolutions` so the whole tree shares the single hoisted vite 6.4.2
(in range for vitest and what the build already used).

vitest 4's `vitest/globals` no longer transitively pulls in @types/node,
so the core package's `types: ["vitest/globals"]` broke type-checking of
test files (`import assert from 'assert'`). Add "node", matching the
datetime and mcp-server tsconfigs which already list it.

Lint, type-check, and the full test suite (2215 + 104 + 12) pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent bd97ceb commit 6f28a77
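Added example (not part of the commit or the project's code): a Node.js check that a yarn v1 lockfile resolves the way the message above describes, with no `qs` or `vitest` entry below the fixed versions and a single `vite` major. The lockfile text, the versions 6.13.0 and 7.1.0 in it, and all function names are constructed for illustration.

```javascript
// Added example, not the project's code. Sample lockfiles are constructed; names are hypothetical.
const FLOORS = { vitest: '4.1.0', qs: '6.15.2' }; // fixed-in versions quoted in the commit message
const SINGLE_MAJOR = ['vite'];                    // packages that must resolve to one major
// Parse yarn v1 entries: an unindented `spec, spec:` header, then a two-space `version "x"` line.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      // Name is everything before the last '@' (scoped names begin with '@'; npm: aliases not handled).
      current = { name: specs[0].slice(0, specs[0].lastIndexOf('@')), specs, version: null };
      entries.push(current);
    } else if (current && /^  version "/.test(line)) {
      current.version = line.trim().slice('version "'.length, -1);
    }
  }
  return entries.filter((e) => e.version !== null);
}

// Compare the numeric major.minor.patch parts only (pre-release tags are ignored).
function cmp(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}

// Report entries below a floor and packages that resolve to more than one major.
function auditLock(text) {
  const findings = [];
  const majors = new Map();
  for (const e of parseYarnLockV1(text)) {
    if (Object.hasOwn(FLOORS, e.name) && cmp(e.version, FLOORS[e.name]) < 0) {
      findings.push(`${e.name}@${e.version} is below ${FLOORS[e.name]} (requested as ${e.specs.join(', ')})`);
    }
    if (SINGLE_MAJOR.includes(e.name)) majors.set(e.name, (majors.get(e.name) || new Set()).add(e.version.split('.')[0]));
  }
  for (const [name, set] of majors) {
    if (set.size > 1) findings.push(`${name} resolves to ${set.size} majors: ${[...set].sort().join(', ')}`);
  }
  return findings;
}

// Constructed lockfiles: before the `resolutions` pins, and after them.
const SAMPLE_BEFORE = ['# yarn lockfile v1', '', 'qs@6.13.0:', '  version "6.13.0"', '',
  'vite@^6.0.1:', '  version "6.4.2"', '', '"vite@^6.0.0 || ^7.0.0 || ^8.0.0":', '  version "7.1.0"', '',
  'vitest@^4.1.0:', '  version "4.1.8"', ''].join('\n');
const SAMPLE_AFTER = SAMPLE_BEFORE.replace(/6\.13\.0/g, '6.15.2').replace('"7.1.0"', '"6.4.2"');
console.log(auditLock(SAMPLE_BEFORE), auditLock(SAMPLE_AFTER));
```

Run against a real `yarn.lock` in CI, an empty result confirms that the pins took effect in the resolved tree rather than only in the manifests.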
6 files changed
Lines changed: 165 additions & 264 deletions
File tree
- packages
- expreszo-datetime
- expreszo-mcp-server
- expreszo
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
36 | | - | |
| 36 | + | |
37 | 37 | | |
38 | 38 | | |
39 | | - | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
40 | 42 | | |
41 | 43 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
47 | 47 | | |
48 | 48 | | |
49 | 49 | | |
50 | | - | |
| 50 | + | |
51 | 51 | | |
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
58 | | - | |
| 58 | + | |
59 | 59 | | |
60 | 60 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
51 | | - | |
| 51 | + | |
52 | 52 | | |
53 | 53 | | |
54 | 54 | | |
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
58 | | - | |
| 58 | + | |
59 | 59 | | |
60 | 60 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
120 | 120 | | |
121 | 121 | | |
122 | 122 | | |
123 | | - | |
124 | | - | |
| 123 | + | |
| 124 | + | |
125 | 125 | | |
126 | 126 | | |
127 | 127 | | |
| |||
137 | 137 | | |
138 | 138 | | |
139 | 139 | | |
140 | | - | |
| 140 | + | |
141 | 141 | | |
142 | 142 | | |
143 | 143 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
7 | | - | |
| 7 | + | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| |||