
Commit 6f28a77

Sander Toonenclaude
andcommitted
Fix all Dependabot vulnerabilities (vitest 4, qs pin)
Two open advisories on the default branch:

- GHSA-5xrq-8626-4rwp (critical): vitest UI server arbitrary file read/execute, fixed in 4.1.0. Bump `vitest`, `@vitest/coverage-v8`, and `@vitest/ui` from ^3.2.4 to ^4.1.0 across all four manifests (resolves to 4.1.8).
- GHSA-q8mj-m7cp-5q26 (moderate): `qs.stringify` DoS, fixed in 6.15.2. Pin the transitive `qs` (via express/body-parser in the mcp-server) through a yarn `resolutions` entry, matching the existing `ip-address` pin.

vitest 4 now declares `vite` as a direct dependency (^6 || ^7 || ^8), which led yarn 1 to resolve a second vite major and fail linking with "could not find a copy of vite to link". Pin `vite` to ^6.0.1 in `resolutions` so the whole tree shares the single hoisted vite 6.4.2 (in range for vitest and what the build already used).

vitest 4's `vitest/globals` no longer transitively pulls in @types/node, so the core package's `types: ["vitest/globals"]` broke type-checking of test files (`import assert from 'assert'`). Add "node", matching the datetime and mcp-server tsconfigs which already list it.

Lint, type-check, and the full test suite (2215 + 104 + 12) pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent bd97ceb commit 6f28a77

6 files changed

Lines changed: 165 additions & 264 deletions


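--- a/package.json
+++ b/package.json
@@ -33,9 +33,11 @@
 "typescript-eslint": "^8.15.0",
 "vite": "^6.0.1",
 "vite-plugin-dts": "^4.3.0",
-"vitest": "^3.2.4"
+"vitest": "^4.1.0"
 },
 "resolutions": {
-"ip-address": "^10.1.1"
+"ip-address": "^10.1.1",
+"qs": "^6.15.2",
+"vite": "^6.0.1"
 }
 }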
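Review bot: The two new `resolutions` entries carry no in-file rationale, although this manifest already records intent through a `_bundlesize_note` key; a sibling `_resolutions_note` stating that `qs` is forced to ^6.15.2 for GHSA-q8mj-m7cp-5q26, that `vite` is pinned so the tree shares one hoisted copy, and that `vite` must be bumped in `devDependencies` and `resolutions` together would keep the pins from being dropped or drifting in a later dependency update. An unqualified `"qs"` resolution also applies to every `qs` in the tree, not only the express/body-parser path the commit message names; as far as I can tell yarn 1 honours a resolution regardless of the requesting range, so if any other dependency still asks for a `qs` major below 6 it would be moved onto 6.15.x without a warning, which is worth confirming against the lockfile. Note that `resolutions` is yarn-specific, so a consumer installing with npm would not receive either pin.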

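--- a/packages/expreszo-datetime/package.json
+++ b/packages/expreszo-datetime/package.json
@@ -47,14 +47,14 @@
 },
 "devDependencies": {
 "@types/luxon": "^3.4.0",
-"@vitest/coverage-v8": "^3.2.4",
+"@vitest/coverage-v8": "^4.1.0",
 "@types/node": "^24.5.2",
 "cross-env": "^7.0.3",
 "rimraf": "^5.0.10",
 "terser": "^5.44.1",
 "typescript": "^5.9.2",
 "vite": "^6.0.1",
 "vite-plugin-dts": "^4.3.0",
-"vitest": "^3.2.4"
+"vitest": "^4.1.0"
 }
 }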

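--- a/packages/expreszo-mcp-server/package.json
+++ b/packages/expreszo-mcp-server/package.json
@@ -48,13 +48,13 @@
 },
 "devDependencies": {
 "@types/node": "^24.5.2",
-"@vitest/coverage-v8": "^3.2.4",
+"@vitest/coverage-v8": "^4.1.0",
 "cross-env": "^7.0.3",
 "rimraf": "^5.0.10",
 "tsx": "^4.20.5",
 "typescript": "^5.9.2",
 "vite": "^6.0.1",
 "vite-plugin-dts": "^4.3.0",
-"vitest": "^3.2.4"
+"vitest": "^4.1.0"
 }
 }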

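--- a/packages/expreszo/package.json
+++ b/packages/expreszo/package.json
@@ -120,8 +120,8 @@
 "@rollup/plugin-typescript": "^12.1.4",
 "@types/node": "^24.5.2",
 "@typescript/native-preview": "^7.0.0-dev.20250920.1",
-"@vitest/coverage-v8": "^3.2.4",
-"@vitest/ui": "^3.2.4",
+"@vitest/coverage-v8": "^4.1.0",
+"@vitest/ui": "^4.1.0",
 "cross-env": "^7.0.3",
 "eslint": "^9.15.0",
 "eslint-plugin-import": "^2.32.0",
@@ -137,7 +137,7 @@
 "typescript-eslint": "^8.15.0",
 "vite": "^6.0.1",
 "vite-plugin-dts": "^4.3.0",
-"vitest": "^3.2.4",
+"vitest": "^4.1.0",
 "vscode-languageserver-types": "^3.17.5"
 },
 "_bundlesize_note": "bundlesize measures gzipped sizes by default. The UMD bundle currently sits at ~45 KB gzipped; the 60 KB cap leaves ~33% headroom for incremental growth. The ESM entry is a thin re-export barrel, so we don't gate it (the real weight lives in dist/chunks/*.mjs). bundlesize is NOT wired into CI today; this field documents the intended budget.",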

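--- a/packages/expreszo/tsconfig.json
+++ b/packages/expreszo/tsconfig.json
@@ -4,7 +4,7 @@
 "outDir": "./dist",
 "rootDir": "./",
 "tsBuildInfoFile": "./dist/.tsbuildinfo",
-"types": ["vitest/globals"]
+"types": ["vitest/globals", "node"]
 },
 "include": [
 "src/**/*",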
