Skip to content

chore(deps): patch dompurify advisory and bump minors#40

Merged
jung-thomas merged 1 commit into
mainfrom
chore/dep-security-updates
Jun 26, 2026
Merged

chore(deps): patch dompurify advisory and bump minors#40
jung-thomas merged 1 commit into
mainfrom
chore/dep-security-updates

Conversation

@jung-thomas

Copy link
Copy Markdown
Contributor

Summary

Routine dependency hygiene pass — clears one moderate advisory and brings minor lines current.

docs/

  • mermaid ^11.12.3^11.16.0 — pulls in dompurify > 3.4.10, clearing GHSA-cmwh-pvxp-8882 (moderate)
  • vitest 4.1.84.1.9
  • vue ^3.5.29^3.5.39

solution/MyHANAApp/

  • @cap-js/cds-types ^0.16.0^0.18.0 (types-only devDep)

npm audit results

Project Before After
solution/MyHANAApp 0 0
docs 5 (1 high, 4 moderate) 4 (1 high, 3 moderate)

The 4 remaining advisories in docs/ are the esbuildvitevitepressvitepress-plugin-mermaid chain. All three vite/esbuild advisories affect only the dev server; the production build output (docs/.vitepress/dist/) is plain static HTML and is not vulnerable. The fixed Vite version is gated on VitePress 2.0, which is still in alpha (alpha-17 as of writing) — deferred until VitePress 2.0 GA.

Verification

  • docs: npm test → 23/23 pass on vitest 4.1.9
  • docs: npm run docs:build → completes cleanly in ~18s
  • solution/MyHANAApp: npx eslint . → unchanged from baseline (the 2 errors / 2 warnings in app/interaction_items/webapp/test/integration/* are pre-existing UI5 OPA fixtures, not introduced by this PR)

Not bumped (intentional)

  • @agentmarkup/vite 0.4.00.5.0 — pre-1.0 minor, deserves a changelog review in a follow-up PR rather than being slipped into a routine hygiene bump.

- docs: bump mermaid ^11.16.0 (pulls in dompurify >3.4.10, clears
  GHSA-cmwh-pvxp-8882), vitest 4.1.9, vue ^3.5.39
- solution: bump @cap-js/cds-types ^0.18.0 (types-only)

npm audit results:
- solution/MyHANAApp: 0 vulnerabilities
- docs: 5 -> 4 (dompurify cleared; remaining vite/esbuild/vitepress
  chain is dev-server-only and gated on vitepress 2.0 which is still
  alpha -- deferred)

Verified: docs npm test (23/23) and npm run docs:build pass; solution
npx eslint is unchanged from baseline (pre-existing UI5 OPA test
warnings only).

Not bumped: @agentmarkup/vite 0.4.0 -> 0.5.0 (pre-1.0 minor, needs
changelog review in a follow-up).

@rich-heilman rich-heilman left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@rich-heilman rich-heilman self-requested a review June 26, 2026 16:18
@jung-thomas jung-thomas merged commit d88700a into main Jun 26, 2026
4 checks passed
@jung-thomas jung-thomas deleted the chore/dep-security-updates branch June 26, 2026 16:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants