chore: upgrade all devDependencies and fix security vulnerabilities #6

Merged
ConsoleTVs merged 1 commit into main from chore/upgrade-dependencies on Apr 12, 2026
Conversation

@ConsoleTVs
Member

Summary

  • Fixes all 8 Dependabot security alerts (5 high, 3 moderate) by upgrading vulnerable dependencies
  • Upgrades all remaining devDependencies to their latest versions
  • Fixes 2 new lint errors from stricter oxlint 1.59.0 rules

Security Fixes

| Package | From | To | Severity | CVEs |
|---|---|---|---|---|
| vite | 8.0.2 | 8.0.8 | 3x high | fs.deny bypass, WebSocket file read, path traversal |
| happy-dom | 20.8.4 | 20.8.9 | 2x high | fetch credentials leak, code execution via module compiler |
| lodash | 4.17.23 | 4.18.0 | 1x high + 1x medium | code injection via _.template, prototype pollution |
| picomatch | 4.0.3 | 4.0.4 | 1x medium | method injection in POSIX character classes |
| brace-expansion | <=5.0.4 | patched | 1x moderate | zero-step sequence hang |

lodash and brace-expansion are transitive deps (via vite-plugin-dts → @microsoft/api-extractor and @vue/language-core respectively). picomatch was added as a direct override to ensure the patched version is used across all dependents.

Other Upgrades

| Package | From | To |
|---|---|---|
| @types/node | 25.5.0 | 25.6.0 |
| @vitest/coverage-v8 | 4.1.0 | 4.1.4 |
| oxfmt | 0.41.0 | 0.44.0 |
| oxlint | 1.56.0 | 1.59.0 |
| react | 19.2.4 | 19.2.5 |
| react-dom | 19.2.4 | 19.2.5 |
| solid-js | 1.9.11 | 1.9.12 |
| vite-plugin-solid | 2.11.11 | 2.11.12 |
| vitest | 4.1.0 | 4.1.4 |

Lint Fix

Added <typeof fetch> type parameter to two vi.fn(fetch) calls in query.test.ts to satisfy the require-mock-type-parameters rule newly enforced by oxlint 1.59.0.

Verification

  • npm audit → 0 vulnerabilities
  • npm run format:check → pass
  • npm run lint → 0 warnings, 0 errors
  • npm test → 61/61 tests pass
  • npm run build → successful
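As an added check (not code from this PR or the project), the following script walks a package-lock.json and reports every installed copy of a package patched here that is still below the fixed version, including copies nested under another package's node_modules, which is exactly the situation the picomatch override above is meant to rule out. The lockfile fragment and the package name `some-glob-tool` are constructed; the version floors come from the Security Fixes table (brace-expansion is omitted because the PR states no fixed version for it).

```javascript
// Added example, not part of the PR or the project: check a package-lock.json
// (lockfileVersion 2/3) so that every installed copy of a package patched in the
// PR, including copies nested under other packages' node_modules, meets the fix floor.

// Minimum fixed versions from the PR's Security Fixes table; brace-expansion is
// left out because the PR states no fixed version for it.
const FLOORS = { vite: "8.0.8", "happy-dom": "20.8.9", lodash: "4.18.0", picomatch: "4.0.4" };

// Compare dotted numeric versions; pre-release suffixes are ignored (assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// which keeps scoped names such as @vue/language-core intact.
function nameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Return every installed copy whose version is below its floor.
function findUnpatched(lock, floors = FLOORS) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (!lockPath || !meta.version) continue; // "" is the root project entry
    const floor = floors[nameFromPath(lockPath)];
    if (floor && compareVersions(meta.version, floor) < 0) {
      hits.push({ path: lockPath, version: meta.version, required: floor });
    }
  }
  return hits;
}

// Constructed lockfile fragment: hoisted patched copies next to two nested
// copies that are still below the floor (what an override should eliminate).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project", version: "0.0.0" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/vite": { version: "8.0.8" },
    "node_modules/some-glob-tool/node_modules/picomatch": { version: "4.0.3" },
    "node_modules/@microsoft/api-extractor/node_modules/lodash": { version: "4.17.23" },
  },
};
```

Run `findUnpatched(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))` against a real lockfile; an empty result means every copy, hoisted or nested, is at or above the patched version.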

Fixes all 8 Dependabot security alerts (5 high, 3 moderate):
- vite 8.0.2 -> 8.0.8 (3 CVEs: fs.deny bypass, WebSocket file read, path traversal)
- happy-dom 20.8.4 -> 20.8.9 (2 CVEs: fetch credentials, code execution)
- lodash 4.17.23 -> 4.18.0 (2 CVEs: prototype pollution, code injection via template)
- picomatch 4.0.3 -> 4.0.4 (method injection in POSIX character classes)
- brace-expansion -> patched (zero-step sequence hang)

Also upgrades non-vulnerable packages to latest:
- @types/node 25.5.0 -> 25.6.0
- @vitest/coverage-v8 4.1.0 -> 4.1.4
- oxfmt 0.41.0 -> 0.44.0
- oxlint 1.56.0 -> 1.59.0
- react 19.2.4 -> 19.2.5
- react-dom 19.2.4 -> 19.2.5
- solid-js 1.9.11 -> 1.9.12
- vite-plugin-solid 2.11.11 -> 2.11.12
- vitest 4.1.0 -> 4.1.4

Adds type parameter to vi.fn(fetch) calls to satisfy new oxlint
require-mock-type-parameters rule.
ConsoleTVs force-pushed the chore/upgrade-dependencies branch from cccff06 to f75a297 on April 12, 2026 18:31
ConsoleTVs merged commit ee6315c into main on Apr 12, 2026
6 checks passed