Skip to content

chore(deps): fix dependabot security alerts#244

Merged
michaeljymsgutierrez merged 1 commit into
developfrom
chore/fix-dependabot-security-alerts
Jun 30, 2026
Merged

chore(deps): fix dependabot security alerts#244
michaeljymsgutierrez merged 1 commit into
developfrom
chore/fix-dependabot-security-alerts

Conversation

@michaeljymsgutierrez

Copy link
Copy Markdown
Owner

Description

Fixes open Dependabot security alerts by upgrading vulnerable direct and transitive dependencies. Adds a resolutions field to packages/package.json to force safe versions of transitive packages (form-data, markdown-it) without adding them as direct dependencies. Uses resolutions.vite to resolve a yarn 1.x peer dependency hoisting conflict introduced by the vitest@4.1.0 upgrade. The esbuild alert (LOW severity, Windows-only) is intentionally excluded - its fix version (0.28.x) is a semver-breaking change and vite declares a peer on ^0.27.0, so forcing it risks breaking the build toolchain.

Github Issue: N/A

Changes

  • packages/package.json - upgraded vite from ^7.3.1 to ^7.3.5 (fixes HIGH severity CVE: dev server allows bypassing of server.fs.deny via encoded path)
  • packages/package.json - upgraded vitest from ^4.0.18 to ^4.1.0 (fixes CRITICAL severity CVE: allows arbitrary remote code execution via crafted test file)
  • packages/package.json - added resolutions.vite: "7.3.5" to resolve yarn 1.x peer dependency hoisting conflict between vitest@4.1.0 and vite
  • packages/package.json - added resolutions.form-data: "4.0.6" to pin transitive dep (fixes HIGH severity CVE: allows reading files outside intended directory)
  • packages/package.json - added resolutions.markdown-it: "14.2.0" to pin transitive dep (fixes MEDIUM severity CVE: ReDoS via crafted input)
  • packages/yarn.lock - updated to reflect resolved versions: vite@7.3.5, vitest@4.1.9, form-data@4.0.6, markdown-it@14.2.0

Screenshots/Images

N/A

How Has This Been Tested?

  • All 81 existing tests pass after upgrades (yarn test)
  • yarn install completes cleanly with resolutions applied - no peer dependency errors
  • Confirmed resolved versions in yarn.lock: form-data@4.0.6, markdown-it@14.2.0, vite@7.3.5, vitest@4.1.9

Checklist

  • Code follows the project's coding standards and best practices.
  • Existing tests pass.
  • Documentation is updated to reflect changes.
  • The PR is assigned to the correct reviewers.

Reviewer Guidance

  • Only packages/package.json and packages/yarn.lock are modified - no source or test changes
  • form-data and markdown-it are NOT added as direct dependencies - they are pinned only via resolutions (yarn 1.x mechanism for forcing transitive dep versions)
  • resolutions.vite is required to prevent yarn 1.x from failing to hoist a shared vite copy for both vite and vitest - without it, yarn throws Invariant Violation: could not find a copy of vite to link in vitest/node_modules
  • esbuild is intentionally NOT upgraded - its current version 0.27.3 satisfies vite's peer range ^0.27.0; upgrading to 0.28.x (the Dependabot fix version) would break that constraint and is classified as LOW severity / Windows-only

@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
arm-js-library-demo Ready Ready Preview, Comment Jun 30, 2026 5:54pm

@michaeljymsgutierrez michaeljymsgutierrez self-assigned this Jun 30, 2026
@michaeljymsgutierrez michaeljymsgutierrez added deps Dependency updates and version bumps chore Maintenance tasks, configs, and cleanups labels Jun 30, 2026
@michaeljymsgutierrez michaeljymsgutierrez merged commit f823754 into develop Jun 30, 2026
3 checks passed
@michaeljymsgutierrez michaeljymsgutierrez deleted the chore/fix-dependabot-security-alerts branch June 30, 2026 17:56
michaeljymsgutierrez added a commit that referenced this pull request Jun 30, 2026
- [c099dd9][michaeljymsgutierrez]: Updated release version from v2.9.0 to v2.9.1 - 2026-07-01 02:27:36
- [9ca0c99][Chael Gutierrez]: fix(deploy): rename release branch prefix to releases to avoid ref collision (#245) - 2026-07-01 02:26:00
- [f823754][Chael Gutierrez]: chore(deps): fix dependabot security alerts - upgrade vite, vitest, form-data and markdown-it (#244) - 2026-07-01 01:55:56
- [2fcec47][Chael Gutierrez]: chore(deploy): add pre-flight checks, dry-run mode, canary sync, path safety and fail-fast (#243) - 2026-07-01 01:36:47
- [8cf2be1][Chael Gutierrez]: test(units): improve test structure and expand coverage across all unit modules (#242) - 2026-07-01 00:38:33
- [81e929f][Chael Gutierrez]: docs(contributing): add branch purposes, flow diagram, and toc updates (#241) - 2026-06-29 02:27:20
- [9e02459][Chael Gutierrez]: docs(contributing): add CONTRIBUTING.md and link from README (#240) - 2026-06-29 02:07:47
- [b8e9297][Chael Gutierrez]: chore(deps): upgrade production dependencies (#239) - 2026-06-24 02:57:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore Maintenance tasks, configs, and cleanups deps Dependency updates and version bumps

Projects

Development

Successfully merging this pull request may close these issues.

1 participant