Skip to content

Fix npm audit issues in webviews#795

Merged
TwitchBronBron merged 3 commits into
chris/npm-audit-cleanupfrom
task/upgrade-webviews-deps
May 19, 2026
Merged

Fix npm audit issues in webviews#795
TwitchBronBron merged 3 commits into
chris/npm-audit-cleanupfrom
task/upgrade-webviews-deps

Conversation

@chrisdp

@chrisdp chrisdp commented May 19, 2026

Copy link
Copy Markdown
Collaborator

Branched from #794. Targets chris/npm-audit-cleanup.

Summary

  • Bumped svelte ecosystem: svelte 3.54 → 5.55, vite 4 → 8, @sveltejs/vite-plugin-svelte 2 → 7, svelte-check 2 → 4, @tsconfig/svelte 3 → 5, typescript 4.9 → 5.5, svelte-codicons 0.10 → 0.21
  • Wrapped top-level <tr> in <tbody> in 3 svelte files; svelte 5 now enforces HTML structure that the browser would otherwise auto-repair
  • Added moduleResolution: "node" to webviews/tsconfig.json (TS 5 with module: "ESNext" defaults to "classic", which is incompatible with resolveJsonModule)
  • Set strict: false in webviews/tsconfig.json to preserve the looser baseline that svelte 3 / TS 4.9 was running
  • Added audit script in webviews/package.json and cascaded it from the top-level audit script

Known follow-up

Setting strict: false masks 272 latent type-safety issues that the new toolchain would otherwise surface. They are not regressions caused by this PR — the code is identical — but represent pre-existing implicit-any and possibly-undefined patterns that the older toolchain didn't catch. Re-enabling strict: true and fixing these is a worthwhile follow-up but out of scope here.

- svelte 3.54 -> 5.55, vite 4 -> 8, @sveltejs/vite-plugin-svelte 2 -> 7,
  svelte-check 2 -> 4, @tsconfig/svelte 3 -> 5, typescript 4.9 -> 5.5,
  svelte-codicons 0.10 -> 0.21
- Wrap top-level `<tr>` in `<tbody>` in 3 svelte files (svelte 5 enforces
  the HTML structure the browser would otherwise auto-repair)
- Add `moduleResolution: "node"` to webviews/tsconfig.json (TS 5 with
  `module: "ESNext"` would otherwise default to "classic", which is
  incompatible with `resolveJsonModule`)
- Set `strict: false` in webviews/tsconfig.json to preserve the looser
  baseline svelte 3/TS 4.9 was running; the 272 type errors svelte 5/TS 5
  would surface are real but pre-existing latent issues, tracked separately
- Add `audit` script to webviews and cascade it from the top-level
  `audit` script so `npm run audit` covers both packages

Clears 15 webviews vulnerabilities; 0 vulns remain in webviews.
@chrisdp chrisdp changed the title Upgrade webviews to svelte 5 + vite 8 Fix npm audit issues in webviews May 19, 2026
chrisdp added 2 commits May 19, 2026 13:57
vite 7+ and 8+ require Node 20.19+ / 22.12+. CI runs Node 18.20.4, so
the previous bump to vite 8 broke `npm run build` in CI with
"Vite requires Node.js version 20.19+ or 22.12+".

vite 6.4.2 is the latest in the 6.x line that supports Node 18 and is
outside the audit's vulnerable range (`vite <=6.4.1`). Pair it with
`@sveltejs/vite-plugin-svelte` ^5.1.1, the latest plugin that peers
against vite 6 and still supports Node 18.
@coveralls

Copy link
Copy Markdown

Coverage Status

Coverage is 54.915%task/upgrade-webviews-deps into chris/npm-audit-cleanup. No base build found for chris/npm-audit-cleanup.

@TwitchBronBron
TwitchBronBron merged commit bfd6db8 into chris/npm-audit-cleanup May 19, 2026
7 checks passed
@TwitchBronBron
TwitchBronBron deleted the task/upgrade-webviews-deps branch May 19, 2026 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants