Commit d82b7f7
committed
security: patch vulnerable transitive deps without bumping framework
Clears 36 of 59 Dependabot alerts via surgical, in-major changes only:
- catalog: vite 7.3.1->7.3.5, defu ^6.1.4->^6.1.7
- pnpm overrides forcing patched same-major versions for yaml, ws, tar,
shell-quote, node-forge, lodash, nitropack, unhead, fast-uri, simple-git,
flatted, postcss, @babel/plugin-transform-modules-systemjs, picomatch (2/4),
brace-expansion (1/2/5), devalue@5, h3@1, webpack@5
No changes to vuetify/nuxt/vue/eslint/devtools declarations. 57/57 tests pass,
build clean. Remaining 23 alerts are dev/build-only and need either a Nuxt
framework bump (h3 2.x-rc, nuxt, nitro, srvx) or risky major jumps
(serialize-javascript 6->7, esbuild via vite 8, devalue 2.x).1 parent 39b7ab2 commit d82b7f7
2 files changed
Lines changed: 3600 additions & 1422 deletions
0 commit comments