chore(deps): patch Dependabot security alerts#103
Merged
Conversation
Bump astro ^6.1.1 → ^6.4.8 and refresh the lockfile (npm audit fix) to clear the open Dependabot alerts. Resolves all high/medium advisories: - astro 6.1.1 → 6.4.8 (multiple advisories, < 6.4.6) - vite 7.3.1 → 7.3.5 (path traversal, fs.deny bypass, WS read) - devalue 5.6.4 → 5.8.1 (high) - defu 6.1.4 → 6.1.7 (prototype pollution, high) - undici 7.14.0 → 7.28.0 (via wrangler/miniflare, medium) - ws → 8.21.0 (via miniflare, high) - wrangler 4.47.0 → 4.103.0 (pulls patched esbuild 0.28.1) Two low-severity esbuild dev-server advisories remain: they only affect the dev server on Windows and are pinned transitively by astro's vite; the only "fix" npm offers is downgrading astro to 5.x, so we leave them. We build on Linux/Cloudflare and don't expose the dev server. Full build (docs synced) + `npm run check:links` pass: 123 pages, no broken or leaking internal links. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps
astro^6.1.1→^6.4.8and refreshes the lockfile (npm audit fix) to clear the repo's open Dependabot alerts. Astro is the only vulnerable direct dependency; everything else is transitive (mostly throughastro/viteandwrangler/miniflare).Alerts resolved (all high/medium)
< 6.4.6)fs.denybypass, WS file readnpm audit: 13 → 2.Left intentionally
Two low-severity
esbuildadvisories (GHSA-g7r4-m6w7-qqqr) remain. They affect the dev server on Windows only andesbuildis pinned transitively by astro'svite; the only fixnpm audit fix --forceoffers is downgrading astro to 5.x (a breaking change and a regression). We build on Linux/Cloudflare and never expose the dev server, so the residual risk is nil.Verification
npm run check:links: 123 pages scanned, no broken or leaking internal links🤖 Generated with Claude Code