Skip to content

chore(deps): patch Dependabot security alerts#103

Merged
wavekat-eason merged 1 commit into
mainfrom
chore/dependabot-security-updates
Jun 22, 2026
Merged

chore(deps): patch Dependabot security alerts#103
wavekat-eason merged 1 commit into
mainfrom
chore/dependabot-security-updates

Conversation

@wavekat-eason

Copy link
Copy Markdown
Contributor

What

Bumps astro ^6.1.1^6.4.8 and refreshes the lockfile (npm audit fix) to clear the repo's open Dependabot alerts. Astro is the only vulnerable direct dependency; everything else is transitive (mostly through astro/vite and wrangler/miniflare).

Alerts resolved (all high/medium)

Package Was Now Advisory
astro 6.1.1 6.4.8 multiple (< 6.4.6)
vite 7.3.1 7.3.5 path traversal, fs.deny bypass, WS file read
devalue 5.6.4 5.8.1 high
defu 6.1.4 6.1.7 prototype pollution (high)
undici 7.14.0 7.28.0 medium (via wrangler/miniflare)
ws 8.21.0 high (via miniflare)
wrangler 4.47.0 4.103.0 pulls patched esbuild 0.28.1

npm audit: 13 → 2.

Left intentionally

Two low-severity esbuild advisories (GHSA-g7r4-m6w7-qqqr) remain. They affect the dev server on Windows only and esbuild is pinned transitively by astro's vite; the only fix npm audit fix --force offers is downgrading astro to 5.x (a breaking change and a regression). We build on Linux/Cloudflare and never expose the dev server, so the residual risk is nil.

Verification

  • Full build with private docs synced: 123 pages, ✓ Complete
  • npm run check:links: 123 pages scanned, no broken or leaking internal links

🤖 Generated with Claude Code

Bump astro ^6.1.1 → ^6.4.8 and refresh the lockfile (npm audit fix) to
clear the open Dependabot alerts. Resolves all high/medium advisories:

- astro       6.1.1  → 6.4.8   (multiple advisories, < 6.4.6)
- vite        7.3.1  → 7.3.5   (path traversal, fs.deny bypass, WS read)
- devalue     5.6.4  → 5.8.1   (high)
- defu        6.1.4  → 6.1.7   (prototype pollution, high)
- undici      7.14.0 → 7.28.0  (via wrangler/miniflare, medium)
- ws          →  8.21.0        (via miniflare, high)
- wrangler    4.47.0 → 4.103.0 (pulls patched esbuild 0.28.1)

Two low-severity esbuild dev-server advisories remain: they only affect
the dev server on Windows and are pinned transitively by astro's vite;
the only "fix" npm offers is downgrading astro to 5.x, so we leave them.
We build on Linux/Cloudflare and don't expose the dev server.

Full build (docs synced) + `npm run check:links` pass: 123 pages, no
broken or leaking internal links.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

@wavekat-eason wavekat-eason merged commit 3232cbb into main Jun 22, 2026
2 checks passed
@wavekat-eason wavekat-eason deleted the chore/dependabot-security-updates branch June 22, 2026 10:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant