Skip to content

chore(deps): patch Dependabot security alerts#105

Merged
wavekat-eason merged 1 commit into
mainfrom
chore/dependabot-security-patches
Jun 23, 2026
Merged

chore(deps): patch Dependabot security alerts#105
wavekat-eason merged 1 commit into
mainfrom
chore/dependabot-security-patches

Conversation

@wavekat-eason

Copy link
Copy Markdown
Contributor

Why

GitHub flagged 17 open Dependabot alerts (7 high, 6 moderate, 4 low) on main, all in package-lock.json. The lockfile had drifted: package.json already pinned astro@^6.4.8, but the lockfile still resolved astro@6.1.1 (npm flagged it "invalid"), dragging in vulnerable transitive deps.

What

  • Resync the lockfile to the already-pinned astro ^6.4.8. This cascades the fixes for most alerts:
    Package Before After Severity
    astro 6.1.1 6.4.8 high
    vite 7.3.1 7.3.5 high
    devalue 5.6.4 5.8.1 high
    defu 6.1.4 6.1.7 high
    undici 7.14.0 7.28.0 medium
  • Add an esbuild ^0.28.1 override so astro's transitive esbuild picks up the patched 0.28.1 (GHSA-g7r4-m6w7-qqqr). Without it, npm audit fix wanted to install astro@7.0.0 — an unnecessary breaking major for a low-severity, dev-server-only, Windows-only advisory. The override unifies esbuild at 0.28.1 across the whole tree (astro, vite, wrangler).

Result

npm audit → found 0 vulnerabilities

No source changes — dependency tree only.

Verification

  • npm audit ✓ 0 vulnerabilities
  • npm run build ✓ (123 pages)
  • npm run check:links
  • npm run check:screenshots

🤖 Generated with Claude Code

Clear all 17 open Dependabot alerts (7 high) in package-lock.json:

- Resync the lockfile to the already-pinned astro ^6.4.8 (lockfile was
  stale at astro 6.1.1). This cascades the transitive fixes:
  vite 7.3.1 → 7.3.5, devalue 5.6.4 → 5.8.1, defu 6.1.4 → 6.1.7,
  undici 7.14.0 → 7.28.0.
- Add an esbuild ^0.28.1 override so astro's transitive esbuild picks up
  the patched 0.28.1 (GHSA-g7r4-m6w7-qqqr) without forcing the astro 7
  major npm audit would otherwise pull in.

npm audit now reports 0 vulnerabilities. Build, check:links, and
check:screenshots all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01GYcPoMYpYwjVWsiVpAtmKa
@github-actions

Copy link
Copy Markdown
Contributor

@wavekat-eason wavekat-eason merged commit 97689a9 into main Jun 23, 2026
2 checks passed
@wavekat-eason wavekat-eason deleted the chore/dependabot-security-patches branch June 23, 2026 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant