Skip to content

build(deps): resolve 3 npm security advisories (esbuild/postcss/vite)#8

Merged
kud merged 1 commit into
mainfrom
fix/npm-audit
Jul 5, 2026
Merged

build(deps): resolve 3 npm security advisories (esbuild/postcss/vite)#8
kud merged 1 commit into
mainfrom
fix/npm-audit

Conversation

@kud

@kud kud commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves the 3 pre-existing npm security advisories flagged by npm audit. All were transitive dev-toolchain dependencies (via tsup, tsx, vitest/vite); no direct runtime dependency changed.

Advisories fixed

Severity Package Advisory Fix
high vite Path traversal / server.fs.deny bypass / WS file read (GHSA-4w7w-66w2-5vf9 et al.) npm audit fix (lockfile)
moderate postcss XSS via unescaped </style> (GHSA-qx2v-qp2m-jg93) npm audit fix (lockfile)
low esbuild Arbitrary file read via dev server on Windows (GHSA-g7r4-m6w7-qqqr) overrides pin to esbuild 0.28.1

The esbuild advisory (range 0.27.3–0.28.0) was not resolved by npm audit fix because it is pulled transitively by three toolchain packages. Pinned to exact 0.28.1 (the fixed release, a minor ahead of 0.27.4) via an overrides entry. No --force and no major bumps were required.

Audit before β†’ after

before: 3 vulnerabilities (1 low, 1 moderate, 1 high)
after:  0 vulnerabilities

Gates

Full suite green before and after the change:

  • npm run typecheck β€” pass
  • npm run build β€” pass
  • npm test β€” 23 passed (3 files)

- vite: 8.0.3 β†’ 8.1.3
- esbuild: 0.27.4 β†’ 0.28.1 (pinned via package.json overrides)
- rolldown: 1.0.0-rc.12 β†’ 1.1.4
- postcss: 8.5.8 β†’ 8.5.16
- nanoid: 3.3.11 β†’ 3.3.15
- @emnapi/core + runtime: 1.9.1 β†’ 1.11.1
- @napi-rs/wasm-runtime: 1.1.2 β†’ 1.1.6
- @oxc-project/types: 0.122.0 β†’ 0.138.0
- tinyglobby: 0.2.15 β†’ 0.2.17
- @tybys/wasm-util: 0.10.1 β†’ 0.10.3
@kud kud marked this pull request as ready for review July 5, 2026 02:50
@kud kud merged commit 148a939 into main Jul 5, 2026
1 check passed
@kud kud deleted the fix/npm-audit branch July 5, 2026 02:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant