
fix(deps): resolve docs dependabot advisories #1743

Closed

fengmk2 wants to merge 6 commits into main from fix/dependabot-docs-advisories

Conversation

@fengmk2
Member

@fengmk2 fengmk2 commented Jun 2, 2026

Resolves the open Dependabot advisories in the documentation site (docs/ is a separate pnpm workspace, docs/pnpm-lock.yaml).

Most fixes land through a normal lockfile refresh, since the patched versions already fall within the ranges their parents declare. Only lodash-es needs an override: chevrotain (via mermaid) pins it to exactly 4.17.23, so the patched 4.18.x can't be reached any other way.

Package     Resolved   How        Advisories
vite        7.3.5      lockfile   GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583
defu        6.1.7      lockfile   GHSA-737v-mqg7-c878
picomatch   4.0.4      lockfile   GHSA-c2c7-rcm5-vvqj
lodash-es   4.18.1     override   GHSA-r5fr-rjxr-66jc

Validation

  • pnpm install in docs/ succeeds and the lockfile is consistent.
  • No vulnerable versions remain (lodash-es 4.17.23 is fully replaced by the override).
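
An added check for the validation step above (example code, not from the PR or the project): it scans a pnpm v9 lockfile's `packages:` section and reports any advisory package still resolved below the patched floor named in the commits. Package names, floors and advisory IDs are the ones on this page; the lockfile excerpts are constructed.

```javascript
// Added example, not code from the PR: scan a pnpm v9 lockfile for packages
// still below the patched floors from the PR's first commit; lockfile text is constructed.
const ADVISORIES = [
  { name: 'vite',      patched: '7.3.2',  ids: ['GHSA-v2wj-q39q-566r', 'GHSA-p9ff-h696-f583'] },
  { name: 'defu',      patched: '6.1.5',  ids: ['GHSA-737v-mqg7-c878'] },
  { name: 'picomatch', patched: '4.0.4',  ids: ['GHSA-c2c7-rcm5-vvqj'] },
  { name: 'lodash-es', patched: '4.18.0', ids: ['GHSA-r5fr-rjxr-66jc'] },
];

// Compare major.minor.patch numerically; a prerelease sorts below its release (no range syntax).
function compareVersions(a, b) {
  const [coreA, preA] = a.split('-'), [coreB, preB] = b.split('-');
  const na = coreA.split('.').map(Number), nb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (na[i] || 0) - (nb[i] || 0);
    if (d !== 0) return d;
  }
  if (!!preA !== !!preB) return preA ? -1 : 1;
  return 0;
}

// Collect every `name@version:` key under the top-level `packages:` section
// (keys starting with @ are YAML-quoted). Peer suffixes only appear under
// `snapshots:`, which is skipped, so each key is exactly name@version.
function parsePackages(lock) {
  const found = [];
  let inPackages = false;
  for (const line of lock.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:');
    if (!inPackages) continue;
    const m = /^  '?(@?[^@\s']+)@(\d[^:\s'(]*)'?:\s*$/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Every lockfile entry for an advisory package still below its patched floor;
// an empty array is the "no vulnerable versions remain" check from the PR.
function findVulnerable(lock, advisories = ADVISORIES) {
  const byName = new Map(advisories.map((a) => [a.name, a]));
  return parsePackages(lock)
    .filter((p) => byName.has(p.name) && compareVersions(p.version, byName.get(p.name).patched) < 0)
    .map((p) => ({ ...p, advisories: byName.get(p.name).ids }));
}

// Constructed lockfile excerpts: before the override chevrotain still pulls in
// lodash-es@4.17.23 beside the already patched vite/defu/picomatch; after, 4.18.1.
const HEAD = `lockfileVersion: '9.0'\n\nimporters:\n  .:\n    dependencies:\n      vitepress:\n        specifier: ^1.6.0\n        version: 1.6.3\n\npackages:\n\n  '@vue/shared@3.5.13':\n    resolution: {integrity: sha512-CONSTRUCTED}\n\n  vite@7.3.5:\n    resolution: {integrity: sha512-CONSTRUCTED}\n\n  defu@6.1.7:\n    resolution: {integrity: sha512-CONSTRUCTED}\n\n  picomatch@4.0.4:\n    resolution: {integrity: sha512-CONSTRUCTED}\n\n`;
const LOCK_BEFORE = HEAD + `  lodash-es@4.17.23:\n    resolution: {integrity: sha512-CONSTRUCTED}\n\nsnapshots:\n\n  lodash-es@4.17.23: {}\n`;
const LOCK_AFTER = HEAD + `  lodash-es@4.18.1:\n    resolution: {integrity: sha512-CONSTRUCTED}\n\nsnapshots:\n\n  lodash-es@4.18.1: {}\n`;
```

Because the scan reports every `packages:` key, a second copy of lodash-es left behind at 4.17.23 would still be flagged even after the override added 4.18.1, which is the "fully replaced" condition the validation list calls for.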

@fengmk2 fengmk2 self-assigned this Jun 2, 2026
@netlify

netlify Bot commented Jun 2, 2026

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit b9105e6
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a1e91ea6ea46a0008073964

@github-actions
Contributor

github-actions Bot commented Jun 2, 2026

✅ Staging deployment successful!

Preview: https://viteplus-staging.void.app/
Commit: b9105e6

fengmk2 added 4 commits June 2, 2026 14:31

Add overrides in docs/pnpm-workspace.yaml (a separate pnpm workspace) to
clear the open advisories in the docs site lockfile:
- vite ^7.3.2 (GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583)
- defu ^6.1.5 (GHSA-737v-mqg7-c878)
- lodash-es ^4.18.0 (GHSA-r5fr-rjxr-66jc)
- picomatch ^4.0.4 (GHSA-c2c7-rcm5-vvqj)

Pin the override floor to the resolved version (7.3.5) instead of the
minimum patched release (7.3.2), keeping it on the vite 7 line that
vitepress supports.

vite, defu and picomatch reach their patched versions through normal
in-range resolution, so drop their overrides and let the lockfile carry
them. Keep only the lodash-es override, which chevrotain (via mermaid)
pins to exactly 4.17.23 and so cannot be patched any other way.

Pin the override to the resolved version (4.18.1, the latest patched
release) instead of the minimum patched floor (4.18.0).

@fengmk2 fengmk2 force-pushed the fix/dependabot-docs-advisories branch from 351345d to cbc33c0 Compare June 2, 2026 06:32
@fengmk2 fengmk2 marked this pull request as ready for review June 2, 2026 06:50
@fengmk2
Member Author

fengmk2 commented Jun 2, 2026

renovate re-enable #1744

@fengmk2 fengmk2 requested review from Boshen and wan9chi June 2, 2026 06:50
@fengmk2 fengmk2 closed this Jun 2, 2026
@fengmk2 fengmk2 deleted the fix/dependabot-docs-advisories branch June 2, 2026 08:24