chore remediate npm audit findings and pin CI tools - Upgrade Vite @crxjs/vite-plugin Cloudru eslint/stylelint/lint-staged and related deps - Add targeted pnpm overrides for vulnerable transitive packages - Use frozen lockfile in PR e2e; run license validator and publish-browser-extension via pinned npx

Author: Kirill Lebedenko

.github/actions/license/action.yml

@@ -21,5 +21,5 @@ runs:
 
     - name: Run license validator
       run: |
-        pnpx @cloud-ru/ft-license-validator@latest
+        npx --yes @cloud-ru/ft-license-validator@1.3.0
       shell: bash

.github/workflows/pr.yml

@@ -166,7 +166,7 @@ jobs:
           cache: 'pnpm'
 
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Download Chrome build artifact
         uses: actions/download-artifact@v4
@@ -188,17 +188,9 @@ jobs:
     needs: [pr-build, e2e-test]
     runs-on: ubuntu-latest
     steps:
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 10.10.0
-
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: Install publish-browser-extension
-        run: pnpm install -save-dev publish-browser-extension
-
       - name: Download Chrome build artifact
         uses: actions/download-artifact@v4
         with:
@@ -225,7 +217,7 @@ jobs:
           CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
           CHROME_PUBLISH_TARGET: ${{ secrets.CHROME_PUBLISH_TARGET }}
         run: |
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --dry-run \
             --chrome-zip dist/chrome/cloudhood-chrome-${{ needs.pr-build.outputs.short_sha }}.zip \
             --chrome-extension-id ${{ env.CHROME_EXTENSION_ID }} \
@@ -240,7 +232,7 @@ jobs:
           FIREFOX_JWT_ISSUER: ${{ secrets.FIREFOX_JWT_ISSUER }}
           FIREFOX_JWT_SECRET: ${{ secrets.FIREFOX_JWT_SECRET }}
         run: |
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --dry-run \
             --firefox-zip dist/firefox/cloudhood-firefox-${{ needs.pr-build.outputs.short_sha }}.zip \
             --firefox-sources-zip dist/firefox-sources/cloudhood-firefox-sources-${{ needs.pr-build.outputs.short_sha }}.zip \

.github/workflows/release-all.yml

@@ -111,14 +111,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v2
-        with:
-          version: 10.10.0
-
-      - name: Install publish-browser-extension
-        run: pnpm install -g publish-browser-extension
-
       - name: Download Chrome build artifact
         uses: actions/download-artifact@v4
         with:
@@ -161,7 +153,7 @@ jobs:
           CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
           CHROME_PUBLISH_TARGET: ${{ secrets.CHROME_PUBLISH_TARGET }}
         run: |
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --chrome-zip cloudhood-chrome.zip \
             --chrome-extension-id ${{ env.CHROME_EXTENSION_ID }} \
             --chrome-client-id ${{ env.CHROME_CLIENT_ID }} \
@@ -180,7 +172,7 @@ jobs:
 
           echo "Debug: Firefox extension ID is set: ${{ secrets.FIREFOX_EXTENSION_ID != '' }}"
 
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --firefox-zip cloudhood-firefox.zip \
             --firefox-sources-zip cloudhood-firefox-sources.zip \
             --firefox-extension-id ${{ env.FIREFOX_EXTENSION_ID }} \

.github/workflows/release-chrome.yml

@@ -112,7 +112,7 @@ jobs:
 
           echo "Debug: Chrome extension ID is set: ${{ secrets.CHROME_EXTENSION_ID != '' }}"
 
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --chrome-zip cloudhood-chrome.zip \
             --chrome-extension-id ${{ env.CHROME_EXTENSION_ID }} \
             --chrome-client-id ${{ env.CHROME_CLIENT_ID }} \

.github/workflows/release-firefox.yml

@@ -126,7 +126,7 @@ jobs:
 
           echo "Debug: Firefox extension ID is set: ${{ secrets.FIREFOX_EXTENSION_ID != '' }}"
 
-          npx publish-browser-extension \
+          npx --yes publish-browser-extension@4.0.4 \
             --firefox-zip cloudhood-firefox.zip \
             --firefox-sources-zip cloudhood-firefox-sources.zip \
             --firefox-extension-id ${{ env.FIREFOX_EXTENSION_ID }} \

package.json

@@ -33,7 +33,6 @@
     "test:e2e:screenshots:generate": "pnpm test:e2e:screenshots:docker:update"
   },
   "dependencies": {
-    "@cloud-ru/ft-config-lint-staged": "1.1.2",
     "@dnd-kit/core": "6.3.1",
     "@dnd-kit/sortable": "10.0.0",
     "@emotion/react": "11.14.0",
@@ -60,11 +59,12 @@
     "vite-plugin-static-copy": "3.1.4"
   },
   "devDependencies": {
-    "@cloud-ru/eslint-config": "3.0.0",
+    "@cloud-ru/eslint-config": "3.1.5",
     "@cloud-ru/ft-config-commit-message": "1.1.2",
-    "@cloud-ru/ft-config-stylelint": "3.0.0",
+    "@cloud-ru/ft-config-lint-staged": "1.1.4",
+    "@cloud-ru/ft-config-stylelint": "3.1.2",
     "@cloud-ru/ft-config-vitest": "1.2.2",
-    "@crxjs/vite-plugin": "^2.0.2",
+    "@crxjs/vite-plugin": "^2.4.0",
     "@eslint/compat": "1.2.9",
     "@playwright/test": "1.57.0",
     "@svgr/webpack": "8.1.0",
@@ -74,7 +74,7 @@
     "@types/webextension-polyfill": "0.12.3",
     "@types/ws": "8.18.1",
     "@vitejs/plugin-react": "^4.5.2",
-    "concurrently": "9.2.0",
+    "concurrently": "9.2.1",
     "eslint-plugin-effector": "0.16.0",
     "fs-extra": "11.3.0",
     "husky": "^9.1.6",
@@ -83,16 +83,24 @@
     "prettier": "3.5.3",
     "terser": "5.46.1",
     "typescript": "5.7.3",
-    "vite": "^5.4.19",
+    "vite": "6.4.2",
     "vite-plugin-svgr": "4.3.0",
     "vite-tsconfig-paths": "5.1.4",
     "webextension-polyfill": "0.12.0",
     "ws": "8.20.0"
   },
   "pnpm": {
     "overrides": {
+      "brace-expansion": "2.0.3",
       "esbuild": "0.27.2",
-      "glob": "10.5.0"
+      "flatted": "3.4.2",
+      "glob": "10.5.0",
+      "minimatch": "9.0.9",
+      "@eslint/eslintrc>minimatch": "3.1.5",
+      "picomatch": "4.0.4",
+      "rollup": "4.60.1",
+      "svgo": "3.3.3",
+      "yaml": "1.10.3"
     }
   },
   "packageManager": "pnpm@10.10.0",