chore(npm): bump dependencies #400

Open

yhabib wants to merge 1 commit into main from chore/vulns

Conversation

@yhabib yhabib (Collaborator) commented Jun 4, 2026

Motivation

# npm audit report

brace-expansion  5.0.2 - 5.0.5
Severity: moderate
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/brace-expansion

vitest  <4.1.0
Severity: critical
When Vitest UI server is listening, arbitrary file can be read and executed - https://github.com/advisories/GHSA-5xrq-8626-4rwp
fix available via `npm audit fix --force`
Will install vitest@4.1.8, which is outside the stated dependency range
node_modules/vitest

2 vulnerabilities (1 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

Changes

  • Ran npm audit fix

Copilot AI review requested due to automatic review settings June 4, 2026 12:46
@yhabib yhabib requested a review from a team as a code owner June 4, 2026 12:46
zeropath-ai Bot commented Jun 4, 2026

No security or compliance issues detected. Reviewed everything up to 7d46b60.

Security Overview

Detected Code Changes

Change Type: Configuration changes
  Relevant files:
    package-lock.json
      Update dependency versions for @vitest/expect
      Update dependency versions for @vitest/mocker
      Update dependency versions for @vitest/pretty-format
      Update dependency versions for @vitest/runner
      Update dependency versions for @vitest/snapshot
      Update dependency versions for @vitest/spy
      Update dependency versions for @vitest/utils
      Update dependency versions for brace-expansion
      Update dependency versions for es-module-lexer
      Update dependency versions for std-env
      Update dependency versions for tinyrainbow
      Update dependency versions for vitest
    src/governance-app-frontend/package.json
      Update vitest dependency version

Change Type: Enhancement
  Relevant files:
    package-lock.json
      Update vite peer dependency version range in @vitest/mocker
      Update vite peer dependency version range in vitest

github-actions Bot commented Jun 4, 2026

📊 Build Bundle Stats

The latest build generated the following assets:

dist/index.html                                           1.92 kB │ gzip:   0.68 kB
dist/assets/index-DxfLsNC8.css                          132.17 kB │ gzip:  20.82 kB
dist/assets/externalServices-B9hWFV-7.js                  0.21 kB │ gzip:   0.17 kB
dist/assets/Spinner-iF0pcIc6.js                           0.58 kB │ gzip:   0.40 kB
dist/assets/useTvlValue-BFWe-KFi.js                       0.58 kB │ gzip:   0.39 kB
dist/assets/service-DtHNKNwD.js                           0.60 kB │ gzip:   0.39 kB
dist/assets/useHideBalances-Bq3A4SNP.js                   0.61 kB │ gzip:   0.40 kB
dist/assets/numbers-lYdME_Js.js                           0.61 kB │ gzip:   0.36 kB
dist/assets/PageHeader-Cr3cEbbs.js                        0.75 kB │ gzip:   0.44 kB
dist/assets/Separator-CerY9Nwn.js                         0.77 kB │ gzip:   0.46 kB
dist/assets/CertifiedBadge-3jp9Oe8w.js                    0.80 kB │ gzip:   0.48 kB
dist/assets/useIcpIndex-bSThwp_c.js                       1.08 kB │ gzip:   0.63 kB
dist/assets/addressBook-Q7sCArC7.js                       1.10 kB │ gzip:   0.70 kB
dist/assets/useCommandPaletteSettings-DN4VYDU3.js         1.64 kB │ gzip:   0.80 kB
dist/assets/Switch-qY0yD7W-.js                            1.65 kB │ gzip:   0.82 kB
dist/assets/CopyButton-CTRaWA7m.js                        1.86 kB │ gzip:   0.95 kB
dist/assets/AnimatedNumber-CdM72RFO.js                    1.86 kB │ gzip:   1.04 kB
dist/assets/useGovernanceAppCanister-_BJ019wn.js          1.92 kB │ gzip:   0.97 kB
dist/assets/useInfiniteQueryThenUpdateCall-DrbUqQGG.js    1.93 kB │ gzip:   0.96 kB
dist/assets/ToggleGroup-BN9raciC.js                       3.05 kB │ gzip:   1.33 kB
dist/assets/useTickerPrices-CwK57wLx.js                   3.17 kB │ gzip:   1.51 kB
dist/assets/AmountInput-d81h7Xo-.js                       6.37 kB │ gzip:   2.91 kB
dist/assets/useSpamFilterCanister-GbrbiooO.js             7.20 kB │ gzip:   3.24 kB
dist/assets/QueryStates-ClWtT1Y-.js                       7.95 kB │ gzip:   2.27 kB
dist/assets/index-Cd6iqO7c.js                             8.78 kB │ gzip:   3.41 kB
dist/assets/Input-BtLqkrd2.js                             9.40 kB │ gzip:   3.35 kB
dist/assets/types-BmsE_UPj.js                             9.96 kB │ gzip:   4.32 kB
dist/assets/TopicFollowingAccordion-DZFvpWKL.js          10.15 kB │ gzip:   4.05 kB
dist/assets/index-TjGs5TJ2.js                            14.67 kB │ gzip:   4.69 kB
dist/assets/_auth-CbBo7c9w.js                            17.10 kB │ gzip:   6.51 kB
dist/assets/index-DUo-7QCO.js                            23.48 kB │ gzip:   8.06 kB
dist/assets/DepositICPModal-CEk1lZz6.js                  39.67 kB │ gzip:  13.88 kB
dist/assets/index-C2ivg8UK.js                            41.83 kB │ gzip:  11.86 kB
dist/assets/index-CjBDDAlQ.js                            49.76 kB │ gzip:  15.01 kB
dist/assets/index-DdPl_Frg.js                            67.21 kB │ gzip:  20.66 kB
dist/assets/vendor-md-CeKJeCNV.js                        89.32 kB │ gzip:  25.51 kB
dist/assets/index-Butq5cK0.js                           122.56 kB │ gzip:  34.65 kB
dist/assets/index-DoTPYoPZ.js                           123.95 kB │ gzip:  40.26 kB
dist/assets/vendor-tanstack-dUF9ZPhg.js                 126.65 kB │ gzip:  39.34 kB
dist/assets/vendor-core-react-By6K7kM9.js               193.24 kB │ gzip:  60.69 kB
dist/assets/vendor-recharts-DmT8shOr.js                 228.10 kB │ gzip:  65.92 kB
dist/assets/vendor-icp-B-t-gTJv.js                      404.22 kB │ gzip: 100.21 kB
dist/assets/vendor-libs-SlEJfvxd.js                     553.84 kB │ gzip: 183.40 kB

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates JavaScript dependencies in the governance-app-frontend workspace (and the root workspace lockfile) to remediate the vulnerabilities reported by npm audit, notably upgrading Vitest to a non-vulnerable version and updating transitive packages such as brace-expansion.

Changes:

  • Bumped vitest in src/governance-app-frontend/package.json from 4.0.18 to 4.1.7.
  • Regenerated package-lock.json to reflect the Vitest upgrade and related dependency graph updates (e.g., @vitest/*, es-module-lexer, std-env, tinyrainbow).
  • Updated brace-expansion in the lockfile to 5.0.6 (moving off the vulnerable 5.0.2–5.0.5 range).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File: src/governance-app-frontend/package.json
  Updates direct dev dependency vitest to a patched version.
File: package-lock.json
  Updates resolved/hoisted dependency versions across the workspace install to match the audit fix output (including Vitest’s dependency tree and brace-expansion).


@yhabib yhabib changed the title "bump dependencies to handle vulns" to "chore(npm): bump dependencies" Jun 4, 2026