Skip to content

chore(deps): upgrade dashboard to vite 8 + plugin-react 6 (security)#132

Merged
dvcdsys merged 1 commit into
developfrom
chore/dashboard-vite-security
Jul 2, 2026
Merged

chore(deps): upgrade dashboard to vite 8 + plugin-react 6 (security)#132
dvcdsys merged 1 commit into
developfrom
chore/dashboard-vite-security

Conversation

@dvcdsys

@dvcdsys dvcdsys commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Does the vite/esbuild security jump properly — with a local dashboard build (which PR CI doesn't run), scoped to just the security-relevant deps.

Advisories cleared

All are dev-server / build-time only — production serves pre-built static assets from Go on Linux, so none are reachable in prod — but this removes the dev-time exposure:

Advisory Sev Fixed by
server.fs.deny bypass (Windows) — GHSA-fx2h-pf6j-xcff high vite ≥ 6.4.3 → 8.1.3
launch-editor NTLM disclosure (Windows) — GHSA-v6wh-96g9-6wx3 med vite → 8.1.3
optimized-deps .map path traversal — GHSA-4w7w-66w2-5vf9 med vite → 8.1.3
esbuild dev-server SSRF — GHSA-67mh-4wv8-2f99 med removed (vite 8 → rolldown, no esbuild dep)
js-yaml quadratic DoS — GHSA-h67p-54hq-rp68 med overrides: js-yaml ^4.2.0 (→ 4.3.0)

Changes

  • vite 5.4.14 → 8.1.3, @vitejs/plugin-react 4.3.4 → 6.0.3
  • overrides.js-yaml ^4.2.0 (patches openapi-typescript's redocly chain)
  • Not touched: React 18, Tailwind 3, react-router 6, TS 5 — those majors are separate migrations (deferred by the dependabot ignore rule).

Validation

Local: npm run gen:api ✅ · tsc -b ✅ · vite build ✅ (1851 modules, rolldown) · npm audit0 vulnerabilities. No app-code changes were needed. dist/ is gitignored (built fresh in the Docker node stage), so only package.json + package-lock.json change.

Supersedes Dependabot security PRs #122 and #123.

🤖 Generated with Claude Code

Clears the open dashboard npm advisories. All are dev-server / build-time
only — the shipped dashboard is pre-built static assets served by Go, so none
are reachable in production — but the upgrade removes the dev-time exposure and
modernises the toolchain:

- vite 5.4.14 -> 8.1.3: fixes GHSA-fx2h-pf6j-xcff (server.fs.deny bypass,
  Windows), GHSA-v6wh-96g9-6wx3 (launch-editor NTLM disclosure, Windows),
  GHSA-4w7w-66w2-5vf9 (optimized-deps .map path traversal). Vite 8 uses
  rolldown, which drops the standalone esbuild dependency entirely, so
  GHSA-67mh-4wv8-2f99 (esbuild dev-server SSRF) is resolved at the root.
- @vitejs/plugin-react 4.3.4 -> 6.0.3 (vite 8 compat; still supports React 18).
- js-yaml pinned >=4.2.0 via overrides to patch GHSA-h67p-54hq-rp68
  (quadratic-complexity DoS) inside openapi-typescript's redocly dependency.

Deliberately scoped to the security-relevant bumps: React 18, Tailwind 3,
react-router 6 and TypeScript 5 are unchanged (those majors are separate
migrations, deferred by the dependabot ignore rule). Validated locally:
`npm run gen:api`, `tsc -b`, and `vite build` are green; `npm audit` reports
0 vulnerabilities.

Supersedes the Dependabot security PRs #122 and #123.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dvcdsys dvcdsys merged commit eba1306 into develop Jul 2, 2026
1 check passed
@dvcdsys dvcdsys deleted the chore/dashboard-vite-security branch July 2, 2026 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant