chore(deps): upgrade dashboard to vite 8 + plugin-react 6 (security)#132
Merged
Conversation
Clears the open dashboard npm advisories. All are dev-server / build-time only — the shipped dashboard is pre-built static assets served by Go, so none are reachable in production — but the upgrade removes the dev-time exposure and modernises the toolchain: - vite 5.4.14 -> 8.1.3: fixes GHSA-fx2h-pf6j-xcff (server.fs.deny bypass, Windows), GHSA-v6wh-96g9-6wx3 (launch-editor NTLM disclosure, Windows), GHSA-4w7w-66w2-5vf9 (optimized-deps .map path traversal). Vite 8 uses rolldown, which drops the standalone esbuild dependency entirely, so GHSA-67mh-4wv8-2f99 (esbuild dev-server SSRF) is resolved at the root. - @vitejs/plugin-react 4.3.4 -> 6.0.3 (vite 8 compat; still supports React 18). - js-yaml pinned >=4.2.0 via overrides to patch GHSA-h67p-54hq-rp68 (quadratic-complexity DoS) inside openapi-typescript's redocly dependency. Deliberately scoped to the security-relevant bumps: React 18, Tailwind 3, react-router 6 and TypeScript 5 are unchanged (those majors are separate migrations, deferred by the dependabot ignore rule). Validated locally: `npm run gen:api`, `tsc -b`, and `vite build` are green; `npm audit` reports 0 vulnerabilities. Supersedes the Dependabot security PRs #122 and #123. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Does the vite/esbuild security jump properly — with a local dashboard build (which PR CI doesn't run), scoped to just the security-relevant deps.
Advisories cleared
All are dev-server / build-time only — production serves pre-built static assets from Go on Linux, so none are reachable in prod — but this removes the dev-time exposure:
server.fs.denybypass (Windows) — GHSA-fx2h-pf6j-xcff.mappath traversal — GHSA-4w7w-66w2-5vf9overrides: js-yaml ^4.2.0(→ 4.3.0)Changes
vite5.4.14 → 8.1.3,@vitejs/plugin-react4.3.4 → 6.0.3overrides.js-yaml ^4.2.0(patches openapi-typescript's redocly chain)Validation
Local:
npm run gen:api✅ ·tsc -b✅ ·vite build✅ (1851 modules, rolldown) ·npm audit→ 0 vulnerabilities. No app-code changes were needed. dist/ is gitignored (built fresh in the Docker node stage), so onlypackage.json+package-lock.jsonchange.Supersedes Dependabot security PRs #122 and #123.
🤖 Generated with Claude Code