
fix(deps): address security vulnerabilities in vite, picomatch, and defu #791

Merged
BYK merged 1 commit into master from fix/security-deps-vite-picomatch-defu
Apr 14, 2026

Conversation


@BYK BYK commented Apr 14, 2026

Summary

Resolve 10 open Dependabot alerts (5 high, 5 medium) across 3 transitive dependencies.

  • vite: 7.3.0 → 7.3.2 (main), 6.4.1 → 6.4.2 (docs) — arbitrary file read via WebSocket, server.fs.deny bypass, path traversal in .map handling
  • picomatch: 2.3.1 → 2.3.2 (pnpm override), 4.0.3 → 4.0.4 — ReDoS via extglob quantifiers, method injection in POSIX character classes
  • defu: 6.1.4 → 6.1.7 (pnpm override in docs) — prototype pollution via __proto__ key

Approach

  • Added "picomatch@<3": "^2.3.2" override in package.json — the 2.x line is pinned deep in @sentry/esbuild-plugin → unplugin@1.0.1 → chokidar and can't be bumped via direct deps
  • Added "defu": "^6.1.5" override in docs/package.json — locked via astro → unstorage → h3 → defu
  • vite and picomatch 4.x resolved naturally via lockfile regeneration (existing semver ranges permit the patched versions)

CVEs addressed

CVE-2026-39363, CVE-2026-39364, CVE-2026-39365, CVE-2026-33671, CVE-2026-33672, CVE-2026-35209

Resolve 10 open Dependabot alerts (5 high, 5 medium) across 3 transitive
dependencies by adding pnpm overrides and regenerating lockfiles.

- vite: 7.3.0 → 7.3.2 (main), 6.4.1 → 6.4.2 (docs) — lockfile re-resolve
- picomatch: 2.3.1 → 2.3.2 (override), 4.0.3 → 4.0.4 — lockfile re-resolve
- defu: 6.1.4 → 6.1.7 (override in docs)

CVEs: CVE-2026-39363, CVE-2026-39364, CVE-2026-39365, CVE-2026-33671,
CVE-2026-33672, CVE-2026-35209
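A post-merge check of the kind this PR relies on, added here as an example and not code from the PR or the project: it scans the `packages:` section of a pnpm-lock.yaml for entries still below the patched floors listed in the description. The `FLOORS` map is built from the versions named above, and the lockfile excerpt is constructed to resemble the pre-fix state.

```javascript
const FLOORS = { // patched floor per major line, taken from the PR description
  vite: { 7: "7.3.2", 6: "6.4.2" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" },
  defu: { 6: "6.1.7" },
};

// Compare dotted numeric versions; pre-release tags are not handled here.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Pull `name@version` keys out of the lockfile's packages section. pnpm v9
// lists them two-space-indented; scoped names keep their leading "@", so
// the version is whatever follows the last "@" before any peer suffix.
function lockedVersions(lockText) {
  const out = [];
  const re = /^  (@?[^@\s]+)@(\d+\.\d+\.\d+)[^:]*:$/gm;
  let m;
  while ((m = re.exec(lockText)) !== null) out.push({ name: m[1], version: m[2] });
  return out;
}

// Every locked package whose major line has a floor it does not meet.
function findVulnerable(lockText, floors = FLOORS) {
  return lockedVersions(lockText).filter(({ name, version }) => {
    const floor = floors[name]?.[Number(version.split(".")[0])];
    return floor !== undefined && cmpVersion(version, floor) < 0;
  });
}

// Constructed lockfile excerpt resembling the pre-fix state the PR describes.
const SAMPLE_LOCK = `packages:
  defu@6.1.4:
    resolution: {integrity: sha512-placeholder}
  picomatch@2.3.1:
    resolution: {integrity: sha512-placeholder}
  picomatch@4.0.4:
    resolution: {integrity: sha512-placeholder}
  vite@7.3.0(@types/node@22.0.0):
    resolution: {integrity: sha512-placeholder}
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findVulnerable(SAMPLE_LOCK));
}
```

Run it against the real lockfile after `pnpm install` to confirm the overrides and the re-resolve actually removed every flagged version rather than only the direct ones.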

github-actions bot commented Apr 14, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-04-14 13:25 UTC

@BYK BYK marked this pull request as ready for review April 14, 2026 12:59
@BYK BYK merged commit 6ba86bc into master Apr 14, 2026
19 checks passed
@BYK BYK deleted the fix/security-deps-vite-picomatch-defu branch April 14, 2026 13:24