Skip to content

fix(deps): resolve npm audit advisories and sync lockfile#5

Merged
steve-calvert-glean merged 1 commit into
mainfrom
fix/npm-audit
Jun 22, 2026
Merged

fix(deps): resolve npm audit advisories and sync lockfile#5
steve-calvert-glean merged 1 commit into
mainfrom
fix/npm-audit

Conversation

@steve-calvert-glean

Copy link
Copy Markdown
Contributor

Summary

Resolves npm audit advisories and fixes a package-lock drift.

  • Lockfile sync — package-lock.json's engines field still said >=24.15.0 while package.json says >=22.12.0 (the bump was committed without regenerating the lock). Synced.
  • npm audit fix — cleared the in-range vite advisory.
  • overrides — forward-patch dev-only transitive advisories npm could not fix in range: esbuild ^0.28.1, undici ^7.28.0, tmp ^0.2.7.

Result: npm audit 9 to 2 vulnerabilities. Build + 28 tests pass on the bumped versions (tsup, vitest, and the bintastic test harness all verified).

Remaining (accepted)

2 moderate: js-yaml via gray-matter — the only consumer-facing advisory. No gray-matter-compatible fix (gray-matter 4 pins js-yaml 3.x; forcing js-yaml 4.x breaks gray-matter frontmatter parsing, verified). Low real risk: a quadratic DoS in YAML merge-key handling, and pluginpack only parses frontmatter from the repo's own trusted source plugins. The genuine fix is upstream.

🤖 Generated with Claude Code

Sync package-lock.json engines with package.json (>=22.12.0); it was left stale when engines was bumped without re-running npm install. Run npm audit fix for the in-range vite advisory. Add overrides forward-patching dev-only transitive advisories: esbuild ^0.28.1, undici ^7.28.0, tmp ^0.2.7.

Takes npm audit from 9 vulnerabilities to 2. The remaining two (moderate, js-yaml via gray-matter) have no gray-matter-compatible fix and are low real-risk (trusted frontmatter input only).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@steve-calvert-glean steve-calvert-glean added the dependencies Pull requests that update a dependency file label Jun 22, 2026
@steve-calvert-glean steve-calvert-glean merged commit d98bc48 into main Jun 22, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant