
release 0.22.1#13

Merged
jsegaran merged 1 commit into
mainfrom
release/0.22.1
Apr 11, 2026

Conversation

@jsegaran

Contributor

Automated release PR for v0.22.1.


@jsegaran jsegaran added the indent label Apr 11, 2026 — with indent-zero
@jsegaran jsegaran requested a review from pcarrier April 11, 2026 20:31
@jsegaran jsegaran merged commit c53600c into main Apr 11, 2026
12 of 13 checks passed
@jsegaran jsegaran deleted the release/0.22.1 branch April 11, 2026 20:31
@github-actions


🔗 Preview: https://blit-45rrfl6m9-indent.vercel.app

@github-actions


Coverage

| Crate | Lines | Functions | Regions |
|---|---|---|---|
| alacritty-driver | 59.7% (529/886) | 62.5% (40/64) | 59.8% (754/1261) |
| browser | 0.0% (0/807) | 0.0% (0/65) | 0.0% (0/1370) |
| cli | 36.2% (1064/2938) | 46.9% (151/322) | 38.2% (1924/5033) |
| compositor | 8.5% (134/1582) | 9.0% (10/111) | 8.7% (214/2452) |
| fonts | 76.8% (486/633) | 85.5% (47/55) | 77.9% (922/1183) |
| gateway | 29.0% (354/1219) | 28.0% (35/125) | 22.4% (440/1963) |
| proxy | 18.2% (150/825) | 20.7% (24/116) | 20.6% (260/1261) |
| remote | 72.2% (1940/2687) | 84.9% (186/219) | 75.4% (3674/4870) |
| server | 22.2% (1777/8008) | 39.9% (202/506) | 24.1% (3014/12521) |
| ssh | 1.9% (7/362) | 3.2% (1/31) | 0.7% (4/599) |
| webrtc-forwarder | 0.7% (15/2064) | 0.7% (1/151) | 0.9% (33/3487) |
| webserver | 59.8% (446/746) | 70.8% (75/106) | 62.7% (838/1336) |
| Total | 30.3% (6902/22757) | 41.3% (772/1871) | 32.3% (12077/37336) |

mgasner added a commit that referenced this pull request Jun 23, 2026
**Summary**
- Bumps three transitively-vulnerable packages to land every open Dependabot alert against `js/pnpm-lock.yaml` in the fixed range.
- `astro` `^6.3.3` → `^6.4.6` (resolves to 6.4.8): clears alert #13 (GHSA-2pvr-wf23-7pc7 host-header SSRF) and #14 (GHSA-jrpj-wcv7-9fh9 XSS via spread props attribute names).
- `vite` `^8.0.13` → `^8.0.16` in `solid`/`ui`/`website`: clears alert #9 (GHSA-fx2h-pf6j-xcff `server.fs.deny` bypass on Windows) and #8 (GHSA-v6wh-96g9-6wx3 launch-editor NTLMv2 hash disclosure). Replaces the existing `vite: ^7` override with selector-based clamps (`vite@<7.3.5` → safe 7, `vite@<8.0.16` → safe 8); transitive vite 7.x consumers (alerts #10, #11) would land on 7.3.5+. After regeneration the lockfile has no vite 7.x at all.
- New override `undici: ">=7.28.0"`: clears #15 (GHSA-vmh5-mc38-953g TLS-bypass via dropped requestTls in SOCKS5 ProxyAgent), #16 (GHSA-pr7r-676h-xcf6 shared-cache whitespace bypass), and #17 (GHSA-hm92-r4w5-c3mj SOCKS5 proxy pool reuse). jsdom's `^8` ranges then resolve to undici 8.5.0 cleanly.
- Lockfile regenerated with pnpm 10.33 (matches CI sandbox). The `nix/packages.nix` `pnpmDeps.hash` bump will land in a follow-up commit on this branch once CI surfaces the new sandbox hash, per the pnpm-deps Nix hash workflow.

**Motivation**
14 Dependabot alerts open on `js/pnpm-lock.yaml` covering 5 packages (astro, vite, undici, devalue, fast-uri, plus the already-fixed esbuild #6). Of those, 8 had genuinely vulnerable versions still in the lockfile (vite 7.3.3 + 8.0.13, astro 6.3.3, undici 7.25.0). The rest (alerts #1, #2, #3, #5, #6, #12) are GitHub-dependency-graph staleness — the lockfile is already past the patched version, but the SBOM endpoint still reports old data (e.g. esbuild 0.27.5 in the SBOM despite 0.28.1 on `main` since PR #68).

**Testing**
- `pnpm install --lockfile-only` regenerated cleanly under pnpm 10.33.
- Verified post-regen versions: `undici@8.5.0`, `astro@6.4.8`, `vite@8.0.16` (only — no 7.x), `esbuild@0.28.1`. No remaining matches for any open advisory's vulnerable range.
- Local nix build of `pnpmDeps` not available in the sandbox; will refresh the hash from the first CI failure log per the established workflow.

[![Open in
Indent](https://assets.indent.com/view-in-indent.svg)](https://app.indent.com/chats/d28bf82f-595b-493a-a132-5a7da6cf0b6e)
Tag `@indent` to continue the conversation here.

---------

Co-authored-by: Indent <noreply@indent.com>
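A defender-side check for the "no remaining matches for any open advisory's vulnerable range" claim in the commit message above, as an added example that is not code from this PR or from the project: a small Node.js script that scans the `packages:` block of a pnpm v9 lockfile and flags entries still inside the ranges the overrides target. The lockfile layout it parses (two-space-indented `name@version:` keys), the range table (derived from the override selectors quoted in the message) and the two lockfile excerpts are assumptions constructed for the example.

```javascript
// Added example, not code from the PR or the project: audit a pnpm v9
// lockfile's `packages:` section against the vulnerable ranges named in the
// commit message above. Layout assumed: two-space-indented, optionally quoted
// `name@version:` keys under `packages:`, ending at the next top-level key.

// Assumed vulnerable ranges, read off the override selectors in the message:
// `below` is the first patched version; `major` restricts the check to one
// release line (null = any version below the floor is flagged).
const VULNERABLE_RANGES = [
  { name: "vite",   major: 7,    below: "7.3.5" },
  { name: "vite",   major: 8,    below: "8.0.16" },
  { name: "astro",  major: 6,    below: "6.4.6" },
  { name: "undici", major: null, below: "7.28.0" },
];

// "8.0.16" or "8.0.16-beta.1" -> [8, 0, 16]; pre-release tags are ignored
// (assumption: none of the checked packages are pinned to pre-releases).
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Numeric comparison of two dotted versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Keys look like `  vite@8.0.16:` or `  '@astrojs/compiler@2.10.3':`.
// Scoped names keep their leading `@`; a peer suffix `(...)` is cut off.
const KEY_RE = /^  '?(@?[^\s'@]+)@([^\s'(:]+)/;

// Collect {name, version} from the `packages:` block only; deeper-indented
// lines (resolution, peerDependencies) never match the two-space prefix.
function lockfilePackages(lockText) {
  const found = [];
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^\S/.test(line)) {              // a top-level key starts a new block
      inPackages = line.startsWith("packages:");
      continue;
    }
    if (!inPackages) continue;
    const m = KEY_RE.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Every locked package still inside a vulnerable range, with its fix floor.
function findVulnerable(lockText, ranges = VULNERABLE_RANGES) {
  const hits = [];
  for (const pkg of lockfilePackages(lockText)) {
    for (const r of ranges) {
      if (r.name !== pkg.name) continue;
      if (r.major !== null && parseVersion(pkg.version)[0] !== r.major) continue;
      if (compareVersions(pkg.version, r.below) < 0) {
        hits.push({ name: pkg.name, version: pkg.version, fixedIn: r.below });
      }
    }
  }
  return hits;
}

// Constructed lockfile excerpts (not the project's real lockfile): the state
// the message describes before and after the bumps. esbuild is included to
// show that packages outside the range table pass through untouched.
const LOCK_BEFORE = `lockfileVersion: '9.0'

packages:

  astro@6.3.3:
    resolution: {integrity: sha512-constructed}

  esbuild@0.27.5:
    resolution: {integrity: sha512-constructed}

  undici@7.25.0:
    resolution: {integrity: sha512-constructed}

  vite@7.3.3:
    resolution: {integrity: sha512-constructed}

  vite@8.0.13:
    resolution: {integrity: sha512-constructed}

snapshots:

  vite@7.3.3:
    dependencies:
      esbuild: 0.27.5
`;

const LOCK_AFTER = `lockfileVersion: '9.0'

packages:

  astro@6.4.8:
    resolution: {integrity: sha512-constructed}

  esbuild@0.28.1:
    resolution: {integrity: sha512-constructed}

  undici@8.5.0:
    resolution: {integrity: sha512-constructed}

  vite@8.0.16:
    resolution: {integrity: sha512-constructed}
`;

console.log("before:", findVulnerable(LOCK_BEFORE));  // four findings
console.log("after: ", findVulnerable(LOCK_AFTER));   // []
```

To run it against a real lockfile, replace the constructed excerpts with `fs.readFileSync("js/pnpm-lock.yaml", "utf8")`; the check only reads the `packages:` block, so the `snapshots:` entries (which repeat versions with peer suffixes) are not double-counted.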