release 0.22.1 #13
Merged
Conversation
pcarrier approved these changes Apr 11, 2026

🔗 Preview: https://blit-45rrfl6m9-indent.vercel.app | Coverage
mgasner added a commit that referenced this pull request Jun 23, 2026
**Summary**

- Bumps three transitively-vulnerable packages to land every open Dependabot alert against `js/pnpm-lock.yaml` in the fixed range.
- `astro` `^6.3.3` → `^6.4.6` (resolves to 6.4.8): clears alert #13 (GHSA-2pvr-wf23-7pc7 host-header SSRF) and #14 (GHSA-jrpj-wcv7-9fh9 XSS via spread props attribute names).
- `vite` `^8.0.13` → `^8.0.16` in `solid`/`ui`/`website`: clears alert #9 (GHSA-fx2h-pf6j-xcff `server.fs.deny` bypass on Windows) and #8 (GHSA-v6wh-96g9-6wx3 launch-editor NTLMv2 hash disclosure). Replaces the existing `vite: ^7` override with selector-based clamps (`vite@<7.3.5` → safe 7, `vite@<8.0.16` → safe 8); transitive vite 7.x consumers (alerts #10, #11) would land on 7.3.5+. After regeneration the lockfile has no vite 7.x at all.
- New override `undici: ">=7.28.0"`: clears #15 (GHSA-vmh5-mc38-953g TLS-bypass via dropped requestTls in SOCKS5 ProxyAgent), #16 (GHSA-pr7r-676h-xcf6 shared-cache whitespace bypass), and #17 (GHSA-hm92-r4w5-c3mj SOCKS5 proxy pool reuse). jsdom's `^8` ranges then resolve to undici 8.5.0 cleanly.
- Lockfile regenerated with pnpm 10.33 (matches CI sandbox). The `nix/packages.nix` `pnpmDeps.hash` bump will land in a follow-up commit on this branch once CI surfaces the new sandbox hash, per the pnpm-deps Nix hash workflow.

**Motivation**

14 Dependabot alerts open on `js/pnpm-lock.yaml` covering 5 packages (astro, vite, undici, devalue, fast-uri, plus the already-fixed esbuild #6). Of those, 8 had genuinely vulnerable versions still in the lockfile (vite 7.3.3 + 8.0.13, astro 6.3.3, undici 7.25.0). The rest (alerts #1, #2, #3, #5, #6, #12) are GitHub-dependency-graph staleness — the lockfile is already past the patched version, but the SBOM endpoint still reports old data (e.g. esbuild 0.27.5 in the SBOM despite 0.28.1 on `main` since PR #68).

**Testing**

- `pnpm install --lockfile-only` regenerated cleanly under pnpm 10.33.
- Verified post-regen versions: `undici@8.5.0`, `astro@6.4.8`, `vite@8.0.16` (only — no 7.x), `esbuild@0.28.1`. No remaining matches for any open advisory's vulnerable range.
- Local nix build of `pnpmDeps` not available in the sandbox; will refresh the hash from the first CI failure log per the established workflow.

[](https://app.indent.com/chats/d28bf82f-595b-493a-a132-5a7da6cf0b6e) Tag `@indent` to continue the conversation here.

---------

Co-authored-by: Indent <noreply@indent.com>
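The commit message's "Testing" step, checking that no resolved version in the regenerated lockfile still falls inside an advisory's vulnerable range, is the kind of check worth automating rather than eyeballing. The script below is an added example, not code from this repository or from pnpm: it extracts `name@version` keys from the `packages:` section of a lockfile v9 `pnpm-lock.yaml` (the sample lockfile is constructed, not the project's real one, and its layout is an assumption about the v9 key format) and tests each resolved version against major-bounded vulnerable ranges. The ranges are inferred from the fixed versions the commit message names (`vite@<7.3.5` / `vite@<8.0.16` clamps, `undici >=7.28.0`, `astro ^6.4.6`), not copied from the advisories themselves, and the advisory labels use the GHSA ids the message lists.

```python
"""Audit a pnpm-lock.yaml (lockfile v9 layout) for resolved versions inside vulnerable ranges.

Added example, not the project's own tooling. Assumes lockfile v9 keys of the form
  astro@6.4.8:
  '@scope/name@1.2.3':
  vite@8.0.16(@types/node@22.0.0):
under a top-level `packages:` section. No third-party dependencies.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample resembling the pre-bump state the commit message describes
# (vite 7.3.3 and undici 7.25.0 still present). Integrity values are placeholders.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

overrides:
  'vite@<7.3.5': '>=7.3.5 <8'
  'vite@<8.0.16': '>=8.0.16 <9'
  undici: '>=7.28.0'

packages:

  '@astrojs/compiler@2.10.3':
    resolution: {integrity: sha512-PLACEHOLDER}

  astro@6.4.8:
    resolution: {integrity: sha512-PLACEHOLDER}

  undici@7.25.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  vite@7.3.3(@types/node@22.0.0):
    resolution: {integrity: sha512-PLACEHOLDER}

  vite@8.0.16(@types/node@22.0.0):
    resolution: {integrity: sha512-PLACEHOLDER}
"""

# Vulnerable ranges inferred from the fixed versions named in the commit message.
# Each entry: (label, space-separated comparators that must all hold).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "astro": [("GHSA-2pvr-wf23-7pc7 / GHSA-jrpj-wcv7-9fh9 (fixed by ^6.4.6)", ">=6.0.0 <6.4.6")],
    "vite": [
        ("vite 7.x clamp, alerts #10/#11 (fixed by 7.3.5)", ">=7.0.0 <7.3.5"),
        ("GHSA-fx2h-pf6j-xcff / GHSA-v6wh-96g9-6wx3 (fixed by 8.0.16)", ">=8.0.0 <8.0.16"),
    ],
    "undici": [("GHSA-vmh5-mc38-953g / GHSA-pr7r-676h-xcf6 / GHSA-hm92-r4w5-c3mj (fixed by 7.28.0)", "<7.28.0")],
}


def parse_version(text: str) -> Version:
    """'8.0.16' -> (8, 0, 16). Prerelease/build suffixes are dropped for comparison."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


_COMPARATOR = re.compile(r"(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)")


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies every comparator in `spec`, e.g. '>=7.0.0 <7.3.5'.

    Bounding each range by major is what keeps 7.3.5 (a safe 7.x) from being flagged
    merely because it is below the 8.x fix version.
    """
    v = parse_version(version)
    for op, target in _COMPARATOR.findall(spec):
        t = parse_version(target)
        holds = {">=": v >= t, "<=": v <= t, ">": v > t, "<": v < t, "=": v == t, "": v == t}[op]
        if not holds:
            return False
    return True


# Two-space indented key: optional quote, optional @scope, name, '@', version; stop at quote, '(' or ':'.
_PKG_KEY = re.compile(r"^  '?(@?[^@'\s]+)@([^'(:\s]+)")


def resolved_packages(lockfile: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every key under the top-level `packages:` section."""
    pairs: List[Tuple[str, str]] = []
    in_packages = False
    for line in lockfile.splitlines():
        if line.strip() and not line.startswith(" "):
            in_packages = line.rstrip() == "packages:"  # entering/leaving a top-level section
            continue
        if in_packages:
            match = _PKG_KEY.match(line)
            if match:
                pairs.append((match.group(1), match.group(2)))
    return pairs


def audit(lockfile: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory label) for each resolved package inside a vulnerable range."""
    findings: List[Tuple[str, str, str]] = []
    for name, version in resolved_packages(lockfile):
        for label, vulnerable_spec in advisories.get(name, []):
            if in_range(version, vulnerable_spec):
                findings.append((name, version, label))
    return findings


if __name__ == "__main__":
    for name, version, label in audit(SAMPLE_LOCKFILE, ADVISORIES):
        print(f"VULNERABLE {name}@{version}: {label}")
```

On the constructed sample this reports `undici@7.25.0` and `vite@7.3.3` and stays silent for `astro@6.4.8` and `vite@8.0.16`; run against a regenerated lockfile, an empty result is the "no remaining matches" condition the Testing section asserts. Peer-dependency suffixes in keys (the `(@types/node@...)` part) are stripped, since the same version can appear once per peer combination.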
Automated release PR for v0.22.1.
Tag `@indent` to continue the conversation here.