
build(frontend): bump dev dependencies including audit fix #2811

Merged
peterpeterparker merged 1 commit into main from build/bump-dev
Jun 1, 2026

@peterpeterparker
Contributor

Motivation

A few things to bump and audit fix, not that relevant for SSG prod, but the newest Vite security issue is nice to patch in the emulator (even though it's only for dev).

Vite

https://x.com/vite_js/status/2061503356615475328

Audit

❯ npm audit
# npm audit report

@sveltejs/kit  <=2.60.0
Severity: high
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service - https://github.com/advisories/GHSA-3f6h-2hrp-w5wx
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass - https://github.com/advisories/GHSA-2crg-3p73-43xp
@sveltejs/kit: `query.batch` cross-talk - https://github.com/advisories/GHSA-hgv7-v322-mmgr
fix available via `npm audit fix`
node_modules/@sveltejs/kit

ajv  7.0.0-alpha.0 - 8.17.1
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv

brace-expansion  <=1.1.12 || 4.0.0 - 5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Large numeric range defeats documented `max` DoS protection - https://github.com/advisories/GHSA-jxxr-4gwj-5jf2
fix available via `npm audit fix`
node_modules/@junobuild/cli-tools/node_modules/brace-expansion
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion
node_modules/brace-expansion

devalue  5.6.3 - 5.8.0
Severity: high
Svelte devalue: DoS via sparse array deserialization - https://github.com/advisories/GHSA-77vg-94rm-hx3p
fix available via `npm audit fix`
node_modules/devalue

dompurify  <=3.3.3
Severity: moderate
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation - https://github.com/advisories/GHSA-39q2-94rc-95cp
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) - https://github.com/advisories/GHSA-h7mw-gpvr-xq4m
DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode - https://github.com/advisories/GHSA-crv5-9vww-q3g8
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback - https://github.com/advisories/GHSA-v9jr-rg53-9pgp
fix available via `npm audit fix`
node_modules/dompurify

fast-uri  <=3.1.1
Severity: high
fast-uri vulnerable to path traversal via percent-encoded dot segments - https://github.com/advisories/GHSA-q3j6-qgpj-74h6
fast-uri vulnerable to host confusion via percent-encoded authority delimiters - https://github.com/advisories/GHSA-v39h-62p7-jpjc
fix available via `npm audit fix`
node_modules/fast-uri

picomatch  <=2.3.1
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/micromatch/node_modules/picomatch

postcss  <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss

svelte  <=5.55.6
Severity: moderate
Svelte SSR vulnerable to cross-site scripting via spread attributes - https://github.com/advisories/GHSA-pr6f-5x2q-rwfp
Svelte: SSR XSS via Insecure Promise Serialization in hydratable - https://github.com/advisories/GHSA-f3cj-j4f6-wq85
Svelte Vulnerable to XSS via DOM Clobbering of Internal Framework State - https://github.com/advisories/GHSA-rcqx-6q8c-2c42
Svelte: ReDoS in `<svelte:element>` Tag Validation - https://github.com/advisories/GHSA-9rmh-mm8f-r9h6
fix available via `npm audit fix`
node_modules/svelte

vite  8.0.0 - 8.0.4
Severity: high
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - https://github.com/advisories/GHSA-4w7w-66w2-5vf9
Vite: `server.fs.deny` bypassed with queries - https://github.com/advisories/GHSA-v2wj-q39q-566r
Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - https://github.com/advisories/GHSA-p9ff-h696-f583
fix available via `npm audit fix`
node_modules/vite

yaml  1.0.0 - 1.10.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - https://github.com/advisories/GHSA-48c2-rrv3-qjmp
fix available via `npm audit fix`
node_modules/postcss-load-config/node_modules/yaml

11 vulnerabilities (6 moderate, 5 high)

@peterpeterparker peterpeterparker merged commit defe78c into main Jun 1, 2026
28 checks passed
@peterpeterparker peterpeterparker deleted the build/bump-dev branch June 1, 2026 18:28