Fix Dependabot security alerts#56

Merged
slashdevcorpse merged 1 commit into main from security/fix-dependabot-alerts on May 31, 2026
Conversation

@slashdevcorpse
Owner

@slashdevcorpse slashdevcorpse commented May 31, 2026

Summary:

  • Upgrades the direct dependency surface for Vite, TanStack Start/Router, Tailwind/Vite tooling, Nitro nightly, Wrangler, and ws.
  • Adds pnpm overrides for vulnerable transitive ranges that remain in the lockfile graph: ajv, brace-expansion, flatted, h3, minimatch, picomatch, postcss, rollup, srvx, undici, ws, and TanStack server core.
  • Regenerates pnpm-lock.yaml so the dependency graph resolves outside the 38 GitHub Dependabot alert ranges.

Validation:

  • pnpm -C apps/codex-claw test
  • pnpm -C apps/codex-claw build
  • pnpm -C apps/landing build
  • pnpm pack:codex-claw
  • pnpm audit --audit-level low
  • git diff --check

Alert tracking:
Closes #18
Closes #19
Closes #20
Closes #21
Closes #22
Closes #23
Closes #24
Closes #25
Closes #26
Closes #27
Closes #28
Closes #29
Closes #30
Closes #31
Closes #32
Closes #33
Closes #34
Closes #35
Closes #36
Closes #37
Closes #38
Closes #39
Closes #40
Closes #41
Closes #42
Closes #43
Closes #44
Closes #45
Closes #46
Closes #47
Closes #48
Closes #49
Closes #50
Closes #51
Closes #52
Closes #53
Closes #54
Closes #55


Summary by cubic

Fixes all current Dependabot security alerts by upgrading and pinning dependencies across apps/codex-claw and apps/landing. Regenerates pnpm-lock.yaml and adds pnpm overrides to force patched versions of vulnerable transitives.

  • Dependencies
    • Upgrade vite to ^7.3.3; @tailwindcss/vite and tailwindcss to ^4.3.0.
    • Upgrade TanStack packages (@tanstack/react-router, @tanstack/react-start, @tanstack/router-plugin, @tanstack/react-router-ssr-query, @tanstack/react-router-devtools) to ^1.167+.
    • Pin nitro nightly to 3.0.1-20260529-064703-255b254f.
    • Upgrade wrangler to ^4.95.0 and ws to ^8.21.0.
    • Add pnpm overrides for vulnerable ranges: @tanstack/start-server-core, ajv, brace-expansion, flatted, h3, minimatch, picomatch, postcss, rollup, srvx, undici, ws.

Written for commit ac80a28. Summary will update on new commits.

Review in cubic
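The PR closes the alerts by upgrading direct dependencies and adding pnpm overrides, then regenerating pnpm-lock.yaml. A reviewer would want a mechanical check that the regenerated lockfile really contains no resolution inside the affected ranges, since an override that is spelled wrong or shadowed still leaves the old version in the graph. The script below is an added example for this page, not code from the PR or the repository: it scans the `packages:` section of a pnpm lockfile (v6 `/name@version` or v9 `name@version` keys, the lockfile layout is an assumption) and reports every resolved version that falls below a minimum. The sample lockfile and the minimum versions in `MINIMUMS` are constructed placeholders; the real thresholds come from the advisories behind each Dependabot alert.

```javascript
// Added example: verify that every version of a watched package resolved in a
// pnpm-lock.yaml meets a minimum, so pnpm overrides meant to close an advisory
// range can be checked in CI instead of trusted.
// Assumptions (not from the PR): pnpm lockfile v6/v9 layout where entries under
// `packages:` look like `name@version:` (v9, scoped names quoted) or
// `/name@version(peer@x.y.z):` (v6). Minimum versions are placeholders.

// Parse "major.minor.patch[-prerelease]" into a comparable record.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts before its release
// (8.21.0-beta.1 < 8.21.0), which matters when a nightly build is pinned.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Collect {name, version} for each entry under the top-level `packages:` key.
// Nested keys (resolution:, dependencies:, ...) are indented deeper and skipped.
function lockfilePackages(lockText) {
  const entries = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level section
    if (!inPackages) continue;
    const m = /^  '?\/?((?:@[^/\s']+\/)?[^@\s']+)@(\d[^\s(':]*)/.exec(line);
    if (m) entries.push({ name: m[1], version: m[2] });
  }
  return entries;
}

// Return every resolution of a watched package that is below its minimum.
// An unparseable version is reported too: silently skipping it would hide a
// pin such as a git URL that the override did not reach.
function findBelowMinimum(lockText, minimums) {
  const findings = [];
  for (const { name, version } of lockfilePackages(lockText)) {
    if (!Object.prototype.hasOwnProperty.call(minimums, name)) continue;
    const have = parseSemver(version);
    const want = parseSemver(minimums[name]);
    if (!have || !want) {
      findings.push({ name, version, minimum: minimums[name], reason: 'unparseable' });
    } else if (compareSemver(have, want) < 0) {
      findings.push({ name, version, minimum: minimums[name], reason: 'below minimum' });
    }
  }
  return findings;
}

// Constructed sample lockfile (not the repository's): one stale minimatch
// resolution survives next to a patched one, which is the case overrides miss.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

settings:
  autoInstallPeers: true

overrides:
  ws: '>=8.21.0'

importers:

  .:
    dependencies:
      ws:
        specifier: ^8.21.0
        version: 8.21.0

packages:

  '@tanstack/start-server-core@1.167.2':
    resolution: {integrity: sha512-constructed}

  minimatch@3.0.4:
    resolution: {integrity: sha512-constructed}

  minimatch@9.0.5:
    resolution: {integrity: sha512-constructed}

  ws@8.21.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  ws@8.21.0: {}
`;

// Placeholder thresholds; substitute the patched versions from each advisory.
const MINIMUMS = {
  ws: '8.21.0',
  minimatch: '3.1.0',
  '@tanstack/start-server-core': '1.167.0',
};

for (const f of findBelowMinimum(SAMPLE_LOCK, MINIMUMS)) {
  console.log(`${f.name}@${f.version} ${f.reason} (minimum ${f.minimum})`);
}
```

In a real pipeline the lockfile text would be read from `pnpm-lock.yaml` and a non-empty findings list would fail the job; `pnpm audit` covers the same ground for known advisories, but this check also catches a package that the override list names but the regenerated graph did not actually move.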

Copilot AI review requested due to automatic review settings May 31, 2026 06:05

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 4 files

@slashdevcorpse slashdevcorpse merged commit 4631cfb into main May 31, 2026
2 of 3 checks passed
@slashdevcorpse slashdevcorpse deleted the security/fix-dependabot-alerts branch May 31, 2026 06:08

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

slashdevcorpse added a commit that referenced this pull request May 31, 2026