fix(deps): upgrade vite, add picomatch/svgo overrides for security#3279
Merged
rossnelson merged 1 commit intomainfrom Apr 8, 2026
Merged
fix(deps): upgrade vite, add picomatch/svgo overrides for security#3279rossnelson merged 1 commit intomainfrom
rossnelson merged 1 commit intomainfrom
Conversation
- vite: ^6.3.0 -> ^6.4.2 (CVE-2026-39363, CVE-2026-39365) - picomatch@>=2 <3: ^2.3.2 (CVE-2026-33671, CVE-2026-33672 — v2 range was not covered by previous override) - svgo@>=2 <3: ^2.8.2 (CVE-2026-29074 — fix exists in 2.8.1+ within same major) Resolves Dependabot alerts #235, #236, #221, #220, #209.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
temporal-cicd bot
pushed a commit
that referenced
this pull request
Apr 10, 2026
Auto-generated version bump from 2.48.1 to 2.48.2 Specific version: 2.48.2 Changes included: - [`92cd681e`](92cd681) Re-wire auth to use a provider pattern. Lots of tests remove cloud references (#3230) - [`3d92202b`](3d92202) Use --top-nav-height CSS variable for sticky element positioning (#3250) - [`16295986`](1629598) Bump saved view limits from 20 to 50 (#3254) - [`a9fa0e91`](a9fa0e9) Display cron string instead of calendar spec when schedule has a cron string in comment field (#3241) - [`f1811715`](f181171) use full for 100% instead of 100vh (#3256) - [`0dfadd74`](0dfadd7) Add samples-ruby to workflows table empty state (#3259) - [`d85d61a3`](d85d61a) Display human-readable schedule spec labels (#3261) - [`b63049c5`](b63049c) Add invite icon to Holocene design system (#3262) - [`00c6418c`](00c6418) Bump google.golang.org/grpc from 1.66.1 to 1.79.3 in /server (#3232) - [`b04a3676`](b04a367) Add back animation (#3251) - [`7b651524`](7b65152) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /server (#3268) - [`45f4fdea`](45f4fde) use snippets for nexus CTAs (#3266) - [`420f5c9d`](420f5c9) min-h-full instead of screen (#3270) - [`f5b2fab6`](f5b2fab) feat(navigation): add NavSection Holocene component (#3263) - [`657b2728`](657b272) Adds requested design changes to breadcrumb items (#3267) - [`6763cc4d`](6763cc4) Remove serena (#3273) - [`dfff353e`](dfff353) Display Principal fields in Event History (#3272) - [`2d289bce`](2d289bc) Update CODEOWNERS to wildcard for temporalio/frontend-engineering (#3275) - [`a2eaf16e`](a2eaf16) Persist workflow view and sort order preferences across navigation (#3260) - [`c5d4c996`](c5d4c99) Add link from Event Card to jump to event id page from Timeline. Remove unnecessary padding (#3277) - [`e5b3ea55`](e5b3ea5) fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269) - [`b44afbe6`](b44afbe) fix(deps): upgrade vite and add picomatch/svgo overrides for security (#3279) - [`4e8cb4e9`](4e8cb4e) Fix unpause confirmation modal title (#3280) - [`740b3529`](740b352) Add Slack notification when DESIGN FEEDBACK REQUESTED label is added to a PR (#3282) - [`7e8170e4`](7e8170e) Add check for COLLABORATOR (#3283) - [`dc27109d`](dc27109) fix: update nav item margin from mb-1 to mb-2 (#3290) - [`3e6416d2`](3e6416d) Pass execution runId in workflow request for schedule recent run (#3289) - [`ae3a1844`](ae3a184) Fix schedule edit double-encoding header fields (#3287) - [`09c083e0`](09c083e) fix: prevent reset modal from closing on authorization error (#3291) - [`0aa3b72b`](0aa3b72) Sort namespace picker alphabetically (#3286) - [`4c3d0057`](4c3d005) Sort alphabetically utility (#3293) - [`67a988b9`](67a988b) Bump @sveltejs/kit from 2.55.0 to 2.57.1 (#3294)
laurakwhit
added a commit
that referenced
this pull request
Apr 10, 2026
Auto-generated version bump from 2.48.1 to 2.48.2 Specific version: 2.48.2 Changes included: - [`92cd681e`](92cd681) Re-wire auth to use a provider pattern. Lots of tests remove cloud references (#3230) - [`3d92202b`](3d92202) Use --top-nav-height CSS variable for sticky element positioning (#3250) - [`16295986`](1629598) Bump saved view limits from 20 to 50 (#3254) - [`a9fa0e91`](a9fa0e9) Display cron string instead of calendar spec when schedule has a cron string in comment field (#3241) - [`f1811715`](f181171) use full for 100% instead of 100vh (#3256) - [`0dfadd74`](0dfadd7) Add samples-ruby to workflows table empty state (#3259) - [`d85d61a3`](d85d61a) Display human-readable schedule spec labels (#3261) - [`b63049c5`](b63049c) Add invite icon to Holocene design system (#3262) - [`00c6418c`](00c6418) Bump google.golang.org/grpc from 1.66.1 to 1.79.3 in /server (#3232) - [`b04a3676`](b04a367) Add back animation (#3251) - [`7b651524`](7b65152) Bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 in /server (#3268) - [`45f4fdea`](45f4fde) use snippets for nexus CTAs (#3266) - [`420f5c9d`](420f5c9) min-h-full instead of screen (#3270) - [`f5b2fab6`](f5b2fab) feat(navigation): add NavSection Holocene component (#3263) - [`657b2728`](657b272) Adds requested design changes to breadcrumb items (#3267) - [`6763cc4d`](6763cc4) Remove serena (#3273) - [`dfff353e`](dfff353) Display Principal fields in Event History (#3272) - [`2d289bce`](2d289bc) Update CODEOWNERS to wildcard for temporalio/frontend-engineering (#3275) - [`a2eaf16e`](a2eaf16) Persist workflow view and sort order preferences across navigation (#3260) - [`c5d4c996`](c5d4c99) Add link from Event Card to jump to event id page from Timeline. Remove unnecessary padding (#3277) - [`e5b3ea55`](e5b3ea5) fix(deps): upgrade lodash, svelte, kit, storybook, tar-fs for security (#3269) - [`b44afbe6`](b44afbe) fix(deps): upgrade vite and add picomatch/svgo overrides for security (#3279) - [`4e8cb4e9`](4e8cb4e) Fix unpause confirmation modal title (#3280) - [`740b3529`](740b352) Add Slack notification when DESIGN FEEDBACK REQUESTED label is added to a PR (#3282) - [`7e8170e4`](7e8170e) Add check for COLLABORATOR (#3283) - [`dc27109d`](dc27109) fix: update nav item margin from mb-1 to mb-2 (#3290) - [`3e6416d2`](3e6416d) Pass execution runId in workflow request for schedule recent run (#3289) - [`ae3a1844`](ae3a184) Fix schedule edit double-encoding header fields (#3287) - [`09c083e0`](09c083e) fix: prevent reset modal from closing on authorization error (#3291) - [`0aa3b72b`](0aa3b72) Sort namespace picker alphabetically (#3286) - [`4c3d0057`](4c3d005) Sort alphabetically utility (#3293) - [`67a988b9`](67a988b) Bump @sveltejs/kit from 2.55.0 to 2.57.1 (#3294) Co-authored-by: laurakwhit <15069288+laurakwhit@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves 5 of the 6 remaining open Dependabot security alerts.
Changes
^6.3.0→^6.4.2(direct devDep upgrade).maphandling^2.3.2(new pnpm override)micromatch) were not protected^2.8.2(new pnpm override)Not addressed (1 alert)
@tootallnate/once([Feature] Child Workflow event is not shown in compact view #210, CVSS 3.3) — deprecated package, no fix publishedTest plan
pnpm install— clean