
fix(deps): fix vulnerabilities in rollup, minimatch & serialize-javascript#70

Merged
timoa merged 1 commit into main from fix/deps-vulnerabilities
Mar 2, 2026

Conversation

@timoa
Owner

@timoa timoa commented Mar 2, 2026

Description

All 10 high-severity vulnerabilities are resolved. The remaining 1 moderate vulnerability is below the --audit-level=high threshold (exit code 0 confirms no high/critical issues).

Here's a summary of what was done in package.json:

  • "rollup": ">=4.59.0" — fixes the Arbitrary File Write via Path Traversal vulnerability (vite > rollup)
  • "minimatch": ">=10.2.3" — covers all minimatch ReDoS vulnerabilities across all dependency paths (@vscode/vsce, glob, typescript-eslint)
  • "serialize-javascript": ">=7.0.3" — fixes the RCE vulnerability (webpack > terser-webpack-plugin > serialize-javascript)

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that changes existing behaviour)
  • Documentation update
  • Refactor/code quality improvement
  • Dependency update

Checklist

Code quality

  • My commit messages follow Conventional Commits (e.g. feat:, fix:, docs:, chore:)
  • I have not introduced any TypeScript types without justification
  • I have not left debug code, console.log, or commented-out blocks

Testing

  • I have tested the changes locally by pressing F5 in VSCode to launch the Extension Development Host
  • I have run pnpm test, and all tests pass
  • I have run pnpm lint, and there are no lint errors
  • I have added or updated tests to cover my changes (if applicable)

Build & compatibility

  • I have run pnpm run compile and pnpm run webpack without errors
  • The extension works in VSCode (and ideally Cursor/Windsurf)

Documentation

  • I have updated the README.md if my change adds a new feature, keyboard shortcut, or changes existing behaviour
  • I have updated or added JSDoc comments for non-obvious logic (if applicable)

Screenshots/recordings

Summary by CodeRabbit

  • Chores
    • Updated package dependencies to enforce consistent minimum versions for build tools and utilities, improving stability and security.

@timoa timoa self-assigned this Mar 2, 2026
@github-actions

github-actions bot commented Mar 2, 2026

🩺 React Doctor

react-doctor v0.0.29

✔ Select projects to scan › workflow-visual-editor
No feature branch or uncommitted changes detected. Running full scan.

Scanning /home/runner/work/workflow-editor/workflow-editor...

  ⚠ Array index "idx" used as key — causes bugs when list is reordered or filtered (12)
    Use a stable unique identifier: `key={item.id}` or `key={item.slug}` — index keys break on reorder/filter
    src/components/TriggerNode.tsx: 26
    src/components/JobPropertyPanel.tsx: 885
    src/components/SourceCodeDialog.tsx: 206
    src/webview/App.tsx: 649
    src/components/TriggerPropertyPanel.tsx: 144
    src/components/TriggerBadge.tsx: 64
    src/webview/components/SourceCodeDialog.tsx: 220
    src/webview/components/TriggerNode.tsx: 26
    src/webview/components/TriggerPropertyPanel.tsx: 144
    src/webview/components/JobPropertyPanel.tsx: 885
    src/webview/components/TriggerBadge.tsx: 64
    src/App.tsx: 632

  ⚠ Enforce a clickable non-interactive element has at least one keyboard event listener. (20)
    Visible, non-interactive elements with click handlers must have one of `keyup`, `keydown`, or `keypress` listener.
    src/components/PasteYamlDialog.tsx: 21, 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/SourceCodeDialog.tsx: 146, 153
    src/components/ConfirmDialog.tsx: 30, 37
    src/components/RunScriptDialog.tsx: 111, 118
    src/webview/App.tsx: 533
    src/webview/components/SourceCodeDialog.tsx: 160, 167
    src/webview/components/ConfirmDialog.tsx: 30, 37
    src/webview/components/PasteYamlDialog.tsx: 21, 28
    src/webview/components/RunScriptDialog.tsx: 123, 130
    src/webview/components/JobPropertyPanel.tsx: 1017
    src/App.tsx: 489

  ⚠ Static HTML elements with event handlers require a role. (10)
    Add a role attribute to this element, or use a semantic HTML element instead.
    src/components/PasteYamlDialog.tsx: 28
    src/components/JobPropertyPanel.tsx: 1017
    src/components/SourceCodeDialog.tsx: 153
    src/components/ConfirmDialog.tsx: 37
    src/components/RunScriptDialog.tsx: 118
    src/webview/components/SourceCodeDialog.tsx: 167
    src/webview/components/ConfirmDialog.tsx: 37
    src/webview/components/PasteYamlDialog.tsx: 28
    src/webview/components/RunScriptDialog.tsx: 130
    src/webview/components/JobPropertyPanel.tsx: 1017

  ⚠ A form label must be associated with a control. (45)
    Either give the label a `htmlFor` attribute with the id of the associated control, or wrap the label around the control.
    src/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915
    src/components/WorkflowPropertyPanel.tsx: 71, 81, 92
    src/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414
    src/webview/components/WorkflowPropertyPanel.tsx: 71, 81, 92
    src/webview/components/TriggerPropertyPanel.tsx: 130, 158, 175, 219, 263, 325, 369, 414, 432
    src/webview/components/JobPropertyPanel.tsx: 200, 212, 219, 277, 359, 401, 426, 494, 851, 874, 915

  ⚠ Component "JobPropertyPanel" is 1016 lines — consider breaking it into smaller focused components (6)
    Extract logical sections into focused components: `<UserHeader />`, `<UserActions />`, etc.
    src/components/JobPropertyPanel.tsx: 40
    src/webview/App.tsx: 56
    src/components/TriggerPropertyPanel.tsx: 48
    src/webview/components/TriggerPropertyPanel.tsx: 48
    src/webview/components/JobPropertyPanel.tsx: 40
    src/App.tsx: 56

  ⚠ 3 setState calls in a single useEffect — consider using useReducer or deriving state (3)
    Combine into useReducer: `const [state, dispatch] = useReducer(reducer, initialState)`
    src/components/JobPropertyPanel.tsx: 139
    src/webview/App.tsx: 105
    src/webview/components/JobPropertyPanel.tsx: 139

  ⚠ "@codemirror/view" is a heavy library — use React.lazy() or next/dynamic for code splitting (8)
    Use `const Component = dynamic(() => import('library'), { ssr: false })` from next/dynamic or React.lazy()
    src/components/SourceCodeDialog.tsx: 2, 3
    src/components/RunScriptDialog.tsx: 2, 3
    src/webview/components/SourceCodeDialog.tsx: 2, 3
    src/webview/components/RunScriptDialog.tsx: 2, 3

  ⚠ Component "AppInner" has 13 useState calls — consider useReducer for related state (2)
    Group related state: `const [state, dispatch] = useReducer(reducer, { field1, field2, ... })`
    src/webview/App.tsx: 56
    src/App.tsx: 56

  React Doctor (www.react.doctor)
  94 / 100  Great
  ⚠ 106 warnings  across 20/64 files  in 709ms

  Full diagnostics written to /tmp/react-doctor-df3ab4b2-8273-4e41-8fea-428b40d8fc7d

  Share your results: https://www.react.doctor/share?p=workflow-visual-editor&s=94&w=106&f=20

@codecov

codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.68%. Comparing base (cba1fa5) to head (03395f0).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #70   +/-   ##
=======================================
  Coverage   93.68%   93.68%           
=======================================
  Files           8        8           
  Lines         269      269           
  Branches      101      101           
=======================================
  Hits          252      252           
  Misses          1        1           
  Partials       16       16           


@coderabbitai

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cba1fa5 and 03395f0.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The pnpm.overrides configuration is updated to include three new dependency version constraints: rollup, minimatch, and serialize-javascript, while preserving the existing qs override with improved formatting.

Changes

Cohort / File(s): pnpm.overrides Configuration (package.json)
Summary: Added three new dependency overrides (rollup >=4.59.0, minimatch >=10.2.3, serialize-javascript >=7.0.3) and applied trailing comma formatting to existing qs entry.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

bug

Poem

🐰 Hop, hop, dependencies fall in line,
Rollup, minimatch, serialize divine,
Version pinned with care and grace,
Overrides set in their rightful place!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: ✅ Passed. The title clearly and specifically summarizes the main change: fixing vulnerabilities in three dependencies (rollup, minimatch, and serialize-javascript).
Description check: ✅ Passed. The description covers all required template sections including a detailed explanation of changes, the correct type of change selected (Dependency update), and all checklist items completed or appropriately marked.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

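The three overrides listed in the PR description and in CodeRabbit's walkthrough, written out as the package.json fragment they live in. This is an added illustration, not the repository's actual package.json: the `pnpm.overrides` key and the three constraints come from this page, and the existing `qs` entry the walkthrough mentions is left out because its value is not given here.

```json
{
  "pnpm": {
    "overrides": {
      "rollup": ">=4.59.0",
      "minimatch": ">=10.2.3",
      "serialize-javascript": ">=7.0.3"
    }
  }
}
```

A pnpm override applies to every occurrence of the package in the dependency graph, including transitive ones, which is why a single `minimatch` entry covers the `@vscode/vsce`, `glob` and `typescript-eslint` paths and a single `serialize-javascript` entry reaches `webpack > terser-webpack-plugin > serialize-javascript`. After editing, run `pnpm install` so the lockfile is regenerated, then re-run the audit with the `--audit-level=high` threshold the description cites; exit code 0 means nothing at or above high remains, while moderate findings (like the one left here) are still reported. Note that a `>=` floor only guarantees a minimum: future installs may resolve to newer releases, so the lockfile, not the override, is what fixes the exact version that ships.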

@timoa timoa merged commit 2538de2 into main Mar 2, 2026
8 checks passed
@timoa timoa deleted the fix/deps-vulnerabilities branch March 2, 2026 07:55
@coderabbitai coderabbitai bot mentioned this pull request Mar 2, 2026
17 tasks
@timoa-bot

timoa-bot bot commented Mar 2, 2026

🎉 This PR is included in version 1.2.34 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
