Context
PR #359 is a superseded broad Dependabot npm_and_yarn batch and is not the canonical PostCSS remediation route. PR #360 / issue #355 are the narrow PostCSS route.
This issue splits out the runtime/HTTP residual dependency advisories from #359 so they can be remediated from current main without merging or broadening #359.
Scope
From current main, remediate only the runtime/HTTP package advisories represented in #359:
hono 4.12.5 -> patched floor at least 4.12.18
@hono/node-server 1.19.11 -> patched floor at least 1.19.13, or 2.0.2 only if the major bump is validated
express-rate-limit 8.2.1 -> patched floor at least 8.2.2
axios 1.13.6 -> patched floor at least 1.15.2 / 1.16.1
follow-redirects 1.15.11 -> patched floor at least 1.16.0
fast-uri 3.1.0 -> patched floor at least 3.1.2
ip-address 10.0.1 -> patched floor at least 10.1.1 / 10.2.0
Non-goals
Evidence
pnpm audit --json --audit-level moderate on current main reported advisories for these packages, including high severity entries for express-rate-limit, axios, and fast-uri, and moderate entries for hono, @hono/node-server, follow-redirects, and ip-address.
Acceptance criteria
- Branch starts from current origin/main.
- PR body links this issue using an accepted keyword (Closes #..., Fixes #..., or Related to #...).
- Diff stays limited to dependency manifests/lockfile unless a compatibility fix is required and explained.
- pnpm audit --json --audit-level moderate no longer reports the scoped advisories above, or any remaining advisory is documented as outside this issue's scope.
- Required repo gates are run or explicitly escalated with exact blocker evidence:
  - pnpm -F @vllnt/ui lint
  - pnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.json
  - pnpm build
  - pnpm test:once
- No direct main edits, no force-push, no merge/release.