Context
PR #359 is a superseded broad Dependabot npm_and_yarn batch and is not the canonical PostCSS remediation route. PR #360 / issue #355 are the narrow PostCSS route.
This issue splits out the build-tool/glob residual dependency advisories from #359 so they can be remediated from current main without merging or broadening #359.
Scope
From current main, remediate only these build-tool/glob package advisories represented in #359:
vite 6.4.1 and 7.3.1 lockfile entries -> patched floors at least 6.4.2 and 7.3.2 / 7.3.3 as applicablepicomatch 2.3.1 and 4.0.3 lockfile entries -> patched floors at least 2.3.2 and 4.0.4 as applicablebrace-expansion 1.1.12 and 5.0.4 lockfile entries -> patched floors at least 1.1.13 and 5.0.5 / 5.0.6 as applicable
Non-goals
Evidence
pnpm audit --json --audit-level moderate on current main reported:
vite moderate/high advisories patched by >=6.4.2 / >=7.3.2.picomatch moderate/high advisories patched by >=2.3.2 / >=4.0.4.brace-expansion moderate advisories patched by >=1.1.13 / >=5.0.5.
Acceptance criteria
- Branch starts from current
origin/main.
- PR body links this issue using an accepted keyword (
Closes #..., Fixes #..., or Related to #...).
- Diff stays limited to dependency manifests/lockfile unless a compatibility fix is required and explained.
pnpm audit --json --audit-level moderate no longer reports the scoped Vite/picomatch/brace-expansion advisories, or any remaining advisory is documented as outside this issue's scope.- Required repo gates are run or explicitly escalated with exact blocker evidence:
pnpm -F @vllnt/ui lintpnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.jsonpnpm buildpnpm test:once
- No direct
main edits, no force-push, no merge/release.
Context
PR #359 is a superseded broad Dependabot
npm_and_yarnbatch and is not the canonical PostCSS remediation route. PR #360 / issue #355 are the narrow PostCSS route.This issue splits out the build-tool/glob residual dependency advisories from #359 so they can be remediated from current
mainwithout merging or broadening #359.Scope
From current
main, remediate only these build-tool/glob package advisories represented in #359:vite6.4.1 and 7.3.1 lockfile entries -> patched floors at least 6.4.2 and 7.3.2 / 7.3.3 as applicablepicomatch2.3.1 and 4.0.3 lockfile entries -> patched floors at least 2.3.2 and 4.0.4 as applicablebrace-expansion1.1.12 and 5.0.4 lockfile entries -> patched floors at least 1.1.13 and 5.0.5 / 5.0.6 as applicableNon-goals
Evidence
pnpm audit --json --audit-level moderateon currentmainreported:vitemoderate/high advisories patched by>=6.4.2/>=7.3.2.picomatchmoderate/high advisories patched by>=2.3.2/>=4.0.4.brace-expansionmoderate advisories patched by>=1.1.13/>=5.0.5.Acceptance criteria
origin/main.Closes #...,Fixes #..., orRelated to #...).pnpm audit --json --audit-level moderateno longer reports the scoped Vite/picomatch/brace-expansion advisories, or any remaining advisory is documented as outside this issue's scope.pnpm -F @vllnt/ui lintpnpm -F @vllnt/ui exec tsc --noEmit --project tsconfig.build.jsonpnpm buildpnpm test:oncemainedits, no force-push, no merge/release.