Skip to content

fix(deps): patch vitest, @babel/core, and esbuild advisories in the lockfile#428

Merged
OBenner merged 1 commit into
developfrom
chore/dep-bumps
Jul 17, 2026
Merged

fix(deps): patch vitest, @babel/core, and esbuild advisories in the lockfile#428
OBenner merged 1 commit into
developfrom
chore/dep-bumps

Conversation

@OBenner

@OBenner OBenner commented Jul 17, 2026

Copy link
Copy Markdown
Owner

Second of three PRs from the security-dashboard triage (after #426). Lockfile-only; no manifest changes.

Fixed (3 of 5 Dependabot alerts)

Advisory Package Change Sev
GHSA-5xrq-8626-4rwp vitest (apps/web-frontend) 3.2.4 → 3.2.7 🔴 critical
GHSA-4x5r-pxfx-6jf8 @babel/core 7.29.0 → 7.29.7 🟡 low
GHSA-g7r4-m6w7-qqqr esbuild (under vite) 0.27.7 → 0.28.1 🟡 low

All within existing semver ranges, refreshed from develop's lockfile baseline via npm update --package-lock-only.

No change needed: the root esbuild@0.25.12 is outside the advisory's vulnerable range (>=0.27.3, <0.28.1) — Dependabot's alert points at the nested vite/node_modules/esbuild, which is the one bumped.

Hoisting shape is preserved

This repo's CI (.github/actions/setup-node-frontend) deletes apps/frontend/node_modules and symlinks it to root, so any bump that forces nesting there breaks the build. I diffed the resolved tree against the baseline: 1349 entries, one difference@vitest/mocker moves a level deeper inside web-frontend's already-nested vitest. apps/frontend/node_modules stays empty and root stays hoisted, exactly as on develop.

Not fixed: vitest@4.0.18 at the root (apps/frontend) — needs a follow-up

The remaining critical can't be patched safely here, and the reason is a latent inconsistency in apps/web-frontend/package.json:

"vitest": "^3.1.4",             // v3
"@vitest/coverage-v8": "^4.0.18" // v4  <- mismatched major

@vitest/coverage-v8@4.0.18 declares an exact peer vitest@4.0.18. Today npm hoists coverage-v8@4 to the root, where it peers against apps/frontend's vitest@4.0.18, while web-frontend gets a nested vitest@3. So web-frontend's coverage tooling is effectively peered to the other workspace's vitest — and that hoisted 4.0.18 is pinned in place, which is what blocks the 4.1.x bump.

I tried each way through and every one changes the hoisting shape to nested (i.e. breaks CI):

Attempt Result
Bump apps/frontend's range only vitest 4.1.10 nested under apps/frontend; root stays 4.0.18
Align web-frontend's coverage-v8 to ^3.2.7 both workspaces nested; no root vitest at all
Align both workspaces on vitest 4.1.10 both still nested

Fixing it properly means resolving the web-frontend mismatch — either aligning its coverage-v8 to v3, or migrating it from vitest v3 → v4 — and then verifying the tree still hoists and its suite still passes. That's a dependency change with real CI risk, not a lockfile patch, so it deserves its own PR rather than riding along here.

The exposure in the meantime is limited: vitest is a dev dependency, and the advisory requires the Vitest UI server to be listening (--ui), which neither CI nor a normal vitest run starts.

Also out of scope: .design-system/pnpm-lock.yaml's esbuild (low, #109). That directory is a standalone pnpm project — not in the npm workspaces (apps/*, libs/*) and not referenced by any workflow.

🤖 Generated with Claude Code

…ockfile

Lockfile-only refresh from develop's baseline, within the existing semver
ranges. No package.json manifest changes, and the hoisting shape is unchanged
(apps/frontend/node_modules stays empty), so the setup-node-frontend symlink
step is unaffected.

- vitest 3.2.4 -> 3.2.7 (apps/web-frontend)  GHSA-5xrq-8626-4rwp, critical
- @babel/core 7.29.0 -> 7.29.7               GHSA-4x5r-pxfx-6jf8, low
- esbuild 0.27.7 -> 0.28.1 (under vite)      GHSA-g7r4-m6w7-qqqr, low

The root esbuild 0.25.12 is outside the advisory's vulnerable range
(>=0.27.3, <0.28.1) and needs no change.

Not fixed here: vitest 4.0.18 at the root (apps/frontend). See the PR body.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
@cursor

cursor Bot commented Jul 17, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@github-actions github-actions Bot added bug Something isn't working size/M labels Jul 17, 2026
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 14074682-4beb-4922-9add-985bc3209c2b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/dep-bumps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@OBenner
OBenner merged commit 78775d5 into develop Jul 17, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size/M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant