fix(deps): patch vitest, @babel/core, and esbuild advisories in the lockfile#428
Conversation
…ockfile Lockfile-only refresh from develop's baseline, within the existing semver ranges. No package.json manifest changes, and the hoisting shape is unchanged (apps/frontend/node_modules stays empty), so the setup-node-frontend symlink step is unaffected. - vitest 3.2.4 -> 3.2.7 (apps/web-frontend) GHSA-5xrq-8626-4rwp, critical - @babel/core 7.29.0 -> 7.29.7 GHSA-4x5r-pxfx-6jf8, low - esbuild 0.27.7 -> 0.28.1 (under vite) GHSA-g7r4-m6w7-qqqr, low The root esbuild 0.25.12 is outside the advisory's vulnerable range (>=0.27.3, <0.28.1) and needs no change. Not fixed here: vitest 4.0.18 at the root (apps/frontend). See the PR body. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (1)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|



Second of three PRs from the security-dashboard triage (after #426). Lockfile-only; no manifest changes.
Fixed (3 of 5 Dependabot alerts)
vitest(apps/web-frontend)@babel/coreesbuild(undervite)All within existing semver ranges, refreshed from
develop's lockfile baseline vianpm update --package-lock-only.No change needed: the root
esbuild@0.25.12is outside the advisory's vulnerable range (>=0.27.3, <0.28.1) — Dependabot's alert points at the nestedvite/node_modules/esbuild, which is the one bumped.Hoisting shape is preserved
This repo's CI (
.github/actions/setup-node-frontend) deletesapps/frontend/node_modulesand symlinks it to root, so any bump that forces nesting there breaks the build. I diffed the resolved tree against the baseline: 1349 entries, one difference —@vitest/mockermoves a level deeper inside web-frontend's already-nested vitest.apps/frontend/node_modulesstays empty and root stays hoisted, exactly as ondevelop.Not fixed:
vitest@4.0.18at the root (apps/frontend) — needs a follow-upThe remaining critical can't be patched safely here, and the reason is a latent inconsistency in
apps/web-frontend/package.json:@vitest/coverage-v8@4.0.18declares an exact peervitest@4.0.18. Today npm hoists coverage-v8@4 to the root, where it peers against apps/frontend's vitest@4.0.18, while web-frontend gets a nested vitest@3. So web-frontend's coverage tooling is effectively peered to the other workspace's vitest — and that hoisted 4.0.18 is pinned in place, which is what blocks the 4.1.x bump.I tried each way through and every one changes the hoisting shape to nested (i.e. breaks CI):
^3.2.7Fixing it properly means resolving the web-frontend mismatch — either aligning its coverage-v8 to v3, or migrating it from vitest v3 → v4 — and then verifying the tree still hoists and its suite still passes. That's a dependency change with real CI risk, not a lockfile patch, so it deserves its own PR rather than riding along here.
The exposure in the meantime is limited: vitest is a dev dependency, and the advisory requires the Vitest UI server to be listening (
--ui), which neither CI nor a normalvitest runstarts.Also out of scope:
.design-system/pnpm-lock.yaml's esbuild (low, #109). That directory is a standalone pnpm project — not in the npm workspaces (apps/*,libs/*) and not referenced by any workflow.🤖 Generated with Claude Code