chore(deps): patch dev vulnerabilities + drop stale npm lockfile #4
Merged
Triage of 27 Dependabot alerts on main:
- 21 alerts originated from package-lock.json, a stale npm lockfile
left over from a pre-pnpm setup. The project's source of truth is
pnpm-lock.yaml (CLAUDE.md mandates pnpm, pnpm-workspace.yaml is
present). Deleting package-lock.json eliminates these phantom alerts
without changing the actual dependency tree.
- 6 alerts in pnpm-lock.yaml are real but all in devDependencies:
vite, postcss, rollup, picomatch. Zero runtime exposure — the only
runtime dep is lit, which has no alerts. Consumers of the published
npm package are unaffected.
Fixes:
- vite 7.3.1 → 7.3.3 (patches 3 alerts: WebSocket file read, path
traversal in .map handling, server.fs.deny bypass)
- postcss → ^8.5.10 via pnpm.overrides (XSS via unescaped </style>)
- rollup → ^4.59.0 via pnpm.overrides (arbitrary file write)
- picomatch → ^4.0.4 via pnpm.overrides (method injection in glob)
The pnpm.overrides block forces patched versions of transitive deps
whose parents (vite, rollup) haven't yet bumped their constraints.
Adds package-lock.json and yarn.lock to .gitignore so a stray
`npm install` won't regenerate the stale lockfile and resurrect
the alerts.
Build verified clean. Bundle output is byte-identical to v0.6.4.
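As an added example (not code from this PR or the project), the two checks the description relies on, written as a small Node script: that each `pnpm.overrides` entry sits at or above the patched floor named above, and that only `pnpm-lock.yaml` is committed while `package-lock.json` and `yarn.lock` are ignored. The sample `package.json` object and file lists are constructed; the version floors are the ones given in the PR.

```javascript
// Added example, not part of the PR. Audits a package.json's pnpm.overrides
// against patched version floors and checks lockfile hygiene for a pnpm repo.

// Parse a range such as "^8.5.10" or ">=4.0.4" into its numeric floor.
function floorOf(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  if (!m) throw new Error(`cannot parse range: ${range}`);
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Report overrides that are missing or whose floor is below the patched version.
function auditOverrides(pkg, patched) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const problems = [];
  for (const [name, minimum] of Object.entries(patched)) {
    if (!(name in overrides)) { problems.push(`${name}: no override`); continue; }
    if (cmp(floorOf(overrides[name]), floorOf(minimum)) < 0)
      problems.push(`${name}: ${overrides[name]} is below ${minimum}`);
  }
  return problems;
}

// Only pnpm-lock.yaml may be committed; npm/yarn lockfiles must be absent and ignored,
// otherwise a stray `npm install` reintroduces a lockfile Dependabot will scan.
function auditLockfiles(trackedFiles, gitignoreLines) {
  const problems = [];
  for (const f of ["package-lock.json", "yarn.lock"]) {
    if (trackedFiles.includes(f)) problems.push(`${f} is committed`);
    if (!gitignoreLines.includes(f)) problems.push(`${f} not in .gitignore`);
  }
  if (!trackedFiles.includes("pnpm-lock.yaml")) problems.push("pnpm-lock.yaml missing");
  return problems;
}

// Patched floors from the PR; the sample package.json is constructed and deliberately
// leaves rollup one minor version short so the audit has something to flag.
const PATCHED = { postcss: "8.5.10", rollup: "4.59.0", picomatch: "4.0.4" };
const samplePkg = {
  devDependencies: { vite: "^7.3.3" },
  pnpm: { overrides: { postcss: "^8.5.10", rollup: "^4.58.0", picomatch: "^4.0.4" } },
};
console.log(auditOverrides(samplePkg, PATCHED));
console.log(auditLockfiles(["pnpm-lock.yaml", "package.json"], ["package-lock.json", "yarn.lock"]));
```

In a real repo, feed it `JSON.parse(fs.readFileSync("package.json"))`, the output of `git ls-files`, and the lines of `.gitignore`; a non-empty result from either function is a CI failure.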
Pull request overview
This PR performs dependency hygiene to clear Dependabot alerts by removing an obsolete package-lock.json, bumping vite, and enforcing patched transitive versions via pnpm.overrides, without changing runtime/source behavior of the published package.
Changes:
- Removed stale package-lock.json and added package-lock.json/yarn.lock to .gitignore to prevent reintroduction.
- Bumped devDependency vite from ^7.3.1 to ^7.3.3.
- Added pnpm.overrides to force patched transitive versions of postcss, rollup, and picomatch, and recorded the corresponding overrides in pnpm-lock.yaml.
Reviewed changes
Copilot reviewed 1 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-lock.yaml | Records the resolved dependency graph with the new Vite version and override-enforced transitive versions. |
| package.json | Updates Vite and adds pnpm.overrides to force patched transitive dependency versions. |
| package-lock.json | Removes the stale npm lockfile to eliminate non-canonical lockfile alerts in a pnpm-managed repo. |
| .gitignore | Prevents package-lock.json/yarn.lock from being reintroduced accidentally. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
LockeAG added a commit that referenced this pull request on May 14, 2026:
This branch was cut from feat/gpt-modernization-phase-0-2 before #4 merged to main, so it still carried the stale package-lock.json that #4 deleted. Mirror that change here so the rebase onto main at merge time is conflict-free, and so this branch is correctly published from under pnpm only. Adds package-lock.json and yarn.lock to .gitignore — block accidental regeneration if someone runs `npm install` against the source tree.
Summary
Triages all 27 open Dependabot alerts. Zero runtime exposure — every alert is in a devDependency. Consumers of the published npm package (forbes.do, fortunaypoder.com, external community) are unaffected by any of these vulns.
Triage
- package-lock.json: pnpm-workspace.yaml present). Deleting eliminates 21 phantom alerts.
- pnpm-lock.yaml
Removed
- package-lock.json — stale, never regenerated since pnpm became canonical
- package-lock.json + yarn.lock to .gitignore so a stray `npm install` doesn't resurrect it
Bumped
- vite ^7.3.1 → ^7.3.3
  - .map (medium)
  - server.fs.deny bypassed with queries (high)
Forced via pnpm.overrides
Transitive deps whose parent packages haven't yet bumped constraints:
- postcss → ^8.5.10 — XSS via unescaped </style> (medium)
- rollup → ^4.59.0 — arbitrary file write via path traversal (high)
- picomatch → ^4.0.4 — method injection in POSIX char classes (medium)
Verification
- `pnpm install` clean, no warnings
- `pnpm build` produces byte-identical output to v0.6.4 (74.60 kB raw / 19.26 kB gzip)
- dist/ unchanged
What's NOT addressed
None. All 27 alerts are accounted for: 21 deleted as stale, 6 patched.
Release plan
`chore` commit — no version bump needed. Once merged, Dependabot rescan should clear all 27 alerts within ~10 min.
Coordination with PR #3
This is independent of PR #3 (GPT modernization). Either order works: