From bfc4b4c0b0c1e476c74a86d2b3c1fb418269ad13 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 1 May 2026 13:26:19 +0000
Subject: [PATCH 1/2] Initial plan
From db759115699b036d7374addb1fecc1756f29efc5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 1 May 2026 13:29:10 +0000
Subject: [PATCH 2/2] chore: monthly dependency audit 2026-05 - fix vite and postcss vulnerabilities
Agent-Logs-Url: https://github.com/RahilKothari9/chimera/sessions/28569106-81cd-4267-ae52-1b9574a19b10
Co-authored-by: RahilKothari9 <110282686+RahilKothari9@users.noreply.github.com>
---
 README.md | 7 +++++++
 package-lock.json | 12 ++++++------
 public/README.md | 7 +++++++
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 30b0bc0..a649ec6 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,13 @@ This is the living history of Chimera's evolution. Each entry represents a day o
 ---
+### Day 64: 2026-05-01
+**Feature/Change**: Monthly Dependency Audit - 2026-05
+**Description**: Performed the monthly dependency security audit. Fixed 1 high severity vulnerability and 1 moderate severity vulnerability via `npm audit fix`. (1) vite 7.0.0–7.3.1 had three security issues: path traversal in optimized deps `.map` handling (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass with queries (GHSA-v2wj-q39q-566r), and arbitrary file read via dev server WebSocket (GHSA-p9ff-h696-f583) — updated from 7.2.x to 7.3.2. (2) postcss <8.5.10 had an XSS vulnerability via unescaped `` in CSS Stringify output (GHSA-qx2v-qp2m-jg93) — updated to 8.5.13. No packages were outdated per `npm outdated`. Build and all 2653 tests continue to pass with no regressions.
+**Files Modified**: package-lock.json, README.md, public/README.md
+
+---
+
 ### Day 63: 2026-04-19
 **Feature/Change**: Frontend Polish - Hero Surface, Heading Rhythm & Timeline Card Refinement
diff --git a/package-lock.json b/package-lock.json
index c20f544..76a2271 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1205,9 +1205,9 @@
 }
 },
 "node_modules/postcss": {
- "version": "8.5.6",
- "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
- "integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
+ "version": "8.5.13",
+ "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz",
+ "integrity": "sha512-qif0+jGGZoLWdHey3UFHHWP0H7Gbmsk8T5VEqyYFbWqPr1XqvLGBbk/sl8V5exGmcYJklJOhOQq1pV9IcsiFag==",
 "dev": true,
 "funding": [
 {
@@ -1375,9 +1375,9 @@
 "license": "MIT"
 },
 "node_modules/vite": {
- "version": "7.3.1",
- "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
- "integrity": "sha512-w+N7Hifpc3gRjZ63vYBXA56dvvRlNWRczTdmCBBa+CotUzAPf5b7YMdMR/8CQoeYE5LX3W4wj6RYTgonm1b9DA==",
+ "version": "7.3.2",
+ "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
+ "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
diff --git a/public/README.md b/public/README.md
index 30b0bc0..a649ec6 100644
--- a/public/README.md
+++ b/public/README.md
@@ -19,6 +19,13 @@ This is the living history of Chimera's evolution. Each entry represents a day o
 ---
+### Day 64: 2026-05-01
+**Feature/Change**: Monthly Dependency Audit - 2026-05
+**Description**: Performed the monthly dependency security audit. Fixed 1 high severity vulnerability and 1 moderate severity vulnerability via `npm audit fix`. (1) vite 7.0.0–7.3.1 had three security issues: path traversal in optimized deps `.map` handling (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass with queries (GHSA-v2wj-q39q-566r), and arbitrary file read via dev server WebSocket (GHSA-p9ff-h696-f583) — updated from 7.2.x to 7.3.2. (2) postcss <8.5.10 had an XSS vulnerability via unescaped `` in CSS Stringify output (GHSA-qx2v-qp2m-jg93) — updated to 8.5.13. No packages were outdated per `npm outdated`. Build and all 2653 tests continue to pass with no regressions.
+**Files Modified**: package-lock.json, README.md, public/README.md
+
+---
+
 ### Day 63: 2026-04-19
 **Feature/Change**: Frontend Polish - Hero Surface, Heading Rhythm & Timeline Card Refinement