Dependency updates
npm audit reports 4 moderate vulnerabilities in the dev/build chain:
Security advisories (moderate)
esbuild ≤ 0.24.2 — GHSA-67mh-4wv8-2f99 (dev server can be reached cross-origin)
vite ≤ 6.4.1 — GHSA-4w7w-66w2-5vf9 (path traversal in optimized deps .map handling)
vitepress ≤ 1.6.4 — pulls vulnerable vite
vitepress-plugin-mermaid — pulls vulnerable vitepress
fixAvailable: false from npm audit means it can't auto-resolve — vitepress must be bumped to a version pulling vite ≥ 6.4.2.
Other
mermaid and vitepress-plugin-mermaid show in npm outdated (lockfile drift; current may be behind wanted/latest).
Instructions
Bump vitepress (and vitepress-plugin-mermaid to the matching version) to versions that pull a non-vulnerable vite/esbuild. Run npm install, build the docs site (npm run build), and verify locally. Open a draft PR; if CI passes, mark it ready with gh pr ready. Assign @rubenhensen as reviewer. No tests to verify beyond the build.
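A lockfile check for the "verify locally" step, as an added example that is not part of the original issue or the project's code. It flags every installed copy of esbuild, vite and vitepress in a package-lock.json (lockfileVersion 2/3) that is still at or below the affected versions quoted above, including nested copies that a top-level bump can leave behind. The function names and the sample lockfile are constructed, and the issue's "≤" bounds are assumed to describe the whole affected range.

```javascript
// Upper bounds of the affected ranges, taken from the issue text.
const MAX_AFFECTED = {
  esbuild: "0.24.2",
  vite: "6.4.1",
  vitepress: "1.6.4",
};

// Compare plain x.y.z versions; pre-release/build suffixes are ignored (simplification).
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Returns [{ path, name, version, maxAffected }] for every copy still in range,
// including nested copies such as node_modules/vitepress/node_modules/vite.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !meta.version) continue; // skip the root project entry
    const name = path.slice(idx + "node_modules/".length);
    const max = MAX_AFFECTED[name];
    if (max && compareVersions(meta.version, max) <= 0) {
      hits.push({ path, name, version: meta.version, maxAffected: max });
    }
  }
  return hits;
}

// Constructed sample lockfile (not the repository's real one): top-level vite is
// fixed, but vitepress still carries a nested vulnerable vite and esbuild.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs", version: "0.0.0" },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/vitepress": { version: "1.6.4" },
    "node_modules/vitepress/node_modules/vite": { version: "5.4.19" },
    "node_modules/vitepress/node_modules/esbuild": { version: "0.21.5" },
  },
};

for (const h of findAffected(sampleLock)) console.log(`${h.path}: ${h.name}@${h.version} <= ${h.maxAffected}`);
```

To run it against the real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; an empty result means no copy at or below the listed versions remains.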