chore(deps): override esbuild + vite to patch audit advisories#72

Merged
rubenhensen merged 1 commit into main from chore/audit-fix-esbuild-override on May 8, 2026
Conversation

@dobby-coder dobby-coder Bot commented May 7, 2026

Closes #71.

Summary

  • Add overrides block to package.json forcing esbuild ^0.25.0 and vite ^6.4.2.
  • npm audit now reports 0 vulnerabilities (was 4 moderate).
  • npm run docs:build completes successfully (~6.8s) with vite 6 — no config changes required.

Why overrides instead of bumping vitepress

  • vitepress latest stable is 1.6.4, which pins vite ^5.4.14 and is itself flagged by the audit.
  • Vite advisory GHSA-4w7w-66w2-5vf9 is patched in 6.4.2 / 7.3.2 / 8.0.5 only — not backported to 5.x.
  • vitepress@2.0.0-alpha.17 is still pre-release; vitepress-plugin-mermaid@2.0.17 declares peer vitepress: ^1.0.0 || ^1.0.0-alpha, so it does not support 2.x yet.
  • Overrides let us pull the patched vite/esbuild today without waiting for vitepress 2 stable + a matching mermaid plugin release. We can drop the overrides once vitepress 2 ships and the mermaid plugin catches up.

Test plan

  • npm install clean (0 vulnerabilities).
  • npm run docs:build succeeds; mermaid diagrams still render in built HTML (verified via grep mermaid docs/.vitepress/dist/*.html).
  • Reviewer quickstart: git fetch origin && git checkout chore/audit-fix-esbuild-override && rm -rf node_modules package-lock.json && npm install && npm run docs:build

Closes #71

vitepress 1.6.4 (latest stable) pins vite ^5.4.14, which transitively
pulls a vulnerable esbuild (GHSA-67mh-4wv8-2f99) and a vite version
itself flagged by GHSA-4w7w-66w2-5vf9. Patches for the vite advisory
landed in 6.4.2 / 7.3.2 / 8.0.5 only (not backported to 5.x). vitepress
2.x is still alpha and vitepress-plugin-mermaid does not yet support it.

Use npm overrides to force:
- esbuild ^0.25.0 (fixes GHSA-67mh-4wv8-2f99)
- vite ^6.4.2 (fixes GHSA-4w7w-66w2-5vf9)

`npm audit` reports 0 vulnerabilities. `npm run docs:build`
completes successfully against vite 6 with no config changes.
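The test plan above relies on `npm audit` reporting 0 to conclude that the overrides applied. The script below is an added example, not code from PR #72 or from the project, that checks this more directly: it walks `package-lock.json` (the `packages` map of lockfileVersion 2 or 3) and reports every installed copy of an overridden package, hoisted or nested under another package, whose version is below the override's lower bound. The two lockfile objects inside it are constructed samples, and the override block is the one the PR describes (esbuild ^0.25.0, vite ^6.4.2). Only the lower bound of each caret range is checked, because for a patch floor that is the security-relevant part.

```javascript
// Added example, not code from PR #72 or the project it targets.
// Verifies that an npm "overrides" block actually took effect by scanning
// package-lock.json for every resolved copy of each overridden package.

// Overrides as described in the PR (package.json "overrides" block).
const OVERRIDES = { esbuild: "^0.25.0", vite: "^6.4.2" };

// Parse "6.4.2", "^6.4.2", "~6.4.2" or "v6.4.2" into [major, minor, patch].
// Prerelease and build suffixes are ignored for the comparison.
function parseVersion(spec) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  if (!m) throw new Error(`unparseable version spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile install path, e.g.
// "node_modules/vitepress/node_modules/esbuild" -> "esbuild",
// "node_modules/@scope/pkg" -> "@scope/pkg". The root entry ("") yields "".
function packageName(installPath) {
  const i = installPath.lastIndexOf("node_modules/");
  return i === -1 ? "" : installPath.slice(i + "node_modules/".length);
}

// Returns [{ path, name, version, floor }] for every installed copy of an
// overridden package whose version is below the override's lower bound.
function findUnpatched(lockfile, overrides = OVERRIDES) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageName(installPath);
    if (!(name in overrides) || !entry || !entry.version) continue;
    const floor = overrides[name].replace(/^[\^~]/, "");
    if (compareVersions(parseVersion(entry.version), parseVersion(floor)) < 0) {
      findings.push({ path: installPath, name, version: entry.version, floor });
    }
  }
  return findings;
}

// Constructed sample (not a real lockfile from the project): the hoisted esbuild
// is patched, but vitepress still carries its own nested vite 5.x and esbuild
// 0.21.x, which is the shape you would see if the override had not applied.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs", version: "0.0.0" },
    "node_modules/esbuild": { version: "0.25.4" },
    "node_modules/vitepress": { version: "1.6.4" },
    "node_modules/vitepress/node_modules/vite": { version: "5.4.14" },
    "node_modules/vitepress/node_modules/esbuild": { version: "0.21.5" },
  },
};

// Constructed sample of the same tree after the override: one hoisted vite 6.4.2
// and esbuild 0.25.4, no nested older copies.
const PATCHED_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "docs", version: "0.0.0" },
    "node_modules/esbuild": { version: "0.25.4" },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/vitepress": { version: "1.6.4" },
  },
};

// Usage: node check-overrides.js [path/to/package-lock.json]
// Without an argument, both constructed samples are checked.
if (typeof require !== "undefined" && require.main === module) {
  const targets = process.argv[2]
    ? [[process.argv[2], JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))]]
    : [["SAMPLE_LOCKFILE", SAMPLE_LOCKFILE], ["PATCHED_LOCKFILE", PATCHED_LOCKFILE]];
  for (const [label, lock] of targets) {
    const bad = findUnpatched(lock);
    for (const f of bad) console.log(`${label}: ${f.path} has ${f.name}@${f.version}, below floor ${f.floor}`);
    console.log(`${label}: ${bad.length === 0 ? "all overridden packages at or above floor" : bad.length + " unpatched copies"}`);
    if (process.argv[2] && bad.length > 0) process.exitCode = 1;
  }
}
```

On a real checkout, `npm ls esbuild vite` gives the same picture interactively; the script is for a CI step, where a nonzero exit on a nested pre-floor copy catches an override that silently stopped applying after a later dependency bump.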
@dobby-coder dobby-coder Bot requested a review from rubenhensen May 7, 2026 22:15
@dobby-coder dobby-coder Bot marked this pull request as ready for review May 7, 2026 22:17
@dobby-coder dobby-coder Bot mentioned this pull request May 7, 2026
@rubenhensen rubenhensen merged commit b6e10f4 into main May 8, 2026
1 check passed
@rubenhensen rubenhensen deleted the chore/audit-fix-esbuild-override branch May 8, 2026 07:03
Development

Successfully merging this pull request may close these issues.

chore: update dependencies