This repository was archived by the owner on Jun 23, 2026. It is now read-only.

fix(deps): clear vite/js-yaml/babel audit advisories#37

Merged
kanywst merged 1 commit into
mainfrom
fix/audit-overrides
Jun 23, 2026

Conversation

@kanywst

@kanywst kanywst commented Jun 23, 2026


Problem

CI (lint / typecheck / test / audit / build) is failing on all open PRs (#33-#36). The failure is in the audit step, not the dependabot bumps themselves — newly published advisories tripped npm audit --audit-level=moderate:

Fix

Pin patched versions via overrides (existing vite: ^7.3.2 was below the patched line):

  • vite: ^7.3.2 → ^7.3.5
  • js-yaml: ^4.2.0 (new)
  • @babel/core: ^7.29.7 (new)

Verification

npm run check (lint + typecheck + test + audit + build) passes locally — npm audit reports found 0 vulnerabilities.

Merging this to main and rebasing the dependabot PRs will clear their CI.

Summary by CodeRabbit

  • Chores
    • Updated and added package dependency overrides for improved stability and compatibility.

vite <=7.3.3 (GHSA-v6wh-96g9-6wx3, GHSA-fx2h-pf6j-xcff), js-yaml
<=4.1.1 (GHSA-h67p-54hq-rp68), and @babel/core <=7.29.0
(GHSA-4x5r-pxfx-6jf8) tripped `npm audit --audit-level=moderate`,
failing CI on all open PRs. Pin patched versions via overrides.
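The description's point that an override floor must sit above an advisory's vulnerable ceiling (a `^7.3.2` range still admits `7.3.3`) can be checked mechanically. This is an added example, not code from the PR or the project; the advisory ceilings are taken from the commit message above and the package.json fragments are constructed.

```javascript
// Added example (not code from the PR or the chainscope project): check
// whether each package.json override floor actually clears an advisory's
// vulnerable range. "^7.3.2" only guarantees >= 7.3.2, so a lockfile can
// still resolve 7.3.3, which is inside "vite <=7.3.3". The advisory data
// is constructed from the ranges quoted in the PR's commit message.
const advisories = [
  { name: 'vite', vulnerableUpTo: '7.3.3' },
  { name: 'js-yaml', vulnerableUpTo: '4.1.1' },
  { name: '@babel/core', vulnerableUpTo: '7.29.0' },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lowest version a range can resolve to (exact, ^ and ~ forms only).
function rangeFloor(range) {
  return parseVersion(range.replace(/^[\^~]/, ''));
}

// One result per advisory: ok only if every version the override admits is
// above the advisory's vulnerable ceiling.
function auditOverrides(pkg) {
  const overrides = pkg.overrides || {};
  return advisories.map(({ name, vulnerableUpTo }) => {
    const range = overrides[name];
    if (!range) return { name, ok: false, reason: 'no override' };
    const ok = compare(rangeFloor(range), parseVersion(vulnerableUpTo)) > 0;
    return {
      name,
      ok,
      reason: `${range} ${ok ? 'clears' : 'still admits'} <=${vulnerableUpTo}`,
    };
  });
}

// Constructed package.json fragments mirroring the PR's before/after overrides.
const before = { overrides: { vite: '^7.3.2', esbuild: '^0.28.1' } };
const after = { overrides: { vite: '^7.3.5', esbuild: '^0.28.1', 'js-yaml': '^4.2.0', '@babel/core': '^7.29.7' } };
console.log(auditOverrides(before)); // vite: still admits <=7.3.3; two 'no override'
console.log(auditOverrides(after));  // all ok
```

Running it against the real package.json (`JSON.parse(fs.readFileSync('package.json'))`) gives a cheap pre-commit guard that an override bump really clears the range the advisory names, independent of what the lockfile happened to resolve.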
@coderabbitai

coderabbitai Bot commented Jun 23, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1a38efc5-feb0-4295-b6ba-d68686c5001b

📥 Commits

Reviewing files that changed from the base of the PR and between 90d4f3a and 65e7d36.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

The package.json overrides section is updated to bump vite from ^7.3.2 to ^7.3.5, retain esbuild at ^0.28.1, and add two new override entries: js-yaml at ^4.2.0 and @babel/core at ^7.29.7.

Changes

Dependency Overrides Update

Layer / File(s): package.json overrides bump (package.json)
Summary: Bumps vite override to ^7.3.5, keeps esbuild at ^0.28.1, and adds new overrides for js-yaml (^4.2.0) and @babel/core (^7.29.7).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • 0-draft/chainscope#31: Also modifies package.json overrides for vite and esbuild, directly intersecting with the same override mechanism updated here.

Poem

🐇 Hop, hop, version bump!
vite jumps up, no more slump,
js-yaml joins the override crew,
@babel/core gets pinned too!
The lockfile smiles, the bunny's done —
Fresh overrides under the spring sun. 🌸

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(deps): clear vite/js-yaml/babel audit advisories' directly and specifically describes the main change: updating dependencies to resolve security audit failures.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates several dependencies in package.json and package-lock.json. Specifically, it bumps vite to ^7.3.5 and adds overrides for js-yaml (^4.2.0) and @babel/core (^7.29.7), which updates these packages and their related sub-dependencies in the lockfile. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@kanywst kanywst merged commit 40e3b59 into main Jun 23, 2026
2 checks passed
@kanywst kanywst deleted the fix/audit-overrides branch June 23, 2026 14:13