chore(deps): resolve all open dependabot alerts and enable dependabot#229
Conversation
- npm audit fix across the dev tree (vitest 4.1.x, vite 7.3.x, svelte, handlebars, lodash, tar, undici, and friends) - 31 advisories cleared - override undici to ^6.27.0 under @actions/http-client (no patched 5.x) - re-resolve bundled npm to 11.18.0, whose vendored undici 6.27.0 fixes the last advisory npm audit fix cannot reach - add .github/dependabot.yml (weekly, grouped npm + github-actions) Production deps (fuse.js, openai) are unchanged; shipped main.js is identical.
Deploying podnotes with
|
| Latest commit: |
7a753e4
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://24b68568.podnotes.pages.dev |
| Branch Preview URL: | https://chore-dependabot-audit-fix.podnotes.pages.dev |
💡 Codex ReviewLines 15525 to 15527 in 7a753e4 This ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
|
Good catch - confirmed this was real at 7a753e4: the lockfile surgery that re-resolved the bundled npm package dropped the svelte-check picomatch entry, and npm ci would have failed the sync check. It has since self-healed: the lockfile was fully rewritten by #235, #240, and #238, and npm ci --ignore-scripts now completes cleanly from a fresh checkout (911 packages, no sync errors). Nothing left to restore on master. |
node-gyp only exists as a bundled dependency inside the npm package, where overrides cannot reach; the fix that actually resolved its vendored undici was re-resolving npm to 11.18.0. Flagged by Devin review on #229. Lockfile is byte-identical without the override, confirming it was inert.
Clears all 68 open dependabot security alerts (all development-scope, package-lock.json) and sets the repo up so alerts stop piling up silently.
What changed
npm audit fixacross the dev dependency tree: vitest 4.0.13 -> 4.1.9 (critical UI-server RCE advisory), vite 7.2.x -> 7.3.x, plus transitive bumps for svelte, handlebars, lodash, tar, tmp, minimatch, glob, flatted, fast-uri, postcss, sigstore, js-yaml, rollup, undici, ws and friends. 31 npm-audit advisories cleared, no forced major bumps.overridespinning undici to^6.27.0under@actions/http-client(its undici 5.x line has no patched release) - only exercised by semantic-release tooling in CI.npmpackage (dep of@semantic-release/npm) to 11.18.0, whose vendored undici 6.27.0 fixes the one advisorynpm audit fixcannot reach (bundled deps are immutable). Verified the 11.18.0 tarball bundles undici 6.27.0 before bumping..github/dependabot.yml: weekly grouped npm updates (minor/patch in one PR, security grouped separately) + github-actions updates. Automated security fixes were also enabled on the repo (was disabled - the reason 68 alerts accumulated with zero PRs).Risk notes
npm auditreports 0 vulnerabilities.