Skip to content

chore(deps): resolve all open dependabot alerts and enable dependabot#229

Merged
chhoumann merged 1 commit into
masterfrom
chore/dependabot-audit-fix
Jul 6, 2026
Merged

chore(deps): resolve all open dependabot alerts and enable dependabot#229
chhoumann merged 1 commit into
masterfrom
chore/dependabot-audit-fix

Conversation

@chhoumann

Copy link
Copy Markdown
Owner

Clears all 68 open dependabot security alerts (all development-scope, package-lock.json) and sets the repo up so alerts stop piling up silently.

What changed

  • npm audit fix across the dev dependency tree: vitest 4.0.13 -> 4.1.9 (critical UI-server RCE advisory), vite 7.2.x -> 7.3.x, plus transitive bumps for svelte, handlebars, lodash, tar, tmp, minimatch, glob, flatted, fast-uri, postcss, sigstore, js-yaml, rollup, undici, ws and friends. 31 npm-audit advisories cleared, no forced major bumps.
  • overrides pinning undici to ^6.27.0 under @actions/http-client (its undici 5.x line has no patched release) - only exercised by semantic-release tooling in CI.
  • Re-resolved the npm package (dep of @semantic-release/npm) to 11.18.0, whose vendored undici 6.27.0 fixes the one advisory npm audit fix cannot reach (bundled deps are immutable). Verified the 11.18.0 tarball bundles undici 6.27.0 before bumping.
  • Added .github/dependabot.yml: weekly grouped npm updates (minor/patch in one PR, security grouped separately) + github-actions updates. Automated security fixes were also enabled on the repo (was disabled - the reason 68 alerts accumulated with zero PRs).

Risk notes

  • Production deps are untouched: fuse.js 7.1.0 and openai 6.9.1 resolve identically, so shipped main.js is unchanged. Everything else is build/test/release tooling.
  • Verified locally: lint, biome format:check, typecheck, build, svelte-check, and the full vitest suite (876 tests, 69 files) all green. npm audit reports 0 vulnerabilities.

- npm audit fix across the dev tree (vitest 4.1.x, vite 7.3.x, svelte,
  handlebars, lodash, tar, undici, and friends) - 31 advisories cleared
- override undici to ^6.27.0 under @actions/http-client (no patched 5.x)
- re-resolve bundled npm to 11.18.0, whose vendored undici 6.27.0 fixes
  the last advisory npm audit fix cannot reach
- add .github/dependabot.yml (weekly, grouped npm + github-actions)

Production deps (fuse.js, openai) are unchanged; shipped main.js is
identical.
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying podnotes with  Cloudflare Pages  Cloudflare Pages

Latest commit: 7a753e4
Status: ✅  Deploy successful!
Preview URL: https://24b68568.podnotes.pages.dev
Branch Preview URL: https://chore-dependabot-audit-fix.podnotes.pages.dev

View logs

@chhoumann chhoumann marked this pull request as ready for review July 6, 2026 13:46
@chhoumann chhoumann merged commit 2cd34bb into master Jul 6, 2026
2 checks passed
@chhoumann chhoumann deleted the chore/dependabot-audit-fix branch July 6, 2026 13:46
@chatgpt-codex-connector

Copy link
Copy Markdown

💡 Codex Review

PodNotes/package-lock.json

Lines 15525 to 15527 in 7a753e4

"peerDependencies": {
"picomatch": "^3 || ^4"
},

P2 Badge Restore the missing svelte-check picomatch lock entry

This fdir peer is still present, but the commit removed the adjacent node_modules/svelte-check/node_modules/picomatch package entry from the lockfile. In a clean install with the committed files, npm ci --ignore-scripts now aborts with npm's sync check (Missing: picomatch@ from lock file), so anyone using npm ci for reproducible installs cannot install the repo until the lockfile is regenerated with that peer entry restored.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

Open in Devin Review

Comment thread package.json
Comment thread package.json
@chhoumann

Copy link
Copy Markdown
Owner Author

Good catch - confirmed this was real at 7a753e4: the lockfile surgery that re-resolved the bundled npm package dropped the svelte-check picomatch entry, and npm ci would have failed the sync check. It has since self-healed: the lockfile was fully rewritten by #235, #240, and #238, and npm ci --ignore-scripts now completes cleanly from a fresh checkout (911 packages, no sync errors). Nothing left to restore on master.

chhoumann added a commit that referenced this pull request Jul 6, 2026
node-gyp only exists as a bundled dependency inside the npm package,
where overrides cannot reach; the fix that actually resolved its
vendored undici was re-resolving npm to 11.18.0. Flagged by Devin
review on #229. Lockfile is byte-identical without the override,
confirming it was inert.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant