chore(deps): bump vite, jsdom; pin undici and suppress unreachable advisory

Bumps vite ^8.0.5 → ^8.0.16 (GHSA-fx2h-pf6j-xcff, server.fs.deny
bypass on Windows) and jsdom ^29.0.1 → ^29.1.1 to unblock the
pre-commit audit gate.

The existing >=7.24.0 undici override was floating to 8.x, which
broke jsdom (it reaches into undici 7's private module layout).
Tightened to ~7.24.0 to keep jsdom working. That leaves
GHSA-vmh5-mc38-953g (undici SOCKS5 ProxyAgent TLS bypass) open —
patched in 7.28+ but we can't move there until jsdom updates its
pin. We never use a SOCKS5 proxy in tests, so the vulnerable code
path is unreachable. Added an auditConfig.ignoreGhsas entry with
a note explaining the rationale and the condition for removing it.
Lukas
2026-06-19 16:29:42 +02:00
parent 1930473753
commit a97ffe5ed1
3 changed files with 235 additions and 180 deletions
+2 -2
@@ -27,8 +27,8 @@
"@types/react": "^19.0.0",
"@types/react-dom": "^19.0.0",
"@vitejs/plugin-react": "^6.0.1",
"jsdom": "^29.0.1",
"jsdom": "^29.1.1",
"tailwindcss": "^4.2.2",
"vite": "^8.0.5"
"vite": "^8.0.16"
}
}
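Review bot: the `"jsdom": "^29.1.1"` line keeps a caret range even though the commit message says jsdom only works while the undici override is held at ~7.24.0. A later 29.x release picked up on a fresh resolve could change which undici layout jsdom expects, either breaking the tests again or making the GHSA-vmh5-mc38-953g suppression removable without anyone noticing. Consider a tilde range here, or name in the ignoreGhsas note the jsdom version that should trigger re-checking the undici pin. The "never use a SOCKS5 proxy in tests" rationale also covers test-time use only, and the hunk does not show the enclosing key, so please confirm this block is devDependencies and that undici is not resolved into any runtime path.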