chore(deps): bump vite, jsdom; pin undici and suppress unreachable advisory
Bumps vite ^8.0.5 → ^8.0.16 (GHSA-fx2h-pf6j-xcff, server.fs.deny bypass on Windows) and jsdom ^29.0.1 → ^29.1.1 to unblock the pre-commit audit gate. The existing >=7.24.0 undici override was floating to 8.x, which broke jsdom (it reaches into undici 7's private module layout). Tightened to ~7.24.0 to keep jsdom working. That leaves GHSA-vmh5-mc38-953g (undici SOCKS5 ProxyAgent TLS bypass) open — patched in 7.28+ but we can't move there until jsdom updates its pin. We never use a SOCKS5 proxy in tests, so the vulnerable code path is unreachable. Added an auditConfig.ignoreGhsas entry with a note explaining the rationale and the condition for removing it.
+9
-1
@@ -3,8 +3,16 @@
"packageManager": "pnpm@10.32.1+sha512.a706938f0e89ac1456b6563eab4edf1d1faf3368d1191fc5c59790e96dc918e4456ab2e67d613de1043d2e8c81f87303e6b40d4ffeca9df15ef1ad567348f2be",
"pnpm": {
"overrides": {
"undici": ">=7.24.0",
"undici": "~7.24.0",
"picomatch": ">=4.0.4"
},
"auditConfig": {
"ignoreGhsas": [
"GHSA-vmh5-mc38-953g"
],
"_ignoreGhsasNotes": {
"GHSA-vmh5-mc38-953g": "undici SOCKS5 ProxyAgent TLS bypass. Only reachable via undici/jsdom (test-time). Patched in undici>=7.28.0 but jsdom@29.1.1 reaches into undici's private module layout, so forcing 7.28+ via override breaks tests. We never use a SOCKS5 proxy in tests, so the path is unreachable. Drop this entry once jsdom updates its undici pin."
}
}
},
"devDependencies": {
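Review bot: The `"undici": "~7.24.0"` override is tree-wide, but the justification in `_ignoreGhsasNotes` ("Only reachable via undici/jsdom (test-time)") only holds for jsdom's copy; any other package in the tree that depends on undici is now also held at 7.24.x, below the 7.28.0 fix for GHSA-vmh5-mc38-953g, and that copy may well be on a runtime path. Consider scoping the override to the one consumer that needs it with pnpm's parent selector, e.g. `"jsdom>undici": "~7.24.0"`, so every other undici consumer can resolve to a patched release and the `ignoreGhsas` entry covers only the jsdom instance the note actually argues about. It would also help to name the jsdom issue or version that the "drop this entry once jsdom updates its undici pin" condition refers to, so the removal trigger is checkable rather than a reminder to re-audit.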