Bump astro/vite/undici to clear open Dependabot alerts#69
Merged
Conversation
- astro -> ^6.4.6 (resolves to 6.4.8): fixes #13 GHSA-2pvr-wf23-7pc7 (host-header SSRF in prerendered error page) and #14 GHSA-jrpj-wcv7-9fh9 (XSS via unescaped attribute names in spread props).
- vite -> ^8.0.16 in solid/ui/website: fixes #9 GHSA-fx2h-pf6j-xcff (server.fs.deny bypass on Windows) and #8 GHSA-v6wh-96g9-6wx3 (launch-editor NTLMv2 hash disclosure via UNC paths). Replaced the existing `vite: ^7` override with selector-based clamps (`vite@<7.3.5` -> safe 7, `vite@<8.0.16` -> safe 8) so transitive 7.x consumers (alerts #10, #11) also land on 7.3.5+. Lockfile no longer contains any vite 7.x.
- Added `undici: ">=7.28.0"` override: fixes #15-17 (GHSA-vmh5-mc38-953g TLS-bypass, GHSA-hm92-r4w5-c3mj cross-origin routing, GHSA-pr7r-676h-xcf6 cache-disclosure). jsdom's `^8` ranges pull undici 8.5.0 once unpinned.

Lockfile regenerated with pnpm 10.33. The pnpmDeps.hash bump in nix/packages.nix will land in the next commit once CI surfaces the new sandbox hash.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
Bumping vite to 8.0.16, astro to 6.4.8, and pinning undici >=7.28.0 changes the fetchPnpmDeps sandbox output. Local `nix build .#pnpmDeps` against the new lockfile reports sha256-8/GKERib730GQ3rjfEJyYR3uFdA9s/M8WLAKhKGLwx8=; re-verified that hash builds cleanly.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
e99f501 to e0fb7cd
johannkm approved these changes Jun 22, 2026
jsdom@29.1.1 imports `undici/lib/handler/wrap-handler.js` (via `jsdom-dispatcher.js`); the path only exists in undici 7.x. The previous `undici: ">=7.28.0"` let pnpm satisfy jsdom's `^8` requirement with undici@8.5.0, which removed/renamed that submodule and broke every @blit-sh/core vitest file with `Cannot find module 'undici/lib/handler/wrap-handler.js'` under the forks pool. Tightening to `^7.28.0` pins to 7.28.0 (still past the SOCKS5/TLS/cache advisories) and restores the missing handler path. Refreshed pnpmDeps.hash via local `nix build .#pnpmDeps`.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
Summary
`js/pnpm-lock.yaml` in the fixed range.
- astro `^6.3.3` → `^6.4.6` (resolves to 6.4.8): clears alert #13 (GHSA-2pvr-wf23-7pc7 host-header SSRF) and #14 (GHSA-jrpj-wcv7-9fh9 XSS via spread props attribute names).
- vite `^8.0.13` → `^8.0.16` in solid/ui/website: clears alert #9 (GHSA-fx2h-pf6j-xcff `server.fs.deny` bypass on Windows) and #8 (GHSA-v6wh-96g9-6wx3 launch-editor NTLMv2 hash disclosure). Replaces the existing `vite: ^7` override with selector-based clamps (`vite@<7.3.5` → safe 7, `vite@<8.0.16` → safe 8); transitive vite 7.x consumers (alerts #10, #11) would land on 7.3.5+. After regeneration the lockfile has no vite 7.x at all.
- `undici: ">=7.28.0"`: clears #15 (GHSA-vmh5-mc38-953g TLS-bypass via dropped requestTls in SOCKS5 ProxyAgent), #16 (GHSA-pr7r-676h-xcf6 shared-cache whitespace bypass), and #17 (GHSA-hm92-r4w5-c3mj SOCKS5 proxy pool reuse). jsdom's `^8` ranges then resolve to undici 8.5.0 cleanly.
- `nix/packages.nix` `pnpmDeps.hash` bump will land in a follow-up commit on this branch once CI surfaces the new sandbox hash, per the pnpm-deps Nix hash workflow.
Motivation
14 Dependabot alerts open on `js/pnpm-lock.yaml` covering 5 packages (astro, vite, undici, devalue, fast-uri, plus the already-fixed esbuild #6). Of those, 8 had genuinely vulnerable versions still in the lockfile (vite 7.3.3 + 8.0.13, astro 6.3.3, undici 7.25.0). The rest (alerts #1, #2, #3, #5, #6, #12) are GitHub-dependency-graph staleness — the lockfile is already past the patched version, but the SBOM endpoint still reports old data (e.g. esbuild 0.27.5 in the SBOM despite 0.28.1 on `main` since PR #68).
Testing
- `pnpm install --lockfile-only` regenerated cleanly under pnpm 10.33.
- `undici@8.5.0`, `astro@6.4.8`, `vite@8.0.16` (only — no 7.x), `esbuild@0.28.1`. No remaining matches for any open advisory's vulnerable range.
- `pnpmDeps` not available in the sandbox; will refresh the hash from the first CI failure log per the established workflow.
Tag `@indent` to continue the conversation here.
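A check for the "no remaining matches for any open advisory's vulnerable range" step, as an added example that is not part of this PR or the blit project: it scans the `packages:` section of a pnpm-lock.yaml (v9 layout) for vite, astro and undici entries below the fix floors this PR states. The floors (7.3.5 / 8.0.16 for vite, 6.4.6 for astro, 7.28.0 for undici 7.x) are taken from the PR text and treated as the boundary, which is an assumption; the lockfile fragments are constructed.

```javascript
// Added example (not the PR's or the project's code): scan a pnpm-lock.yaml (v9 layout)
// `packages:` section for versions still below the fix floors this PR states. Assumption:
// anything under a floor for that major is unpatched; majors with no floor (undici 8.x) are not judged.
const FIX_FLOORS = {
  vite:   [[7, "7.3.5"], [8, "8.0.16"]], // per-major floors, like the override clamps
  astro:  [[6, "6.4.6"]],
  undici: [[7, "7.28.0"]],
};

// "1.2.3" or "1.2.3-beta.1" -> [1, 2, 3] (prerelease tag ignored).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric major.minor.patch comparison: <0, 0, >0.
function cmp(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Collect {name, version} from keys such as `  vite@8.0.16(@types/node@22.0.0):`
// or `  '@scope/name@1.0.0':`; other top-level sections (importers, snapshots) are skipped.
function lockfilePackages(text) {
  const out = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line)) inPackages = line.startsWith("packages:");
    if (!inPackages) continue;
    const m = /^  '?((?:@[^/@'\s]+\/)?[^@'/\s]+)@(\d+\.\d+\.\d+[^('\s:]*)/.exec(line);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Entries whose major has a floor and whose version sits below it.
function findUnpatched(text) {
  return lockfilePackages(text).filter(({ name, version }) => {
    const floors = FIX_FLOORS[name] || [];
    const floor = floors.find(([major]) => major === parseVersion(version)[0]);
    return floor !== undefined && cmp(version, floor[1]) < 0;
  });
}

// Constructed lockfile fragments mirroring the before/after state the PR describes.
const BEFORE = `packages:\n\n  astro@6.3.3(typescript@5.8.3):\n    resolution: {integrity: sha512-x}\n\n  undici@7.25.0:\n    resolution: {integrity: sha512-x}\n\n  vite@7.3.3(@types/node@22.0.0):\n    resolution: {integrity: sha512-x}\n\n  vite@8.0.13(@types/node@22.0.0):\n    resolution: {integrity: sha512-x}\n\n  '@astrojs/sitemap@3.2.1':\n    resolution: {integrity: sha512-x}\n`;
const AFTER = `packages:\n\n  astro@6.4.8(typescript@5.8.3):\n    resolution: {integrity: sha512-x}\n\n  undici@7.28.0:\n    resolution: {integrity: sha512-x}\n\n  vite@8.0.16(@types/node@22.0.0):\n    resolution: {integrity: sha512-x}\n`;
console.log("before:", findUnpatched(BEFORE).map((p) => `${p.name}@${p.version}`));
console.log("after:", findUnpatched(AFTER)); // []
```

Run it against the real `js/pnpm-lock.yaml` by reading the file into `findUnpatched`; a non-empty result means a clamp or override did not take effect.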