
Bump astro/vite/undici to clear open Dependabot alerts#69

Merged
mgasner merged 3 commits into main from indent-2026-06-22-dependabot-bumps on Jun 23, 2026

Conversation

@mgasner

@mgasner mgasner commented Jun 22, 2026

Contributor

Summary

Motivation
14 Dependabot alerts open on js/pnpm-lock.yaml covering 5 packages (astro, vite, undici, devalue, fast-uri, plus the already-fixed esbuild #6). Of those, 8 had genuinely vulnerable versions still in the lockfile (vite 7.3.3 + 8.0.13, astro 6.3.3, undici 7.25.0). The rest (alerts #1, #2, #3, #5, #6, #12) are GitHub-dependency-graph staleness — the lockfile is already past the patched version, but the SBOM endpoint still reports old data (e.g. esbuild 0.27.5 in the SBOM despite 0.28.1 on main since PR #68).

Testing

  • pnpm install --lockfile-only regenerated cleanly under pnpm 10.33.
  • Verified post-regen versions: undici@8.5.0, astro@6.4.8, vite@8.0.16 (only — no 7.x), esbuild@0.28.1. No remaining matches for any open advisory's vulnerable range.
  • Local nix build of pnpmDeps not available in the sandbox; will refresh the hash from the first CI failure log per the established workflow.


- astro -> ^6.4.6 (resolves to 6.4.8): fixes #13 GHSA-2pvr-wf23-7pc7
  (host-header SSRF in prerendered error page) and #14 GHSA-jrpj-wcv7-9fh9
  (XSS via unescaped attribute names in spread props).
- vite -> ^8.0.16 in solid/ui/website: fixes #9 GHSA-fx2h-pf6j-xcff
  (server.fs.deny bypass on Windows) and #8 GHSA-v6wh-96g9-6wx3
  (launch-editor NTLMv2 hash disclosure via UNC paths). Replaced the
  existing `vite: ^7` override with selector-based clamps
  (`vite@<7.3.5` -> safe 7, `vite@<8.0.16` -> safe 8) so transitive 7.x
  consumers (alerts #10, #11) also land on 7.3.5+. Lockfile no longer
  contains any vite 7.x.
- Added `undici: ">=7.28.0"` override: fixes #15-17
  (GHSA-vmh5-mc38-953g TLS-bypass, GHSA-hm92-r4w5-c3mj cross-origin
  routing, GHSA-pr7r-676h-xcf6 cache-disclosure). jsdom's `^8` ranges
  pull undici 8.5.0 once unpinned.

Lockfile regenerated with pnpm 10.33. The pnpmDeps.hash bump in
nix/packages.nix will land in the next commit once CI surfaces the new
sandbox hash.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
@mgasner mgasner added the indent label Jun 22, 2026 — with indent-zero
@mgasner mgasner requested a review from pcarrier June 22, 2026 18:44
Bumping vite to 8.0.16, astro to 6.4.8, and pinning undici >=7.28.0
changes the fetchPnpmDeps sandbox output. Local `nix build .#pnpmDeps`
against the new lockfile reports
sha256-8/GKERib730GQ3rjfEJyYR3uFdA9s/M8WLAKhKGLwx8=; re-verified that
hash builds cleanly.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
@indent-zero indent-zero Bot force-pushed the indent-2026-06-22-dependabot-bumps branch from e99f501 to e0fb7cd Compare June 22, 2026 18:48
@mgasner mgasner requested a review from johannkm June 22, 2026 18:50
@github-actions

github-actions Bot commented Jun 22, 2026


🔗 Preview: https://blit-cd1mguiyn-indent.vercel.app

@github-actions


Coverage

Crate Lines Functions Regions
alacritty-driver 63.7% (626/982) 67.1% (49/73) 64.3% (919/1429)
browser 0.0% (0/807) 0.0% (0/65) 0.0% (0/1370)
cli 28.1% (1208/4299) 41.3% (171/414) 31.1% (2182/7019)
compositor 1.0% (93/9234) 2.0% (8/400) 1.2% (146/12408)
fonts 76.8% (486/633) 85.5% (47/55) 77.9% (922/1183)
gateway 25.7% (362/1411) 29.0% (36/124) 19.4% (449/2318)
proxy 18.3% (150/818) 20.9% (24/115) 20.4% (260/1277)
remote 71.5% (1975/2763) 81.4% (188/231) 74.1% (3737/5045)
sd-notify 73.9% (68/92) 100.0% (6/6) 83.2% (109/131)
server 18.7% (2186/11701) 33.6% (251/748) 20.1% (3660/18180)
ssh 1.9% (7/374) 3.2% (1/31) 0.7% (4/613)
webrtc-forwarder 2.7% (72/2624) 2.1% (4/187) 1.2% (50/4335)
webserver 63.5% (753/1185) 70.8% (121/171) 67.8% (1380/2034)
Total 21.6% (7986/36923) 34.6% (906/2620) 24.1% (13818/57342)

jsdom@29.1.1 imports `undici/lib/handler/wrap-handler.js` (via
`jsdom-dispatcher.js`); the path only exists in undici 7.x. The previous
`undici: ">=7.28.0"` let pnpm satisfy jsdom's `^8` requirement with
undici@8.5.0, which removed/renamed that submodule and broke every
@blit-sh/core vitest file with `Cannot find module
'undici/lib/handler/wrap-handler.js'` under the forks pool.

Tightening to `^7.28.0` pins to 7.28.0 (still past the
SOCKS5/TLS/cache advisories) and restores the missing handler path.
Refreshed pnpmDeps.hash via local `nix build .#pnpmDeps`.

Generated with [Indent](https://indent.com)
Co-Authored-By: Indent <noreply@indent.com>
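The two checks this thread leans on, the "no remaining matches for any open advisory's vulnerable range" verification in the PR's Testing section and the observation that an `undici: ">=7.28.0"` override lets pnpm resolve jsdom's `^8` range to undici 8.x while `^7.28.0` does not, can both be scripted against the lockfile. The block below is an added example, not code from this PR or from the blit repository: it extracts `name@version` keys from the `packages:` section of a pnpm v9-style lockfile, reports entries inside an advisory range, and evaluates override selectors of the `vite@<7.3.5` form. The advisory ranges are inferred from the PR text (vite fixed in 7.3.5 and 8.0.16, undici in 7.28.0, astro in 6.4.6), the lockfile excerpt is constructed (with a vite 7.3.3 entry left in so the scan reports something), and the semver subset handles only `x.y.z` versions with `^` and comparator ranges.

```javascript
// Added example (not the PR's or the blit project's code): scan a pnpm-lock.yaml
// for versions still inside an advisory's vulnerable range, and evaluate the
// override ranges discussed in the PR with a small semver subset.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Range subset: `^x.y.z`, comparators (>=, >, <, <=, =) and space-joined sets
// such as ">=8.0.0 <8.0.16". Prerelease tags are deliberately not handled.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((c) => {
    const caret = /^\^(\d+\.\d+\.\d+)$/.exec(c);
    if (caret) {
      const [maj, min] = parseVersion(caret[1]);
      const [vMaj, vMin] = parseVersion(version);
      // ^7.28.0 stays within major 7; ^0.27.5 stays within minor 0.27.
      const sameLine = maj > 0 ? vMaj === maj : vMaj === 0 && vMin === min;
      return sameLine && compare(version, caret[1]) >= 0;
    }
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
    if (!m) throw new Error(`unsupported comparator: ${c}`);
    const cmp = compare(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return cmp >= 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '<': return cmp < 0;
      default: return cmp === 0;
    }
  });
}

// Pull name@version keys out of the `packages:` section of a pnpm v9 lockfile.
// Keys look like `astro@6.4.8:` or `'@scope/name@1.2.3':`; a leading `/` (older
// lockfile versions) and peer suffixes in parentheses are dropped.
function lockfilePackages(lockText) {
  const found = [];
  let inPackages = false;
  for (const raw of lockText.split('\n')) {
    if (/^\S/.test(raw)) { inPackages = raw.trim() === 'packages:'; continue; }
    if (!inPackages || !raw.trim().endsWith(':')) continue;
    const m = /^\s{2}'?\/?((?:@[^\/'@]+\/)?[^@'(\s]+)@(\d+\.\d+\.\d+[^'(:\s]*)/.exec(raw);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Advisory ranges below are an assumption constructed from the PR text, not
// fetched from GitHub: vite fixed in 7.3.5 / 8.0.16, undici 7.28.0, astro 6.4.6.
const ADVISORIES = [
  { name: 'vite', vulnerable: '<7.3.5' },
  { name: 'vite', vulnerable: '>=8.0.0 <8.0.16' },
  { name: 'undici', vulnerable: '<7.28.0' },
  { name: 'astro', vulnerable: '<6.4.6' },
];

function findVulnerable(lockText, advisories = ADVISORIES) {
  return lockfilePackages(lockText).flatMap((p) =>
    advisories
      .filter((a) => a.name === p.name && satisfies(p.version, a.vulnerable))
      .map((a) => ({ ...p, range: a.vulnerable })));
}

// A pnpm override key like `vite@<7.3.5` applies only to resolutions whose
// version matches the selector range; a bare key such as `undici` applies to all.
function overrideApplies(selectorKey, name, version) {
  const at = selectorKey.indexOf('@', 1); // index 1 skips a leading scope '@'
  if (at === -1) return selectorKey === name;
  return selectorKey.slice(0, at) === name && satisfies(version, selectorKey.slice(at + 1));
}

// Constructed lockfile excerpt (not the repository's js/pnpm-lock.yaml);
// vite@7.3.3 is left in on purpose so the scan has something to report.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      vite:
        specifier: ^8.0.16
        version: 8.0.16

packages:

  '@astrojs/check@0.9.4':
    resolution: {integrity: sha512-constructed}

  astro@6.4.8:
    resolution: {integrity: sha512-constructed}

  undici@7.28.0:
    resolution: {integrity: sha512-constructed}

  vite@7.3.3:
    resolution: {integrity: sha512-constructed}

  vite@8.0.16:
    resolution: {integrity: sha512-constructed}

snapshots:

  vite@8.0.16:
    dependencies:
      esbuild: 0.28.1
`;

console.log('still vulnerable:', findVulnerable(SAMPLE_LOCK));
for (const r of ['>=7.28.0', '^7.28.0']) {
  console.log(`undici override ${r} admits 8.5.0:`, satisfies('8.5.0', r));
}
```

Run against a real lockfile by replacing SAMPLE_LOCK with the file's contents; the `>=7.28.0` line prints true and the `^7.28.0` line false, which is the difference between the first override and the tightened one in the last commit.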
@mgasner mgasner merged commit 1446240 into main Jun 23, 2026
11 of 12 checks passed
@mgasner mgasner deleted the indent-2026-06-22-dependabot-bumps branch June 23, 2026 00:01
@indent-zero indent-zero Bot mentioned this pull request Jun 24, 2026