fix(client): Phase 2 — clear uuid + dompurify advisories via overrides#550
Merged
Phase 2 of the dep-update sweep. Adds transitive overrides for postcss, uuid, and dompurify. The vite override planned in the spec is dropped: forcing nested vite to 8.x breaks vitest 4.1.0's @vitest/mocker (the known issue from PR #517). The 6 vite advisories that remain are already accepted dev-only exceptions in .osv-scanner.toml; they unblock in Phase 6c (vitest test-infra majors). bun audit: 8 → 6 advisories; the 6 remaining are vite/vitest dev-server paths, all behind .osv-scanner.toml exceptions. Direct-dep bumps the spec planned for this phase (dompurify 3.3.3 → 3.4.2, @sentry/browser 10.44.0 → 10.52.0, @vitejs/plugin-basic-ssl 2.2.0 → 2.3.0) already landed in Phase 1 via targeted bun update; this PR only adds the overrides + CHANGELOG. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Phase 2 of the dep-update sweep (spec, plan). Builds on Phase 1 (#549).
`client/package.json`:

- `postcss ^8.5.10` — clears the postcss XSS advisory pulled via vite
- `uuid ^11.1.1` — clears the buffer-bounds advisory pulled via mermaid
- `dompurify ^3.4.2` — pins mermaid's transitive copy to match the direct dep
- `vite ^8.0.0` override — dropped: forcing nested vite to 8.x breaks vitest 4.1.0's `@vitest/mocker` (537/581 tests fail with "Failed to parse source for import analysis"). This is the exact known issue documented in the `.osv-scanner.toml` exception comments of PR #517 (chore(client): clear 11 devtime advisories via transitive overrides). Phase 6c (vitest test-infra majors) is the unblock path.

`.osv-scanner.toml` — OSV Scanner CI gate is unchanged.

`bun audit`: 8 → 6 advisories (uuid + dompurify-via-mermaid cleared in this PR; 4 cleared in Phase 1).

What's NOT in this PR (and why)

The spec planned this Phase 2 to also bump direct deps for `dompurify`, `@sentry/browser`, `@vitejs/plugin-basic-ssl`. Those bumps already landed in Phase 1 (#549) via targeted `bun update`, since they were within the existing `^` ranges. This PR is just the override additions + the `### Security` CHANGELOG entry.

Test plan

- `cargo deny check` — advisories ok, bans ok, licenses ok, sources ok
- `cargo audit` — exit 0 with established ignore list (no new RUSTSEC entries; this PR is npm-only)
- `bun run test:run` — 32 files, 581/581 tests pass
- `bun run build` — `tsc && vite build` green
- `bun audit` — 8 → 6 advisories (the 6 remaining are vite paths under existing PR #517 exceptions)
- vite@7.x shenanigans — `bun pm ls --all | grep vite@` shows only `vite@8.0.0` (direct) + `vite@7.3.1` (vitest's nested, intentionally preserved until Phase 6c)
- `dompurify` now resolves to `3.4.2` (single copy across the tree)

🤖 Generated with Claude Code
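The last two test-plan items (only one vite@7.x copy, and that one nested under vitest; a single dompurify across the tree) are checked by eye with `bun pm ls --all | grep`. Below is an added example of the same check as a script, written for this page and not code from PR #550 or the project. It walks a dependency tree and reports any package resolved at more than one version, with an allowlist for duplicates that are intentionally kept only beneath a given parent (vite@7.3.1 under vitest until Phase 6c). Everything in it is an assumption except the version numbers the PR states: the tree shape is constructed by hand rather than parsed from `bun pm ls` output or `node_modules`, the mermaid version (11.0.0) and the pre-override dompurify copy under mermaid (3.3.3) are made up for illustration, and `findDuplicateVersions`, `ALLOW`, `AFTER_PHASE_2` and `BEFORE_OVERRIDES` are names chosen here.

```javascript
// Added example (not from PR #550 or the project): audit a dependency tree for
// packages resolved at more than one version, tolerating duplicates that are
// deliberately kept beneath one parent. Tree shape and the versions marked
// "assumed" are constructed for this example; the rest match the PR text.

// Node shape: { name, version, dependencies: [node, ...] }. Building this from
// `bun pm ls --all` output or a node_modules walk is not shown here.
const AFTER_PHASE_2 = {
  name: "client", version: "0.0.0", // root; version is a placeholder
  dependencies: [
    { name: "vite", version: "8.0.0", dependencies: [
        { name: "postcss", version: "8.5.10", dependencies: [] } ] },
    { name: "dompurify", version: "3.4.2", dependencies: [] },
    { name: "mermaid", version: "11.0.0", dependencies: [ // mermaid version assumed
        { name: "dompurify", version: "3.4.2", dependencies: [] },
        { name: "uuid", version: "11.1.1", dependencies: [] } ] },
    { name: "vitest", version: "4.1.0", dependencies: [
        { name: "vite", version: "7.3.1", dependencies: [] } ] },
  ],
};

// The same tree before the dompurify override landed: mermaid still carries its
// own older copy. 3.3.3 is an assumed value, not a number the PR states.
const BEFORE_OVERRIDES = structuredClone(AFTER_PHASE_2);
BEFORE_OVERRIDES.dependencies[2].dependencies[0].version = "3.3.3";

// Allowlist: a duplicate version is tolerated only if every occurrence of it
// sits somewhere below `under`. vite@7.3.1 nested under vitest is the accepted
// exception; the same version hoisted anywhere else would still be flagged.
const ALLOW = [{ name: "vite", version: "7.3.1", under: "vitest" }];

// Returns [{ name, versions: [...], paths: { version: ["a > b > name", ...] } }]
// for every package that still has two or more non-allowlisted versions.
function findDuplicateVersions(root, allow = []) {
  const seen = new Map(); // name -> Map(version -> [ancestorChain, ...])
  const walk = (node, chain) => {
    for (const dep of node.dependencies ?? []) {
      const path = [...chain, dep.name];
      const byVersion = seen.get(dep.name) ?? new Map();
      byVersion.set(dep.version, [...(byVersion.get(dep.version) ?? []), path]);
      seen.set(dep.name, byVersion);
      walk(dep, path);
    }
  };
  walk(root, []);

  const findings = [];
  for (const [name, byVersion] of seen) {
    if (byVersion.size < 2) continue;
    // Keep only versions not fully covered by an allowlist entry.
    const offending = [...byVersion].filter(([version, chains]) =>
      !allow.some(a => a.name === name && a.version === version &&
        chains.every(chain => chain.slice(0, -1).includes(a.under))));
    if (offending.length < 2) continue; // one remaining version: deduped
    findings.push({
      name,
      versions: offending.map(([v]) => v).sort(),
      paths: Object.fromEntries(offending.map(([v, chains]) =>
        [v, chains.map(c => c.join(" > "))])),
    });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Exit non-zero when a duplicate slips through, so this can gate CI the way
// the test-plan grep does by hand.
function assertSingleCopies(root, allow) {
  const dupes = findDuplicateVersions(root, allow);
  if (dupes.length) throw new Error("duplicate versions: " + JSON.stringify(dupes));
  return true;
}

console.log("before overrides:", JSON.stringify(findDuplicateVersions(BEFORE_OVERRIDES, ALLOW)));
console.log("after phase 2:", JSON.stringify(findDuplicateVersions(AFTER_PHASE_2, ALLOW)));
```

Running it prints the dompurify duplicate (3.3.3 via `mermaid > dompurify` next to the direct 3.4.2) for the constructed before-state and an empty list for the after-state; dropping the allowlist makes the script report vite (8.0.0 direct, 7.3.1 under vitest), which is exactly the one duplicate the PR chooses to keep. The allowlist is keyed on the parent rather than just the version so that an unexpected second vite@7.3.1, say hoisted to the top of `node_modules`, is still caught.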