
chore(deps): resolve audit vulnerabilities #57

Merged
atlanticplatformgroup merged 2 commits into main from chore/audit-safe-deps on May 28, 2026

Conversation

@atlanticplatformgroup
Owner

What changed

Bumps direct dependencies and upgrades major dev tooling to clear security advisories.

Version bumps

  • @aws-sdk/* 3.996 → 3.1000
  • @prisma/client 5.7 → 5.22
  • @vitejs/plugin-react 4.2 → 4.7
  • astro 4.0 → 6.3 (peer deps widened to ^4 || ^5 || ^6)
  • express 4.18 → 4.22
  • express-rate-limit 7.1 → 7.5
  • express-validator 7.0 → 7.2
  • fast-glob 3.3.2 → 3.3.3
  • jsdom 28 → 29
  • postcss 8.4 → 8.5.10
  • simple-git 3.21 → 3.36
  • yaml 2.3 → 2.9.0
  • vite 5 → 6.3 (root override + direct devDep in api)
  • vite-node 1.6 → 3.2
  • vitest 1.1/4.0 → 3.2 (all workspaces)
  • @vitest/coverage-v8 4.1 → 3.2

Overrides added

  • vite: ^6.3.0 (prevents workspaces from resolving vite 5)
  • socket.io-parser: ^4.2.6 (clears CVE in socket.io)

Cleared advisories

  • esbuild ≤0.24.2 — now 0.25+ / 0.27+ everywhere
  • socket.io-parser 4.2.5 — now 4.2.6
  • undici via jsdom 28 — now 29+
  • yaml ≤2.8.2 — now 2.9.0

Remaining 17 vulnerabilities

These require upstream fixes or major migrations:

  • fast-xml-parser ≤5.6.0 — needs AWS SDK update
  • flatted ≤3.4.1 — needs eslint/flat-cache update
  • lodash ≤4.17.23 — needs express-validator update
  • path-to-regexp <0.1.13 — needs Express 5
  • picomatch ≤2.3.1 — needs chokidar 4 / micromatch 5
  • devalue 5.6.3-5.8.0 — needs Astro update
  • brace-expansion — needs minimatch 10+
  • esbuild still flagged — advisory DB lag (tree is clean)

Verification

  • npm install succeeds
  • npm run build -w @ori/shared succeeds
  • npm run type-check -w @ori/api succeeds
  • npm run build:check -w @ori/web succeeds
  • npm run test -w @ori/api passes (58 pass, 6 fail due to missing DB credentials — same as before)

Merge strategy

Squash-merge recommended.
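The PR relies on root `overrides` (vite `^6.3.0`, socket.io-parser `^4.2.6`) to keep workspaces from resolving older copies, and the verification list checks builds and tests but not the lockfile itself. The script below is an added example, not code from this PR or the project: it walks an npm v2/v3 `package-lock.json` (the `packages` map keyed by install path) and reports every installed copy of an overridden package, including nested copies under workspace or per-package `node_modules` directories, that does not satisfy the override range. The lockfile here is constructed inline, with a stale nested vite 5 and an old socket.io-parser hoisted under socket.io, which are exactly the two shapes an override is meant to eliminate; the function and variable names are this example's own.

```javascript
// Added example (not from the PR or the project): verify that npm `overrides`
// actually took effect by scanning package-lock.json for every resolved copy of
// each overridden package. Assumes npm lockfile v2/v3 ("packages" keyed by path).
'use strict';

// Parse "1.2.3" (a prerelease suffix, if any, is ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range check covering what an overrides block usually contains:
// exact versions ("4.2.6") and caret ranges ("^6.3.0"). Caret rule as npm
// applies it: major >= 1 -> same major and >= base; 0.x -> same major.minor.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [vMaj, vMin] = parseVersion(version);
    if (vMaj !== bMaj) return false;
    if (bMaj === 0 && vMin !== bMin) return false;
    return compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0;
}

// "apps/web/node_modules/vite" or "node_modules/@scope/name" -> package name.
function nameFromPath(installPath) {
  const idx = installPath.lastIndexOf('node_modules/');
  if (idx === -1) return null; // the root entry "" and workspace roots
  return installPath.slice(idx + 'node_modules/'.length);
}

// Every installed copy that violates an override: [{path, name, version, required}]
function findOverrideViolations(lock, overrides) {
  const violations = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(installPath);
    if (!name || !(name in overrides) || !entry.version) continue;
    const required = overrides[name];
    if (!satisfies(entry.version, required)) {
      violations.push({ path: installPath, name, version: entry.version, required });
    }
  }
  return violations;
}

// Constructed sample lockfile (not the project's): a hoisted vite 6 plus a stale
// nested vite 5 in one workspace, and an old socket.io-parser under socket.io.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-monorepo', workspaces: ['packages/*', 'apps/*'] },
    'node_modules/vite': { version: '6.3.5' },
    'node_modules/socket.io-parser': { version: '4.2.6' },
    'node_modules/@vitejs/plugin-react': { version: '4.7.0' },
    'apps/web/node_modules/vite': { version: '5.4.19' },
    'node_modules/socket.io/node_modules/socket.io-parser': { version: '4.2.4' },
  },
};

// The overrides block as the PR describes it.
const OVERRIDES = { vite: '^6.3.0', 'socket.io-parser': '^4.2.6' };

const found = findOverrideViolations(SAMPLE_LOCK, OVERRIDES);
for (const x of found) {
  console.log(`${x.path}: ${x.name}@${x.version} does not satisfy ${x.required}`);
}
console.log(found.length === 0 ? 'overrides hold' : `${found.length} violation(s)`);
```

To run this against a real tree, replace `SAMPLE_LOCK` with the parsed contents of `package-lock.json` and exit non-zero when the returned array is non-empty; `npm ls vite socket.io-parser --all` shows the same copies for a manual look. Checking the lockfile rather than `npm audit` output is what lets you tell "advisory DB lag" from "a nested copy the override missed".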

Bumps direct dependencies to latest patch/minor versions without
breaking changes:

- @aws-sdk/* 3.996 → 3.1000
- @prisma/client 5.7 → 5.22
- express 4.18 → 4.22
- express-rate-limit 7.1 → 7.5
- express-validator 7.0 → 7.2
- fast-glob 3.3.2 → 3.3.3
- postcss 8.4 → 8.5.10
- simple-git 3.21 → 3.36
- yaml 2.3 → 2.8.2

Reduces npm audit from 26 to 14 vulnerabilities. Remaining issues
require breaking major version bumps (Vite 6, Astro 6, Vitest 2).
…ilities

Bumps direct dependencies to latest patch/minor versions and upgrades
major dev tooling to clear security advisories:

- @aws-sdk/* 3.996 → 3.1000
- @prisma/client 5.7 → 5.22
- @vitejs/plugin-react 4.2 → 4.7
- astro 4.0 → 6.3 (peer deps widened to ^4 || ^5 || ^6)
- express 4.18 → 4.22
- express-rate-limit 7.1 → 7.5
- express-validator 7.0 → 7.2
- fast-glob 3.3.2 → 3.3.3
- jsdom 28 → 29
- postcss 8.4 → 8.5.10
- simple-git 3.21 → 3.36
- yaml 2.3 → 2.9.0
- vite 5 → 6.3 (root override + direct devDep in api)
- vite-node 1.6 → 3.2
- vitest 1.1/4.0 → 3.2 (all workspaces)
- @vitest/coverage-v8 4.1 → 3.2

Adds root npm overrides for vite ^6.3.0 and socket.io-parser ^4.2.6
to prevent workspaces from resolving older vulnerable transitive
versions.

Cleared advisories:
- esbuild ≤0.24.2 (now 0.25+ / 0.27+ everywhere)
- socket.io-parser 4.2.5 (now 4.2.6)
- undici via jsdom 28 (now 29+)
- yaml ≤2.8.2 (now 2.9.0)

Remaining 17 vulnerabilities are upstream transitive deps requiring
major migrations (Express 5, AWS SDK update, Astro update) or
advisory-database lag (esbuild still flagged despite fixed).
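The commit message and the PR description both sort the remaining advisories by hand into "needs a major migration" versus "advisory-database lag". Since npm 7, `npm audit --json` (audit report v2) already carries that information: each entry under `vulnerabilities` has a `fixAvailable` field that is `true` (an `npm audit fix` clears it), `false` (no published fix) or an object `{ name, version, isSemVerMajor }` naming the package whose bump clears it and whether that bump is breaking. The script below is an added example, not code from this PR or the project: it groups a report by that field so the "remaining N require major migrations" claim becomes a computed table. The sample report is constructed using the package names and affected ranges quoted in the PR, but the fix targets and versions in it are placeholders, not real advisory data.

```javascript
// Added example (not from the PR or the project): triage `npm audit --json`
// output by what it would take to fix each advisory. Assumes npm audit report
// v2, where vulnerabilities[name].fixAvailable is true, false, or
// { name, version, isSemVerMajor }.
'use strict';

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// 'fixable': `npm audit fix` or a non-breaking bump of some other package.
// 'breaking': only a semver-major bump upstream clears it (e.g. Express 5).
// 'unfixed': nothing published yet; a malformed entry is treated the same way.
function classify(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return 'fixable';
  if (fix && typeof fix === 'object') return fix.isSemVerMajor ? 'breaking' : 'fixable';
  return 'unfixed';
}

// The concrete action for the triage table.
function describeFix(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return 'npm audit fix';
  if (!fix || typeof fix !== 'object') return 'no fix published; wait for upstream or drop the dependency';
  return `bump ${fix.name} to ${fix.version}${fix.isSemVerMajor ? ' (semver-major)' : ''}`;
}

// Group by class; within a group, worst severity first, then by name.
function triageAudit(report) {
  const groups = { fixable: [], breaking: [], unfixed: [] };
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    groups[classify(entry)].push({
      name,
      severity: entry.severity,
      direct: Boolean(entry.isDirect),
      action: describeFix(entry),
    });
  }
  const worstFirst = (a, b) =>
    (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1) ||
    a.name.localeCompare(b.name);
  for (const list of Object.values(groups)) list.sort(worstFirst);
  return groups;
}

// Constructed sample report. Package names and ranges follow the PR text; the
// severities, fix targets and fix versions are placeholders for illustration.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'socket.io-parser': {
      severity: 'high', isDirect: false, range: '<4.2.6', effects: ['socket.io'],
      fixAvailable: true,
    },
    'fast-xml-parser': {
      severity: 'high', isDirect: false, range: '<=5.6.0', effects: ['@aws-sdk/core'],
      fixAvailable: { name: '@aws-sdk/client-s3', version: '3.1001.0', isSemVerMajor: false },
    },
    'path-to-regexp': {
      severity: 'high', isDirect: false, range: '<0.1.13', effects: ['express'],
      fixAvailable: { name: 'express', version: '5.0.0', isSemVerMajor: true },
    },
    lodash: {
      severity: 'moderate', isDirect: false, range: '<=4.17.23', effects: ['express-validator'],
      fixAvailable: { name: 'express-validator', version: '8.0.0', isSemVerMajor: true },
    },
    flatted: {
      severity: 'low', isDirect: false, range: '<=3.4.1', effects: ['flat-cache'],
      fixAvailable: false,
    },
  },
};

const triage = triageAudit(SAMPLE_REPORT);
for (const [group, list] of Object.entries(triage)) {
  console.log(`${group} (${list.length})`);
  for (const v of list) console.log(`  ${v.severity.padEnd(8)} ${v.name}: ${v.action}`);
}
```

Feed it a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))` in place of `SAMPLE_REPORT`. An entry whose installed versions are already outside `range` but that still appears in the report is the "advisory DB lag" case from the PR; it is worth cross-checking against the lockfile rather than against the advisory text alone.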
atlanticplatformgroup merged commit dfbf96b into main on May 28, 2026
1 check failed