
fix: resolve 10 Dependabot security alerts#836

Merged
BYK merged 1 commit into master from byk/fix/dependabot-security-alerts on Jun 23, 2026

Conversation

BYK commented Jun 23, 2026

Member

Summary

Resolves 10 open Dependabot alerts across 5 CVEs and dismisses 2 low-severity esbuild alerts as tolerable risk.

Alerts Fixed

| Alert(s) | Package | Severity | CVE | Fix |
|---|---|---|---|---|
| #180, #181 | tar | Medium | GHSA-vmf3-w455-68vh | Bump direct pin 7.5.11 -> 7.5.16 |
| #178, #179 | form-data | High | GHSA-hmw2-7cc7-3qxx | pnpm.overrides for 4.0.6 (v4) and 2.5.6 (v2) |
| #172, #176 | vite (root) | High + Medium | GHSA-fx2h-pf6j-xcff, GHSA-v6wh-96g9-6wx3 | Add as direct devDep ^7.3.5 + override |
| #173, #177 | vite (docs) | High + Medium | same | pnpm.overrides in docs |
| #174, #175 | astro | High + Medium | GHSA-2pvr-wf23-7pc7, GHSA-jrpj-wcv7-9fh9 | pnpm update -> 6.4.8 |

Alerts Dismissed (tolerable_risk)

| Alert(s) | Package | Severity | Reason |
|---|---|---|---|
| #167, #168 | esbuild | Low | GHSA-g7r4-m6w7-qqqr - Windows dev-server only vulnerability. Craft is a CLI tool, docs is a static site. Transitive dep of vite@7.3.5 which pins esbuild@^0.27.0 - cannot fix without vite 8 major bump. |

Changes

Root project (package.json)

  • tar: 7.5.11 -> 7.5.16 (direct pin bump)
  • vite: added as devDependency at ^7.3.5 (was only transitive via vitest)
  • pnpm.overrides: added form-data@>=4: ^4.0.6, form-data@<3: ^2.5.6, vite: ^7.3.5

Docs project (docs/package.json)

  • astro: resolved 5.16.11 -> 6.4.8 (specifier ^6.1.10 allowed it)
  • @astrojs/starlight: resolved 0.37.3 -> 0.38.3
  • pnpm.overrides: added vite: ^7.3.5

Verification

  • pnpm build - passed
  • pnpm test - 1025 passed, 1 skipped
  • pnpm lint - 0 errors
  • pnpm docs:build - 27 pages built successfully
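As an added check that is not part of this PR or the Craft repository: once pnpm.overrides are in place, the evidence that the transitive form-data and vite copies actually moved is the resolved lockfile, not package.json. The script below scans a pnpm-lock.yaml (assumed to use the v9 layout, where entries under `packages:` are keyed `name@version`, optionally with a peer-dependency suffix in parentheses) and reports any copy of a policed package still resolved below the floor its override was meant to enforce. The floors mirror the overrides and pins listed in this PR; the lockfile fragment is constructed for the example and deliberately contains one form-data copy that the `form-data@<3` override should have lifted.

```javascript
// Added example (not the project's own code): verify that pnpm.overrides
// took effect by checking resolved versions in pnpm-lock.yaml against floors.
// Assumes the pnpm-lock.yaml v9 layout: "  name@version:" keys under "packages:".

// Policy mirroring this PR's overrides/pins. Each rule has a selector over the
// parsed version (the override's major-version filter) and a minimum version.
const POLICY = {
  'form-data': [
    { selector: (v) => v.major >= 4, floor: '4.0.6' }, // form-data@>=4: ^4.0.6
    { selector: (v) => v.major < 3,  floor: '2.5.6' }, // form-data@<3:  ^2.5.6
  ],
  vite: [{ selector: () => true, floor: '7.3.5' }],    // vite: ^7.3.5
  tar:  [{ selector: () => true, floor: '7.5.16' }],   // direct pin 7.5.16
};

// Parse the leading major.minor.patch of a version string; null if absent.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3], raw: s } : null;
}

// Numeric comparison of two parsed versions (negative if a < b).
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Extract {name, version} pairs from the top-level `packages:` section only;
// the `importers:` and `snapshots:` sections are skipped.
function lockedPackages(lockText) {
  const out = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    // Two-space indented key, optionally quoted (scoped names are quoted),
    // version ends at a quote, colon, whitespace or peer-dep suffix "(...)".
    const m = /^  '?((?:@[^\/'\s]+\/)?[^@'\s]+)@([^':\s(]+)/.exec(line);
    if (m && line.trimEnd().endsWith(':')) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// Every locked copy of a policed package that sits below its floor.
function findViolations(lockText, policy = POLICY) {
  const violations = [];
  for (const { name, version } of lockedPackages(lockText)) {
    const rules = policy[name];
    const v = parseVersion(version);
    if (!rules || !v) continue;
    for (const rule of rules) {
      if (rule.selector(v) && compare(v, parseVersion(rule.floor)) < 0) {
        violations.push({ name, version, floor: rule.floor });
      }
    }
  }
  return violations;
}

// Constructed lockfile fragment (not a real lockfile): form-data@2.5.3 is the
// copy an override should have lifted; everything else is at or above its floor.
const SAMPLE_LOCK = `lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      tar:
        specifier: 7.5.16
        version: 7.5.16

packages:

  '@types/node-fetch@2.6.13':
    resolution: {integrity: sha512-constructed}

  form-data@2.5.3:
    resolution: {integrity: sha512-constructed}

  form-data@4.0.6:
    resolution: {integrity: sha512-constructed}

  tar@7.5.16:
    resolution: {integrity: sha512-constructed}

  vite@7.3.5(@types/node@22.0.0):
    resolution: {integrity: sha512-constructed}

snapshots:
  form-data@2.5.3: {}
`;

for (const b of findViolations(SAMPLE_LOCK)) {
  console.log(`${b.name}@${b.version} is still below floor ${b.floor}`);
}
```

Run against the real lockfile by reading it with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and passing the text to `findViolations`; an empty result is what you want to see before closing the Dependabot alert. The manual equivalent for one package is `pnpm why form-data`, which shows which dependents still pull in each resolved copy.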

github-actions Bot commented Jun 23, 2026

Contributor
PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-06-23 10:29 UTC

Fixes 10 open alerts across 5 CVEs; dismisses 2 low-severity esbuild
alerts as tolerable risk (Windows dev-server only, not applicable to
this CLI tool).

Root project:
- tar: bump direct pin 7.5.11 -> 7.5.16 (GHSA-vmf3-w455-68vh, medium)
- form-data: add pnpm.overrides for 4.0.6 and 2.5.6 to fix transitive
  copies via @types/node-fetch and @types/request (GHSA-hmw2-7cc7-3qxx, high)
- vite: add as direct devDep at ^7.3.5 + override to fix transitive
  copy via vitest (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3 medium)

Docs project:
- astro: bump 5.16.11 -> 6.4.8 via pnpm update (GHSA-2pvr-wf23-7pc7
  high, GHSA-jrpj-wcv7-9fh9 medium)
- vite: add override ^7.3.5 (same CVEs as root)

Dismissed (tolerable_risk):
- esbuild 0.27.7 (GHSA-g7r4-m6w7-qqqr, low) - transitive dep of
  vite 7.3.5 which pins esbuild ^0.27.0; cannot fix without vite 8
  major bump; Windows dev-server only vulnerability
BYK force-pushed the byk/fix/dependabot-security-alerts branch from 3609b2e to 5d23e76 on June 23, 2026 10:22
BYK merged commit 67eb802 into master on Jun 23, 2026
22 checks passed
BYK deleted the byk/fix/dependabot-security-alerts branch on June 23, 2026 10:29