Summary
Charter's own workspace needs a dependency hygiene pass. This came up while consuming @stackbilt/cli@1.0.0 from img-forge: the published CLI is current, but Charter's repo audit still reports vulnerable transitive packages in the MCP SDK and Vitest/Vite tooling paths.
Evidence from live repo check
From /mnt/c/users/kover/documents/charter on main:
npm view @stackbilt/cli version -> 1.0.0pnpm outdated --format json only reported breaking-major candidates:
typescript current/wanted 5.8.3, latest 6.0.3zod current/wanted 3.25.76, latest 4.4.3
pnpm audit --audit-level moderate initially reported 27 vulnerabilities:
- Vite/Vitest path:
vite@7.3.1, esbuild@0.28.0
- MCP SDK path through
@stackbilt/cli -> @modelcontextprotocol/sdk@1.29.0:
@hono/node-server@1.19.12hono@4.12.9fast-uri@3.1.0qs@6.15.0ip-address@10.1.0
Candidate remediation tested locally
A focused root pnpm.overrides block plus explicit root vite@7.3.2 reduced the audit to zero known vulnerabilities:
"devDependencies": {
"vite": "7.3.2"
},
"pnpm": {
"overrides": {
"@hono/node-server": "1.19.14",
"esbuild": "0.28.1",
"fast-uri": "4.0.0",
"hono": "4.12.25",
"ip-address": "10.1.1",
"qs": "6.15.2",
"vite": "7.3.2"
}
}After this, pnpm audit --audit-level moderate returned:
No known vulnerabilities found
And dependency paths resolved to patched versions:
@hono/node-server@1.19.14hono@4.12.25fast-uri@4.0.0qs@6.15.2ip-address@10.1.1vite@7.3.2esbuild@0.28.1
Additional test gap surfaced
The full test suite has an unrelated stale assertion:
packages/scaffold-core/src/__tests__/package.test.ts
expected '1.2.0' to be '1.1.0'
packages/scaffold-core/package.json reports 1.2.0, so the test should be updated or made less brittle as part of this cleanup.
Acceptance criteria
Notes
Avoid broad major upgrades for this pass. typescript@6 and zod@4 showed as latest, but they are breaking-major candidates and are not needed for the audit cleanup.
Summary
Charter's own workspace needs a dependency hygiene pass. This came up while consuming
@stackbilt/cli@1.0.0fromimg-forge: the published CLI is current, but Charter's repo audit still reports vulnerable transitive packages in the MCP SDK and Vitest/Vite tooling paths.Evidence from live repo check
From
/mnt/c/users/kover/documents/charteronmain:npm view @stackbilt/cli version->1.0.0pnpm outdated --format jsononly reported breaking-major candidates:typescriptcurrent/wanted5.8.3, latest6.0.3zodcurrent/wanted3.25.76, latest4.4.3pnpm audit --audit-level moderateinitially reported 27 vulnerabilities:vite@7.3.1,esbuild@0.28.0@stackbilt/cli -> @modelcontextprotocol/sdk@1.29.0:@hono/node-server@1.19.12hono@4.12.9fast-uri@3.1.0qs@6.15.0ip-address@10.1.0Candidate remediation tested locally
A focused root
pnpm.overridesblock plus explicit rootvite@7.3.2reduced the audit to zero known vulnerabilities:After this,
pnpm audit --audit-level moderatereturned:And dependency paths resolved to patched versions:
@hono/node-server@1.19.14hono@4.12.25fast-uri@4.0.0qs@6.15.2ip-address@10.1.1vite@7.3.2esbuild@0.28.1Additional test gap surfaced
The full test suite has an unrelated stale assertion:
packages/scaffold-core/package.jsonreports1.2.0, so the test should be updated or made less brittle as part of this cleanup.Acceptance criteria
package.json/pnpm-lock.yaml.pnpm audit --audit-level moderatereports no known vulnerabilities.pnpm run buildpnpm run typecheckpnpm run testpnpm run publish:checkpnpm run verify:adfNotes
Avoid broad major upgrades for this pass.
typescript@6andzod@4showed as latest, but they are breaking-major candidates and are not needed for the audit cleanup.