Patch all Dependabot CVEs (vite, electron, overrides)#60
Merged
Conversation
Bumps the two direct devDependencies whose vulnerable trees account for nearly all open Dependabot alerts:
- vite 7.3.1 -> 7.3.2 (CVE-2026-39363 / -39364 / -39365)
- electron 40.0.0 -> 40.8.5 (CVE-2026-34770..34781 and related)

Adds npm `overrides` to lift the remaining transitive vulnerabilities that don't auto-resolve through the direct bumps:
- tar -> 7.5.13
- tmp -> 0.2.4
- dompurify -> 3.4.0
- @tootallnate/once -> 3.0.1

Tightens `engines.node` from `22` to `>=22.12` to match what vite 7.3.2 itself declares (`^20.19.0 || >=22.12.0`). The forge plugin uses `require('vite')` and vite 7 is ESM-only, so Node below 22.12 hits ERR_REQUIRE_ESM at `npm start`. CI's `node-version: 22` resolves to a 22.12+ release already; the change only affects local dev.

After these changes `npm audit` reports `found 0 vulnerabilities`.
Three small, unrelated clean-ups surfaced while verifying the CVE
upgrade but visible on main as well:
- Remove the invalid `style="flex: 1; display: 'grid'; gap: '12px'"`
from <RuleResults> in App.vue. The quoted `'grid'` / `'12px'` were
never valid CSS (browsers discarded them) and the attribute only
tripped Vue's "Extraneous non-props attributes on fragment root"
warning on every re-render.
- Drop `defineEmits` from the `vue` import in RuleResults.vue;
`<script setup>` exposes it as a compiler macro, so the explicit
import triggered `[@vue/compiler-sfc] defineEmits is a compiler
macro and no longer needs to be imported.`
- Replace `darken($primary-color, 8%)` with
`color.adjust($primary-color, $lightness: -8%)` in App.vue and add
`@use 'sass:color';` to the style block. This is the Sass migrator's
own suggestion and silences both the `global-builtin` and
`color-functions` deprecation warnings ahead of Dart Sass 3.0.
Summary

Closes every open Dependabot alert (21 high / 20 moderate / 6 low on main) without changing any application behaviour.

Direct bumps
- vite 7.3.1 → 7.3.2 (CVE-2026-39363 / -39364 / -39365 — arbitrary file read, `server.fs.deny` bypass, path traversal in optimized-deps.map)
- electron 40.0.0 → 40.8.5 (CVE-2026-34770..34781 and related — 15 alerts cleared in one bump)

Forced transitive upgrades via `overrides` (required because they don't lift through the direct bumps):
- tar → 7.5.13
- tmp → 0.2.4
- dompurify → 3.4.0
- @tootallnate/once → 3.0.1

`engines.node` tightened from `22` to `>=22.12` to match what vite 7.3.2 itself declares. The forge plugin uses `require('vite')` and vite 7 is ESM-only, so Node below 22.12 hits `ERR_REQUIRE_ESM` at `npm start`. CI's `node-version: 22` already resolves to a 22.12+ release; the change only affects local dev.

After the changes: `npm audit` reports 0 vulnerabilities.

Bundled clean-ups

Three unrelated warnings were noisy in the dev console and trivial to kill while we were already in the files; none changes behaviour:
- `style="flex: 1; display: 'grid'; gap: '12px'"` attribute on `<RuleResults>` in App.vue (browsers discarded the quoted values; only the Vue fragment-root warning remained).
- `defineEmits` from the `vue` import in RuleResults.vue — it's a `<script setup>` compiler macro.
- `darken($primary-color, 8%)` → `color.adjust($primary-color, $lightness: -8%)` + `@use 'sass:color';` in App.vue (the Sass migrator's own suggestion; silences the Dart Sass 3.0 deprecations).

Notes
- `nvm use 22` (or `nvm install 22`). CI is unaffected.
- Missing requestHandler or method: doValidation, Could not create web worker(s), etc.). Not yet verified whether they also occur on main, nor whether they disappear in the packaged build — tracking separately from this PR.
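The PR relies on npm `overrides` to lift transitive copies of tar, tmp, dompurify and @tootallnate/once that the direct bumps leave behind. The following is an added example, not code from this PR or project, that checks a package-lock.json for any installed copy of those packages (including ones nested under another dependency) still below the override version; the lock excerpt, the `some-tool` package and its versions are constructed for the demonstration.

```javascript
// Added example, not the PR's code: check that npm `overrides` really took effect
// by scanning a package-lock.json (lockfileVersion 2/3) "packages" map for every
// copy of each overridden package, nested copies included. Lock data is constructed.

const OVERRIDES = {
  tar: '7.5.13',
  tmp: '0.2.4',
  dompurify: '3.4.0',
  '@tootallnate/once': '3.0.1',
};
// Compare dotted numeric versions (pre-release suffixes ignored): -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Package name from a lock path like "node_modules/x/node_modules/@scope/pkg".
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? lockPath : lockPath.slice(idx + 'node_modules/'.length);
}

// Every installed copy of an overridden package that is still below the override;
// an empty result means the overrides lifted the nested copies as well.
function findStaleCopies(lock, overrides = OVERRIDES) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageName(lockPath);
    const min = overrides[name];
    if (min && compareVersions(entry.version, min) < 0) {
      stale.push({ path: lockPath, name, version: entry.version, wanted: min });
    }
  }
  return stale;
}

// Constructed lock excerpt: the hoisted tar is fixed, but a made-up build tool
// still nests older copies of tar and @tootallnate/once.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/tar': { version: '7.5.13' },
    'node_modules/some-tool/node_modules/tar': { version: '6.2.1' },
    'node_modules/some-tool/node_modules/@tootallnate/once': { version: '2.0.0' },
  },
};
```

Call `findStaleCopies(SAMPLE_LOCK)` to see the two stale nested copies; for a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead and treat a non-empty result as an override that did not apply.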