Skip to content

fix(security): addresses dependabot security concerns#42

Merged
robert-7 merged 1 commit into
gh-pagesfrom
security-fixes
Jul 1, 2026
Merged

fix(security): addresses dependabot security concerns#42
robert-7 merged 1 commit into
gh-pagesfrom
security-fixes

Conversation

@robert-7

@robert-7 robert-7 commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Summary

  • Addresses Dependabot alert #7, #8, and #9.
  • Pins Vite to 7.3.5 to address the Windows dev-server path handling advisories.
  • Pins esbuild to 0.28.1 and refreshes the lockfile platform packages to the patched release.

Verification

  • pnpm install completed successfully with pnpm 11.9.0.
  • Lockfile passed the repository supply-chain policy check.
  • Confirmed pnpm overrides now live in pnpm-workspace.yaml, where pnpm 11 reads them.

Dependabot Alerts

  • Alert #7: esbuild arbitrary file read on Windows dev server, fixed by esbuild 0.28.1.
  • Alert #8: Vite server.fs.deny bypass on Windows alternate paths, fixed by Vite 7.3.5.
  • Alert #9: Vite / launch-editor UNC path handling issue, fixed by Vite 7.3.5.

@robert-7 robert-7 merged commit 2bb0fea into gh-pages Jul 1, 2026
1 check passed
@robert-7 robert-7 deleted the security-fixes branch July 4, 2026 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant