
fix(deps): patch vite and qs security vulnerabilities#91

Merged
PAMulligan merged 2 commits into main from deps/patch-vite-qs-vulns on May 25, 2026

Conversation

@PAMulligan
Collaborator

Summary

Resolves all 4 open Dependabot alerts (2 high, 2 moderate). Both affected packages are dev-only transitive dependencies (test tooling), not shipped to production.

| Package | Severity | Advisory | Issue | Before → After |
| --- | --- | --- | --- | --- |
| vite | High | GHSA-p9ff-h696-f583 | arbitrary file read via dev-server WebSocket | 8.0.0 → 8.0.14 |
| vite | High | GHSA-v2wj-q39q-566r | server.fs.deny bypass with queries | 8.0.0 → 8.0.14 |
| vite | Moderate | GHSA-4w7w-66w2-5vf9 | path traversal in optimized deps .map | 8.0.0 → 8.0.14 |
| qs | Moderate | GHSA-q8mj-m7cp-5q26 | qs.stringify DoS | 6.15.1 → 6.15.2 |

Approach

  • vite is added as a direct devDependency (^8.0.5, resolves to 8.0.14). It enters the tree as an auto-installed peer of vitest, and 8.0.0 satisfied vitest's ^8.0.0 peer range — so a pnpm.overrides entry alone did not bump it. Declaring it directly forces the patched version while still satisfying the peer.
  • qs is pinned via pnpm.overrides (^6.15.2); it is transitive through @stryker-mutator/core → typed-rest-client.

Testing

  • pnpm why vite → 8.0.14, pnpm why qs → 6.15.2 ✅
  • Test suite runs under the new vite. The pre-existing failures in metrics-dashboard/pipeline-cache/stage-profiler/verify-all subprocess tests were confirmed to also fail on main's deps (Windows-local; they pass in Linux CI) and are unrelated to this change.

🤖 Generated with Claude Code
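
The PR verifies the bump with `pnpm why`, which prints the dependency path to the copy that a package resolves to. A pnpm lockfile can still carry a second, older copy of the same package under a different snapshot (for example a stale `qs@6.15.1` kept alive by a peer-dependency variant), and an override that failed to apply leaves exactly that kind of residue. The script below is an added example, not code from this PR or the project: it scans pnpm-lock.yaml text for every `name@x.y.z` key and `name: x.y.z` dependency edge of the packages in the PR table and reports any occurrence below the patched floor. The lockfile excerpt is constructed for the example (lockfile v9 layout is assumed; the integrity hashes and the versions of typed-rest-client and vitest are placeholders), with one stale qs copy left in deliberately so the check has something to find.

```javascript
// Added example (not from the PR or project): flag any copy of a package in a
// pnpm lockfile that resolves below the version the Dependabot fix requires.
// Floors are the "After" column of the PR table.
const PATCHED_FLOOR = { vite: '8.0.14', qs: '6.15.2' };

// Constructed pnpm-lock.yaml excerpt (assumed v9 layout). Hashes and the
// versions of typed-rest-client / vitest are placeholders, not real data.
// The qs@6.15.1 key and the `qs: 6.15.1` edge are the stale copies to catch.
const SAMPLE_LOCK = `lockfileVersion: '9.0'
importers:
  .:
    devDependencies:
      vite:
        specifier: ^8.0.5
        version: 8.0.14
packages:
  qs@6.15.1:
    resolution: {integrity: sha512-constructed}
  qs@6.15.2:
    resolution: {integrity: sha512-constructed}
  vite@8.0.14:
    resolution: {integrity: sha512-constructed}
snapshots:
  typed-rest-client@1.0.0:
    dependencies:
      qs: 6.15.1
  vitest@4.0.0(vite@8.0.14):
    dependencies:
      vite: 8.0.14
`;

// Parse "major.minor.patch" (prerelease/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Scan lockfile text line by line. Matches both the package/snapshot key form
// ("qs@6.15.1:", "vitest@4.0.0(vite@8.0.14)") and the dependency-edge form
// ("qs: 6.15.1"). The leading delimiter class keeps "vitest@" or "vite-node@"
// from matching the "vite" floor. Returns one record per stale occurrence.
function findStaleEntries(lockfileText, floors) {
  const names = Object.keys(floors)
    .map((n) => n.replace(/[.*+?^${}()|[\]\\/]/g, '\\$&'))
    .join('|');
  const re = new RegExp(`(?:^|[\\s(/])(${names})(?:@|:\\s+)(\\d+\\.\\d+\\.\\d+)`, 'g');
  const stale = [];
  lockfileText.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(re)) {
      const [, name, version] = m;
      if (compareSemver(version, floors[name]) < 0) {
        stale.push({ name, version, line: idx + 1 });
      }
    }
  });
  return stale;
}

// Stand-alone run against the constructed excerpt. In practice, read
// pnpm-lock.yaml from disk and fail CI when the list is non-empty.
for (const s of findStaleEntries(SAMPLE_LOCK, PATCHED_FLOOR)) {
  console.log(`stale ${s.name}@${s.version} at lockfile line ${s.line}`);
}
```

`pnpm why` answers "which copy does the test tooling use"; this check answers "is any copy below the floor still installed at all", which is the question Dependabot keeps re-opening alerts about. Run it after `pnpm install` and before committing the lockfile.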

PAMulligan and others added 2 commits May 24, 2026 23:26
Resolve 4 Dependabot alerts (2 high, 2 moderate), both dev-only deps:
- vite 8.0.0 -> 8.0.14: GHSA-p9ff-h696-f583 (arbitrary file read via
  dev-server WebSocket), GHSA-v2wj-q39q-566r (server.fs.deny bypass),
  GHSA-4w7w-66w2-5vf9 (path traversal in optimized deps)
- qs 6.15.1 -> 6.15.2: GHSA-q8mj-m7cp-5q26 (stringify DoS)

vite is added as a direct devDependency because it is an auto-installed
peer of vitest (8.0.0 satisfied vitest's '^8.0.0' peer range, so a pnpm
override alone would not bump it). qs is pinned via pnpm overrides since
it is transitive through @stryker-mutator/core -> typed-rest-client.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@PAMulligan PAMulligan merged commit b8e3496 into main May 25, 2026
6 checks passed
