Skip to content

fix(deps): resolve Dependabot security alerts in docs toolchain#45

Merged
0ptaq0 merged 2 commits into
mainfrom
fix/dependabot-security-alerts
Jul 6, 2026
Merged

fix(deps): resolve Dependabot security alerts in docs toolchain#45
0ptaq0 merged 2 commits into
mainfrom
fix/dependabot-security-alerts

Conversation

@0ptaq0

@0ptaq0 0ptaq0 commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

Resolves the open Dependabot alerts on the VitePress documentation toolchain. All are development-only dependencies (docs build/dev server), but worth locking down.

VitePress 1.6.4 pins vite@^5.4.14, and the vite fixes only exist in 6.4.3+ (no 5.x backport), so patched transitives are enforced via npm overrides.

Alerts fixed

Severity Package Advisory Patched
High form-data Unsafe random boundary generation 4.0.6
High vite server.fs.deny bypass on Windows alternate paths 6.4.3
Moderate vite Path traversal in optimized deps .map handling 6.4.3
Moderate esbuild Dev server request/response exposure 0.25.12
Low @babel/core Arbitrary file read via sourceMappingURL comment 7.29.6

Also pulls non-breaking npm audit fix bumps for ajv, brace-expansion, js-yaml and related transitives (incl. launch-editor 2.14.1).

Verification

  • npm audit0 vulnerabilities
  • npm run docs:build → build complete, no errors
  • npm run docs:dev → server boots, pages render (HTTP 200)

Add npm overrides to pull patched transitive dev dependencies used by
the VitePress docs site:

- vite 6.4.3 (server.fs.deny bypass, .map path traversal)
- esbuild 0.25.12 (dev-server request/response exposure)
- launch-editor 2.14.1 (NTLMv2 hash disclosure on Windows)
- @babel/core 7.29.6 (arbitrary file read via sourceMappingURL)

Also picks up non-breaking audit fixes for form-data, ajv,
brace-expansion, js-yaml and related transitives. npm audit now
reports 0 vulnerabilities. Docs build and dev server verified working.
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
async-lib Ready Ready Preview, Comment Jul 6, 2026 1:40pm

Request Review

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🧪 Apex Test Results

✅ All Tests Passed

==========================================
     APEX TEST EXECUTION SUMMARY
==========================================

📊 Total Tests: 159
✅ Passed: 159
❌ Failed: 0
⏭️  Skipped: 0


🎉 All tests passed successfully!

📦 Download Full Test Results & Logs


📊 Stats: 159 total | ✅ 159 passed | ❌ 0 failed
🤖 Automated comment by Salesforce CI

sf CLI latest needs Node >=22; Node 20 crashes on undici/jsforce.
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.10%. Comparing base (d65189c) to head (d281ca7).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #45      +/-   ##
==========================================
+ Coverage   99.06%   99.10%   +0.03%     
==========================================
  Files          15       16       +1     
  Lines         963     1002      +39     
==========================================
+ Hits          954      993      +39     
  Misses          9        9              
Flag Coverage Δ
Apex 99.10% <ø> (+0.03%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@0ptaq0
0ptaq0 merged commit 991d0b4 into main Jul 6, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant