Skip to content

fix(deps): resolve Dependabot security alerts in docs toolchain#55

Merged
0ptaq0 merged 2 commits into
mainfrom
fix/dependabot-security-alerts
Jul 6, 2026
Merged

fix(deps): resolve Dependabot security alerts in docs toolchain#55
0ptaq0 merged 2 commits into
mainfrom
fix/dependabot-security-alerts

Conversation

@0ptaq0

@0ptaq0 0ptaq0 commented Jul 6, 2026

Copy link
Copy Markdown
Member

Summary

Resolves the 5 open Dependabot alerts on the VitePress documentation toolchain. All are development-only dependencies (docs build/dev server), but worth locking down.

VitePress 1.6.4 pins vite@^5.4.14, and the vite fixes only exist in 6.4.3+ (no 5.x backport), so patched transitives are enforced via npm overrides.

Alerts fixed

Severity Package Advisory Patched
High vite server.fs.deny bypass on Windows alternate paths 6.4.3
Moderate vite Path traversal in optimized deps .map handling 6.4.3
Moderate launch-editor NTLMv2 hash disclosure via UNC path on Windows 2.14.1
Moderate esbuild Dev server request/response exposure 0.25.12
Low @babel/core Arbitrary file read via sourceMappingURL comment 7.29.6

Also pulls non-breaking npm audit fix bumps for ws, yaml, js-yaml, ajv, brace-expansion and joi.

Verification

  • npm audit0 vulnerabilities
  • npm run docs:build → build complete, no errors
  • npm run docs:dev → server boots, pages render (HTTP 200)

0ptaq0 added 2 commits July 6, 2026 08:41
Add npm overrides to pull patched transitive dev dependencies used by
the VitePress docs site:

- vite 6.4.3 (server.fs.deny bypass, .map path traversal)
- esbuild 0.25.12 (dev-server request/response exposure)
- launch-editor 2.14.1 (NTLMv2 hash disclosure on Windows)
- @babel/core 7.29.6 (arbitrary file read via sourceMappingURL)

Also picks up non-breaking audit fixes for ws, yaml, js-yaml, ajv,
brace-expansion and joi. npm audit now reports 0 vulnerabilities.
Docs build and dev server verified working.
Align with the reusable workflow default. apex-code-coverage-transformer
2.23.1+ requires Node >=22, and the sf CLI (installed via npm global)
runs on the workflow Node, so the coverage step needs Node 22.
@vercel

vercel Bot commented Jul 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dml-lib Ready Ready Preview, Comment Jul 6, 2026 2:29pm

Request Review

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🧪 Apex Test Results

✅ All Tests Passed

==========================================
     APEX TEST EXECUTION SUMMARY
==========================================

📊 Total Tests: 378
✅ Passed: 378
❌ Failed: 0
⏭️  Skipped: 0


🎉 All tests passed successfully!

📦 Download Full Test Results & Logs


📊 Stats: 378 total | ✅ 378 passed | ❌ 0 failed
🤖 Automated comment by Salesforce CI

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.70%. Comparing base (3729758) to head (2abe422).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #55   +/-   ##
=======================================
  Coverage   97.70%   97.70%           
=======================================
  Files           1        1           
  Lines        1044     1044           
=======================================
  Hits         1020     1020           
  Misses         24       24           
Flag Coverage Δ
Apex 97.70% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@0ptaq0
0ptaq0 merged commit fb99a27 into main Jul 6, 2026
5 checks passed
@0ptaq0
0ptaq0 deleted the fix/dependabot-security-alerts branch July 6, 2026 14:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant