
Update dependencies#107

Merged
danielchalmers merged 2 commits into main from chore/update-dependencies on Jun 17, 2026

@danielchalmers danielchalmers commented Jun 17, 2026

Owner

Summary

Refreshes the lockfile (it had drifted behind node_modules, so npm ci would have downgraded) and bumps devDependency floors to the latest published versions. No source files change.

| Package | Was | Now |
| --- | --- | --- |
| @playwright/test | 1.59.1 | 1.61.0 |
| @types/chrome | 0.1.42 | 0.1.43 |
| @types/node | 25.6.2 | 25.9.3 |
| eslint | 10.3.0 | 10.5.0 |
| prettier | 3.8.3 | 3.8.4 |
| typescript-eslint | 8.59.2 | 8.61.1 |
| vitest | 4.1.5 | 4.1.9 |

Already latest, unchanged: @eslint/js, eslint-config-prettier, typescript, wxt.

Security

npm audit goes from 6 vulnerabilities (1 high, 4 critical, 1 low) to 1 low:

  • High (fixed): transitive sweep moves vite 8.0.12 → 8.0.16, out of the vulnerable 8.0.0–8.0.15 range (Windows fs.deny bypass / NTLM hash disclosure).
  • 4 criticals (fixed): added overrides: shell-quote ^1.8.4. The vulnerable shell-quote is reached only through the dev-only Firefox web-ext runner chain under wxt; npm's suggested auto-fix would have downgraded wxt to 0.3.2 (destructive), so an override is used instead. API-stable, dev-only path this Chrome/Edge extension never executes.
  • 1 low (left, documented): esbuild dev-server file-read (Windows-only) is only patched in 0.28.1, but wxt pins esbuild@^0.27.1. Forcing it across the minor boundary risks breaking the build for a low-severity dev-only issue, so it's intentionally left.
  • uuid override held at ^11.1.1 (latest 14.0.0 is a forced transitive 3-major jump with no security driver).

Validation

  • ✅ lint · typecheck (source + tests) · 157 unit tests
  • ✅ build + zip
  • ✅ 40/40 e2e (Playwright 1.61.0 — its new chromium-1228 was downloaded locally)

Refresh the lockfile (which had drifted behind node_modules) and bump
devDependency floors to the latest published versions:

- @playwright/test 1.59.1 -> 1.61.0
- @types/chrome 0.1.42 -> 0.1.43
- @types/node 25.6.2 -> 25.9.3
- eslint 10.3.0 -> 10.5.0
- prettier 3.8.3 -> 3.8.4
- typescript-eslint 8.59.2 -> 8.61.1
- vitest 4.1.5 -> 4.1.9

The transitive sweep moves vite 8.0.12 -> 8.0.16, clearing a
high-severity advisory (GHSA-fx2h-pf6j-xcff / GHSA-v6wh-96g9-6wx3).

Add a shell-quote ^1.8.4 override to clear 4 critical advisories in the
dev-only web-ext (Firefox) runner chain under wxt, without npm's
suggested destructive wxt downgrade.

Validated: lint, typecheck (source + tests), 157 unit tests, build,
zip, and 40 e2e tests all pass.
@danielchalmers danielchalmers force-pushed the chore/update-dependencies branch from cc99956 to 75ba30f June 17, 2026 19:25
@playwright/test 1.61.0 requires chromium-1228, which is only present
in the matching v1.61.0-noble Playwright Docker image. The e2e job was
still pinned to v1.59.1-noble, so the browser binary was missing.
@danielchalmers danielchalmers changed the title from "Update dependencies to latest and pin shell-quote override" to "Update dependencies" Jun 17, 2026
@danielchalmers danielchalmers merged commit 2bd2f52 into main Jun 17, 2026
4 checks passed
@danielchalmers danielchalmers deleted the chore/update-dependencies branch June 17, 2026 19:37
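
An added example, not part of this pull request or the project's code: a lockfile check that confirms every installed copy of shell-quote and vite, including nested ones, meets the versions named in the description above. It checks only the 1.8.4 floor of the `^1.8.4` override and the 8.0.0–8.0.15 vite range; the function names, the sample lockfile and its nested `web-ext` path are constructed for illustration.

```javascript
// Added example: the sample lockfile below is constructed, not the project's real one.
// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (assumption).
const parse = (v) => v.split(/[-+]/)[0].split(".").map(Number);

// Compare two versions: negative if a < b, 0 if equal, positive if a > b.
function cmp(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` in a lockfileVersion 2/3 "packages" map,
// including copies nested under another package's node_modules.
function findInstalls(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Rules taken from the PR description: shell-quote floor 1.8.4,
// vite must sit outside the vulnerable 8.0.0-8.0.15 range.
const RULES = [
  { name: "shell-quote", bad: (v) => cmp(v, "1.8.4") < 0 },
  { name: "vite", bad: (v) => cmp(v, "8.0.0") >= 0 && cmp(v, "8.0.15") <= 0 },
];

// Returns "path@version" for each installed copy that violates a rule.
function auditLock(lock, rules = RULES) {
  return rules.flatMap((r) =>
    findInstalls(lock, r.name)
      .filter((i) => r.bad(i.version))
      .map((i) => `${i.path}@${i.version}`));
}

// Constructed lockfile fragment: a nested shell-quote the override did not reach.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-extension" },
    "node_modules/vite": { version: "8.0.16" },
    "node_modules/shell-quote": { version: "1.8.4" },
    "node_modules/web-ext/node_modules/shell-quote": { version: "1.8.1" },
  },
};

console.log(auditLock(sampleLock));
```

Run against a parsed `package-lock.json` in CI, a non-empty result means an override or transitive bump did not take effect for some nested copy.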