chore(deps): fix remaining high-priority Dependabot alerts#629
Merged
Direct dependency bumps:
- @playwright/test ^1.51.1 → ^1.55.1 (high, #118): SSL cert verification
- vite 5.4.19 → 5.4.21 (medium, #120/#121; low, #105–#108): fs.deny bypass + fs settings

pnpm overrides for transitive dependencies:
- defu <6.1.5 → ^6.1.5 (high, #219): prototype pollution
- vite >=6.0.0 <6.4.2 → 6.4.2 (high, #221; medium, #220/#222): arbitrary file read + path traversal

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Updates JavaScript tooling dependencies and introduces pnpm overrides to address multiple Dependabot security alerts (notably high-severity issues in Playwright, defu, and Vite), while keeping the repo’s primary Vite (5.x) pinned and overriding only affected Vite 6.x ranges.
Changes:
- Bump `@playwright/test` and root `vite` devDependency versions.
- Add pnpm overrides for `defu` and for vulnerable `vite` 6.x ranges.
- Update `pnpm-lock.yaml` to reflect the new resolutions.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Adds pnpm overrides for defu and vite and bumps devDependency versions (@playwright/test, vite). |
| pnpm-lock.yaml | Applies updated resolutions and override effects in the lockfile (including updated Playwright/defu/Vite entries). |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Change the vite override target from exact "6.4.2" to "^6.4.2" so that pnpm records a caret range (^6.4.2) in lockfile peerDependencies rather than an exact pin. This is still narrower than the original published ranges (a known pnpm override side-effect) but allows future patch versions without lockfile churn.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 1 out of 2 changed files in this pull request and generated no new comments.
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
sea-snake approved these changes on Apr 7, 2026
Summary

Bumps direct dependencies and adds pnpm overrides to resolve 3 high-severity alerts (plus 8 medium/low for free):

High:
- `@playwright/test` `^1.51.1` → `^1.55.1` in root `package.json` (#118): SSL certificate verification bypass
- `defu` `<6.1.5` → `^6.1.5` via pnpm override (#219): prototype pollution via `__proto__` key
- `vite` `>=6.0.0 <6.4.2` → `6.4.2` via pnpm override (#221): arbitrary file read via WebSocket

Medium (resolved for free):
- `vite` 6.x (#220, #222): path traversal in optimized deps `.map` handling
- `vite` 5.4.19 → 5.4.21 (#120, #121): `server.fs.deny` bypass via backslash on Windows

Low (resolved for free):
- `vite` 5.4.19 → 5.4.21 (#105, #106, #107, #108): `server.fs` settings not applied to HTML files + middleware path bypass

Not addressed:
- `glob` (high): requires major version jump (7 → 10); transitive dep of `test-exclude@6.0.0` — not a clean fix

Test plan:
- `pnpm install` completes successfully
- `playwright@1.52.0`, `defu@6.1.4`, `vite@6.4.1`, or `vite@5.4.19`

🤖 Generated with Claude Code
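As an added check for the test plan above (example code, not part of the PR or the project): walk the tree printed by `pnpm list --json --depth Infinity` and flag any resolved copy that still sits inside a range the bumps and overrides are meant to clear. The nested `dependencies`/`devDependencies` shape is an assumption about pnpm's JSON output, and the sample tree is constructed.

```javascript
// Added example, not project code. Walks the tree that `pnpm list --json --depth Infinity`
// prints (nested dependencies/devDependencies maps: an assumed shape) and flags any resolved
// copy still inside a range this PR's bumps and overrides are meant to clear.
// Numeric compare of dotted versions; returns -1, 0 or 1 (pre-release tags ignored).
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
const lt = (v, x) => cmp(v, x) < 0;
const gte = (v, x) => cmp(v, x) >= 0;
// Ranges the PR closes: playwright < 1.55.1, defu < 6.1.5,
// vite 5.x < 5.4.21 (fs.deny bypass), vite 6.x < 6.4.2 (file read / traversal).
const VULNERABLE = {
  '@playwright/test': v => lt(v, '1.55.1'),
  defu: v => lt(v, '6.1.5'),
  vite: v => (gte(v, '5.0.0') && lt(v, '5.4.21')) || (gte(v, '6.0.0') && lt(v, '6.4.2')),
};
// Depth-first walk; each hit carries the chain that pulled it in, so a transitive
// copy an override missed is easy to locate.
function findVulnerable(node, chain = [], out = []) {
  for (const key of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, dep] of Object.entries(node[key] || {})) {
      const here = [...chain, `${name}@${dep.version}`];
      if (VULNERABLE[name] && VULNERABLE[name](dep.version)) out.push(here.join(' > '));
      findVulnerable(dep, here, out);
    }
  }
  return out.sort();
}

// Constructed sample: direct bumps landed, but a transitive vite 6 and defu did not.
const SAMPLE = [{ name: 'app', version: '0.0.0', devDependencies: {
  '@playwright/test': { version: '1.55.1' },
  vite: { version: '5.4.21' },
  'some-tool': { version: '2.0.0', dependencies: {
    defu: { version: '6.1.4' },
    vite: { version: '6.4.1', dependencies: { defu: { version: '6.1.5' } } },
  } },
} }];

// Offending chains across every project in the list output (empty array = clean).
function auditProjects(projects = SAMPLE) {
  return projects.flatMap(p => findVulnerable(p));
}
```

Against a real checkout, replace the default `SAMPLE` argument with `JSON.parse(require('node:fs').readFileSync(0, 'utf8'))` and pipe `pnpm list --json --depth Infinity` into the script.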