build(deps): bump vite from 6.4.1 to 6.4.2 in /site #21

Open: dependabot[bot] wants to merge 311 commits into main from dependabot/npm_and_yarn/site/vite-6.4.2

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026

Bumps vite from 6.4.1 to 6.4.2.

Release notes

Sourced from vite's releases.

v6.4.2

Please refer to CHANGELOG.md for details.

Changelog

Sourced from vite's changelog.

6.4.2 (2026-04-06)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

adrianwedd and others added 30 commits March 11, 2026 16:03
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Policy Puppetry v0.2 (11 scenarios, cloud-native formats), VLA Deceptive
Alignment v0.1 (8 scenarios, 4 subtypes), failure modes taxonomy 3->10,
early deepseek-r1:1.5b Ansible compliance signal, GH #263.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When AI safety judges disagree on which attacks work, aggregate
metrics mask the problem. Based on Reports #62 and #65.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…efined stats)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
River Song blog post (#300) documenting the qwen3:1.7b 15% accuracy
discovery, corrected crescendo ASR (65% strict / 85% broad), and
structural lessons for AI safety evaluation ecosystem.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Nav: group Blog + Daily Paper + What's New under "Content", merge
Policy + Services into "Policy & Services", nest Manifesto + Glossary
under "About". isActive now checks children for correct highlighting.

Footer: add What's New, Daily Paper, Search, Framework, Policy, Services
links. Rename columns to match nav grouping.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…CU-QA, Jailbreak in Pieces)

4 new daily paper reviews via NLM pipeline:
- 2312.02119: Tree of Attacks — automated jailbreak generation
- 2306.13213: Safety in Numbers — multi-agent safety properties
- 2311.03191: EICU-QA — clinical AI question answering
- 2307.14539: Jailbreak in Pieces — compositional multimodal attacks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…y gap analysis

Pattern-level findings on why text-based AI safety fails for robots:
- Blindfold framework (ACM SenSys 2026) 85%+ ASR with benign-text attacks
- Failure-First VLA data: 0% refusal rate across 58 FLIP-graded traces
- Triple failure: filters, training, and evaluators all operate at wrong layer
- No governance framework distinguishes text-layer from action-layer safety

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…nforcement

Data-driven blog post analysing the Governance Lag Index dataset (90 events).
Key findings: median GLI 2,032 days, embodied AI median 2,124 days, 90% of
events have no enforcement timeline. Historical comparison with aviation,
nuclear, pharma sectors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
… embodied AI safety

Post #58: Pattern-level analysis of how text-level safety evaluators miss
contextually dangerous instructions. 45% BENIGN_QUERY finding, defense
impossibility triangle, Blindfold validation. No operational content.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
GLI dataset at 100 entries. Deployment acceleration (Tesla, Figure, Apptronik),
attack surface expansion (72.4% VLA ASR, 97% LRM jailbreak), and governance
absence (73% null GLI) converge in Q2-Q4 2026. EU AI Act high-risk deadline
August 2, 2026 creates compliance vacuum without harmonised standards.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
claude and others added 22 commits April 3, 2026 22:11
- ClawKeeper: Comprehensive Safety Protection for OpenClaw Agents (2603.24414)
- AgentWatcher: A Rule-based Prompt Injection Monitor (2604.01194)

https://claude.ai/code/session_019LWitMCcDB6d2HQmn9VcwS
- Tex3D: Objects as Attack Surfaces via Adversarial 3D Textures for VLA Models (2604.01618)
- Structured Visual Narratives Undermine Safety Alignment in Multimodal LLMs (2603.21697)

https://claude.ai/code/session_01EsZnoQpvQYsUBaTw352zQ5
First "This Week in AI Safety" digest post. Covers 92 sources from NLM
deep research: CMU red-teaming as security theater, PreSafe
Decision-Before-Reasoning, AEGIS CBFs for VLA, CoT-Safety Tradeoff,
RAHS risk-adjusted scoring, SafeAgentBench <10% rejection.

All findings connected to F41LUR3-F1R57 research (Reports #338, #49,
DETECTED_PROCEEDS, 236-model corpus). OG image pending NLM generation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Revisit of Feffer et al. CMU analysis with 4 months of F41LUR3-F1R57
empirical evidence. 236 models, 135,623 results, kappa 0.126 corpus
validates the security theater thesis. 79.9% heuristic over-report rate,
grader kappa 0.204 on ambiguous traces. Measured framing: "their
diagnosis appears conservative."

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Rename this-week-in-ai-safety → ai-safety-daily. Daily cadence when
there's enough news, skip on slow days. Updated title, description,
tags, and body text to reflect daily format.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ANNIE: adversarial safety attacks on VLA robots (2509.03383)
- In-Decoding Safety-Awareness Probing for LLM jailbreak defense (2601.10543)
10 foundational AI safety papers backdated to November 2025:
- Adversarial attacks on aligned LLMs, AutoDAN, in-context attacks
- Many-shot jailbreaking, HarmBench, StrongREJECT
- OpenVLA, RT-2, PaLM-E, SayCan (embodied AI foundations)

Filenames use topic-only slugs (no date prefix) for stable permalinks.
Date field in frontmatter controls sort order. 4 duplicates detected
and replaced (PAIR, TAP, GCG, DeepInception already in Jan/Feb/Mar).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…arch

Papers cover key safety themes: moderation (WildGuard, Llama Guard), adversarial
robustness (Rainbow Teaming, Latent Jailbreak, Crescendo), interpretability
(Representation Engineering, Circuit Breakers, Refusal Direction), and deception
(Sleeper Agents, Jailbroken). Posts connect each paper to F41LUR3-F1R57 embodied
AI failure patterns.

Files: 10 new daily-paper posts, topic-only filenames, Oct 1-10 dates in frontmatter
- wildguard-open-safety-moderation.md
- llama-guard-llm-safeguard.md
- rainbow-teaming-open-adversarial-prompts.md
- latent-jailbreak-task-oriented-attacks.md
- crescendo-multi-turn-jailbreak.md
- representation-engineering-ai-transparency.md
- sleeper-agents-deceptive-training.md
- circuit-breakers-behavior-removal.md
- refusal-mediated-single-direction.md
- jailbroken-safety-training-failures.md

No duplicates found in existing daily-paper collection.
…ety, AI-SS 2026

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ily paper

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Exploring the Adversarial Vulnerabilities of Vision-Language-Action Models in Robotics (2411.13587)
- Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming (2501.18837)

https://claude.ai/code/session_01N5YsUUMy7RrsTe29baopXK
Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.4.1 to 6.4.2.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v6.4.2/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v6.4.2/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Apr 7, 2026
@github-actions github-actions Bot force-pushed the dependabot/npm_and_yarn/site/vite-6.4.2 branch from 24d3d78 to 3b4a520 May 7, 2026 17:38
adrianwedd added a commit that referenced this pull request May 10, 2026
Adds an `overrides` block to site/package.json to pull build-time
transitive dependencies forward to patched versions. All packages here
are build-toolchain only — none ship to the browser from a static Astro
site, so dependabot's `scope:runtime` flag (just "in dependencies, not
devDependencies") is misleading for our build.

Per the 2026-05-11 dependabot triage
(research/intelligence/dependabot_failurefirst_triage_2026-05-11.md in
the private repo), this is the IGNORE-DEVDEP / IGNORE-NO-CONTEXT
hygiene sweep. The bump is hygiene, not risk reduction — none of these
attack vectors apply to a static-site `astro build` pipeline.

Closed alerts (GHSA → resolved version):
- #10  rollup            GHSA-mw96-cpmx-2vgc → 4.60.3 (^4.59.0)
- #11  fast-xml-parser   GHSA-fj3w-jwp8-x2g3 → 5.7.3  (^5.7.0)
- #12  svgo              GHSA-xpqw-6gx7-v673 → 4.0.1  (^4.0.1)
- #13  devalue           GHSA-cfw5-2vxh-hr84 → 5.8.0  (^5.6.4)
- #14  devalue           GHSA-mwv9-gp5h-frr4 → 5.8.0  (^5.6.4)
- #16  h3                GHSA-wr4h-v87w-p3r7 → 1.15.11 (^1.15.9, 1.x backport)
- #17  h3                GHSA-22cc-p3c6-wpvm → 1.15.11 (^1.15.9, 1.x backport)
- #19  h3                GHSA-72gr-qfp7-vwhw → 1.15.11 (^1.15.9)
- #20  h3                GHSA-4hxc-9384-m385 → 1.15.11 (^1.15.9, 1.x backport)
- #21  fast-xml-parser   GHSA-8gc5-j5rx-235r → 5.7.3  (^5.7.0)
- #23  picomatch         GHSA-c2c7-rcm5-vvqj → 4.0.4  (^4.0.4)
- #24  picomatch         GHSA-3v7f-55p6-f55p → 4.0.4  (^4.0.4)
- #26  picomatch         GHSA-c2c7-rcm5-vvqj → 2.3.2  (^2.3.2, 2.x line)
- #27  picomatch         GHSA-3v7f-55p6-f55p → 2.3.2  (^2.3.2, 2.x line)
- #28  defu              GHSA-737v-mqg7-c878 → 6.1.7  (^6.1.5)
- #29  vite              GHSA-p9ff-h696-f583 → 6.4.2  (^6.4.2, 6.x backport)
- #30  fast-xml-parser   GHSA-jp2q-39xq-3w4g → 5.7.3  (^5.7.0)
- #31  vite              GHSA-4w7w-66w2-5vf9 → 6.4.2  (^6.4.2, 6.x backport)
- #34  fast-xml-parser   GHSA-gh4j-gqv2-49f6 → 5.7.3  (^5.7.0)
- #35  postcss           GHSA-qx2v-qp2m-jg93 → 8.5.14 (^8.5.10)

Notes on dependabot fix-version vs override-target divergence:
- vite: dependabot lists fix=8.0.5 (the latest line); 6.4.2 is the
  in-line backport per the GHSA advisory (`>= 6.4.2` patches the 6.x
  line). We stay on vite 6 because Astro 5 pulls vite 6.
- h3: dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA
  advisory (`>= 1.15.6` and `>= 1.15.9` are the documented 1.x
  backports). h3 2.x is still rc.
- picomatch: split override (^2 and ^4) because both major lines are
  pulled in transitively by separate consumers; both have CVEs.

Deferred (NEEDS-REVIEW, separate PR):
- #33 astro define:vars XSS — requires Astro 6 major bump, deferred
  pending define:vars usage audit.

Verification:
- npm install — clean
- npm run build — 1137 pages, build complete, no errors
- npm audit — 1 moderate (the deferred Astro 6 alert) remaining
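
A lockfile check for the override sweep described in the commit message above, as an added example that is not code from this repository: it walks every installed copy in a package-lock.json `packages` map and flags copies below the floor for their major line, which is the case the split picomatch override exists for. The floors are the override ranges quoted above for vite, picomatch and h3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not the repo's code). Floors are the minimum patched
// versions quoted in the commit message above, keyed by package and major line.
const FLOORS = {
  vite: { 6: "6.4.2" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" },
  h3: { 1: "1.15.9" },
};

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored.
function parse(version) {
  return version.split(/[-+]/)[0].split(".").map(Number);
}

// True when version a is lower than version b (numeric, not string, compare).
function lt(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// Walk every installed copy in a lockfile (v2/v3 "packages" map) and report
// copies below the floor for their major line, or on a line with no floor.
function findUnpatched(lock, floors = FLOORS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!path || !floors[name] || !entry.version) continue;
    const floor = floors[name][parse(entry.version)[0]];
    if (!floor) findings.push({ path, version: entry.version, reason: "no floor for this major" });
    else if (lt(entry.version, floor)) findings.push({ path, version: entry.version, reason: `below ${floor}` });
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from the repository).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "site" },
    "node_modules/vite": { version: "6.4.2" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
    "node_modules/h3": { version: "1.15.11" },
  },
};

console.log(findUnpatched(SAMPLE_LOCK));
```

Run against the real `site/package-lock.json` by passing its parsed JSON to `findUnpatched`; an empty result means every installed copy of the listed packages meets its floor.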
Labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code)

2 participants