chore(deps): periodic dependabot sweep (build-time transitives) #30

Merged
adrianwedd merged 1 commit into main from deps/transitive-sweep-2026-05 on May 10, 2026

Conversation

@adrianwedd
Member

Summary

  • Adds an overrides block to site/package.json pinning build-time transitive deps to patched versions
  • Closes 20 dependabot alerts in one shot (full GHSA list below)
  • All affected packages are build-toolchain only — none ship to the browser from a static Astro site

Context

Per the 2026-05-11 dependabot triage (private repo: research/intelligence/dependabot_failurefirst_triage_2026-05-11.md), this is the IGNORE-DEVDEP + IGNORE-NO-CONTEXT hygiene sweep. None of these attack vectors apply to an astro build static-site pipeline:

  • rollup/svgo/picomatch/defu/devalue/fast-xml-parser/diff/smol-toml — bundle-time only, inputs are author-controlled
  • h3 — pulled via unstorage; no h3 server runs in production (GitHub Pages serves static files)
  • vite — astro dev server is never exposed in production; we run astro build
  • postcss — bundles into shipped CSS, but no user-controlled CSS exists on a static site

The bump is hygiene, not risk reduction.

Closed alerts

| # | Package | GHSA | Override target | Resolved |
|---|---------|------|-----------------|----------|
| 10 | rollup | GHSA-mw96-cpmx-2vgc | ^4.59.0 | 4.60.3 |
| 11 | fast-xml-parser | GHSA-fj3w-jwp8-x2g3 | ^5.7.0 | 5.7.3 |
| 12 | svgo | GHSA-xpqw-6gx7-v673 | ^4.0.1 | 4.0.1 |
| 13 | devalue | GHSA-cfw5-2vxh-hr84 | ^5.6.4 | 5.8.0 |
| 14 | devalue | GHSA-mwv9-gp5h-frr4 | ^5.6.4 | 5.8.0 |
| 16 | h3 | GHSA-wr4h-v87w-p3r7 | ^1.15.9 | 1.15.11 |
| 17 | h3 | GHSA-22cc-p3c6-wpvm | ^1.15.9 | 1.15.11 |
| 19 | h3 | GHSA-72gr-qfp7-vwhw | ^1.15.9 | 1.15.11 |
| 20 | h3 | GHSA-4hxc-9384-m385 | ^1.15.9 | 1.15.11 |
| 21 | fast-xml-parser | GHSA-8gc5-j5rx-235r | ^5.7.0 | 5.7.3 |
| 23 | picomatch (4.x) | GHSA-c2c7-rcm5-vvqj | ^4.0.4 | 4.0.4 |
| 24 | picomatch (4.x) | GHSA-3v7f-55p6-f55p | ^4.0.4 | 4.0.4 |
| 26 | picomatch (2.x) | GHSA-c2c7-rcm5-vvqj | ^2.3.2 | 2.3.2 |
| 27 | picomatch (2.x) | GHSA-3v7f-55p6-f55p | ^2.3.2 | 2.3.2 |
| 28 | defu | GHSA-737v-mqg7-c878 | ^6.1.5 | 6.1.7 |
| 29 | vite | GHSA-p9ff-h696-f583 | ^6.4.2 | 6.4.2 |
| 30 | fast-xml-parser | GHSA-jp2q-39xq-3w4g | ^5.7.0 | 5.7.3 |
| 31 | vite | GHSA-4w7w-66w2-5vf9 | ^6.4.2 | 6.4.2 |
| 34 | fast-xml-parser | GHSA-gh4j-gqv2-49f6 | ^5.7.0 | 5.7.3 |
| 35 | postcss | GHSA-qx2v-qp2m-jg93 | ^8.5.10 | 8.5.14 |

Notes on dependabot fix-version vs override-target divergence

  • vite — dependabot lists fix=8.0.5 (latest line); 6.4.2 is the in-line backport per the GHSA advisory (>= 6.4.2 patches the 6.x line). We stay on vite 6 because Astro 5 pulls vite 6.
  • h3 — dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA advisory (>= 1.15.6 and >= 1.15.9 are the documented 1.x backports). h3 2.x is still rc.
  • picomatch — split override (@^2 and @^4) because both major lines are pulled in transitively by separate consumers; both have CVEs.

Deferred (NEEDS-REVIEW)

Alert #33 — Astro define:vars XSS (medium). Requires Astro 6 major bump. Held pending define:vars usage audit. Not addressed in this PR.

Verification

  • npm install — clean (1 moderate remaining = deferred Astro 6 alert)
  • npm run build — 1137 pages, build complete, no errors
  • All target packages confirmed at patched versions via npm ls --all

Test plan

  • Local build green
  • npm audit confirms only the deferred Astro 6 alert remains
  • CI / Socket Security checks green
  • Post-merge: bash scripts/build_site.sh --push to deploy
  • Verify dependabot open-alert count drops from 21 → ~1 (the deferred Astro 6 advisory: alert #33; #32 was closed by the 5.18 bump in chore(deps): bump astro 5.17.1 → 5.18.1 and refresh transitives #29)

Adds an `overrides` block to site/package.json to pull build-time
transitive dependencies forward to patched versions. All packages here
are build-toolchain only — none ship to the browser from a static Astro
site, so dependabot's `scope:runtime` flag (just "in dependencies, not
devDependencies") is misleading for our build.

Per the 2026-05-11 dependabot triage
(research/intelligence/dependabot_failurefirst_triage_2026-05-11.md in
the private repo), this is the IGNORE-DEVDEP / IGNORE-NO-CONTEXT
hygiene sweep. The bump is hygiene, not risk reduction — none of these
attack vectors apply to a static-site `astro build` pipeline.

Closed alerts (GHSA → resolved version):
- #10  rollup            GHSA-mw96-cpmx-2vgc → 4.60.3 (^4.59.0)
- #11  fast-xml-parser   GHSA-fj3w-jwp8-x2g3 → 5.7.3  (^5.7.0)
- #12  svgo              GHSA-xpqw-6gx7-v673 → 4.0.1  (^4.0.1)
- #13  devalue           GHSA-cfw5-2vxh-hr84 → 5.8.0  (^5.6.4)
- #14  devalue           GHSA-mwv9-gp5h-frr4 → 5.8.0  (^5.6.4)
- #16  h3                GHSA-wr4h-v87w-p3r7 → 1.15.11 (^1.15.9, 1.x backport)
- #17  h3                GHSA-22cc-p3c6-wpvm → 1.15.11 (^1.15.9, 1.x backport)
- #19  h3                GHSA-72gr-qfp7-vwhw → 1.15.11 (^1.15.9)
- #20  h3                GHSA-4hxc-9384-m385 → 1.15.11 (^1.15.9, 1.x backport)
- #21  fast-xml-parser   GHSA-8gc5-j5rx-235r → 5.7.3  (^5.7.0)
- #23  picomatch         GHSA-c2c7-rcm5-vvqj → 4.0.4  (^4.0.4)
- #24  picomatch         GHSA-3v7f-55p6-f55p → 4.0.4  (^4.0.4)
- #26  picomatch         GHSA-c2c7-rcm5-vvqj → 2.3.2  (^2.3.2, 2.x line)
- #27  picomatch         GHSA-3v7f-55p6-f55p → 2.3.2  (^2.3.2, 2.x line)
- #28  defu              GHSA-737v-mqg7-c878 → 6.1.7  (^6.1.5)
- #29  vite              GHSA-p9ff-h696-f583 → 6.4.2  (^6.4.2, 6.x backport)
- #30  fast-xml-parser   GHSA-jp2q-39xq-3w4g → 5.7.3  (^5.7.0)
- #31  vite              GHSA-4w7w-66w2-5vf9 → 6.4.2  (^6.4.2, 6.x backport)
- #34  fast-xml-parser   GHSA-gh4j-gqv2-49f6 → 5.7.3  (^5.7.0)
- #35  postcss           GHSA-qx2v-qp2m-jg93 → 8.5.14 (^8.5.10)

Notes on dependabot fix-version vs override-target divergence:
- vite: dependabot lists fix=8.0.5 (the latest line); 6.4.2 is the
  in-line backport per the GHSA advisory (`>= 6.4.2` patches the 6.x
  line). We stay on vite 6 because Astro 5 pulls vite 6.
- h3: dependabot lists 2.0.1-rc.15; we use 1.15.9 per the GHSA
  advisory (`>= 1.15.6` and `>= 1.15.9` are the documented 1.x
  backports). h3 2.x is still rc.
- picomatch: split override (^2 and ^4) because both major lines are
  pulled in transitively by separate consumers; both have CVEs.

Deferred (NEEDS-REVIEW, separate PR):
- #33 astro define:vars XSS — requires Astro 6 major bump, deferred
  pending define:vars usage audit.

Verification:
- npm install — clean
- npm run build — 1137 pages, build complete, no errors
- npm audit — 1 moderate (the deferred Astro 6 alert) remaining
@adrianwedd adrianwedd merged commit 1ab2ad8 into main May 10, 2026
@adrianwedd adrianwedd deleted the deps/transitive-sweep-2026-05 branch May 10, 2026 14:27