chore(deps): bump dependencies to resolve open Dependabot PRs @W-22472465@#208
Merged
Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps and [brace-expansion](https://github.com/juliangruber/brace-expansion). These dependencies needed to be updated together.

Updates `brace-expansion` from 2.0.2 to 2.0.3
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.0.3)

Updates `brace-expansion` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.0.3)

Updates `brace-expansion` from 1.1.12 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@v2.0.2...v2.0.3)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 2.0.3
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 5.0.5
  dependency-type: indirect
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.23...4.18.1)

---
updated-dependencies:
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ip-address](https://github.com/beaugunderson/ip-address) from 10.1.0 to 10.2.0.
- [Commits](https://github.com/beaugunderson/ip-address/commits)

---
updated-dependencies:
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.3.0 to 5.3.1.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](patrickjuchli/basic-ftp@v5.3.0...v5.3.1)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [fast-xml-builder](https://github.com/NaturalIntelligence/fast-xml-builder) from 1.1.5 to 1.2.0.
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-builder/blob/main/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-builder@v1.1.5...v1.2.0)

---
updated-dependencies:
- dependency-name: fast-xml-builder
  dependency-version: 1.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.1.0...v3.1.2)

---
updated-dependencies:
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps and [picomatch](https://github.com/micromatch/picomatch). These dependencies needed to be updated together.

Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

Updates `picomatch` from 4.0.3 to 4.0.4
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)

---
updated-dependencies:
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
- dependency-name: picomatch
  dependency-version: 4.0.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [handlebars](https://github.com/handlebars-lang/handlebars.js) from 4.7.8 to 4.7.9.
- [Release notes](https://github.com/handlebars-lang/handlebars.js/releases)
- [Changelog](https://github.com/handlebars-lang/handlebars.js/blob/v4.7.9/release-notes.md)
- [Commits](handlebars-lang/handlebars.js@v4.7.8...v4.7.9)

---
updated-dependencies:
- dependency-name: handlebars
  dependency-version: 4.7.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.12.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.12)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…7.0.5

Resolves remaining moderate severity advisories: vite path-traversal (GHSA-4w7w-66w2-5vf9, fixed in 6.4.2) and serialize-javascript CPU exhaustion (GHSA-qj8w-gfj5-8c6v, fixed in 7.0.5).

Vite 6 keeps the project compatible with the Node 20.18 pin in .nvmrc; vite 7 and 8 require Node 20.19+.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
npiccolo (Contributor) approved these changes on May 14, 2026:

Review ✅
Pure lock file update — no logic changes.
- `npm audit` reports 0 vulnerabilities in both root and `/webview`
- `npm run build` succeeds with vite 6.4.2
- `npm run test:backend` — 381/381 passing
- `npm run test:frontend` — 387/387 passing
The vite 5 → 6 bump is the right ceiling given the Node 20.18 pin in .nvmrc (vite 7+ requires 20.19+). serialize-javascript override to 7.0.5 correctly addresses GHSA-qj8w-gfj5-8c6v.
LGTM ✅
Summary

Resolves 12 open Dependabot PRs and brings `npm audit` to 0 vulnerabilities in both root and `/webview` workspaces.

GUS: @W-22472465@

Root

`package-lock.json` bumps:
- picomatch (chore(deps): bump picomatch #178)
- handlebars 4.7.8 → 4.7.9 (chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 #179)
- brace-expansion (chore(deps): bump brace-expansion #181)
- lodash 4.17.23 → 4.18.1 (chore(deps-dev): bump lodash from 4.17.23 to 4.18.1 #190)
- ip-address 10.1.0 → 10.2.0 (chore(deps): bump ip-address from 10.1.0 to 10.2.0 #200)
- basic-ftp 5.3.0 → 5.3.1 (chore(deps): bump basic-ftp from 5.3.0 to 5.3.1 #201)
- fast-xml-builder 1.1.5 → 1.2.0 (chore(deps): bump fast-xml-builder from 1.1.5 to 1.2.0 #202)
- fast-uri 3.1.0 → 3.1.2 (chore(deps): bump fast-uri from 3.1.0 to 3.1.2 #203)

Webview

`package-lock.json` bumps:
- picomatch (chore(deps): bump picomatch in /webview #177)
- handlebars 4.7.8 → 4.7.9 (chore(deps-dev): bump handlebars from 4.7.8 to 4.7.9 in /webview #182)
- postcss 8.5.6 → 8.5.12 (chore(deps): bump postcss from 8.5.6 to 8.5.12 in /webview #197)

Manual changes

- vite 5.4.21 → 6.4.2 in `/webview` (replaces chore(deps-dev): bump vite from 5.4.21 to 8.0.9 in /webview #193, which targeted 8.0.9; vite 7+ requires Node 20.19+ but `.nvmrc` is pinned at 20.18.0).
- serialize-javascript override 7.0.3 → 7.0.5 (GHSA-qj8w-gfj5-8c6v).

Closes #177, #178, #179, #181, #182, #190, #193, #197, #200, #201, #202, #203.

Test plan

- `npm audit` reports 0 vulnerabilities in root and `/webview`
- `npm run build` succeeds (vite 6.4.2 builds webview cleanly)
- `npm run test:backend` — 381/381 passing
- `npm run test:frontend` — 387/387 passing

🤖 Generated with Claude Code
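The two checks this PR leans on, that every copy of a fixed package in the lock file is at or above the fixed version (including nested copies such as a second picomatch or brace-expansion major under another package), and that the Node version pinned in `.nvmrc` is high enough for a proposed bump, can be scripted so CI catches a regression the next time Dependabot opens a PR. The following is an added example and not code from this PR or its repository: the lock-file excerpt is constructed sample input, the floor versions are the ones quoted in the PR text, and the 20.19.0 Node minimum is the figure the PR cites for vite 7+. Real lock files use the same `packages` map keyed by `node_modules/...` paths, which is what the script walks.

```javascript
// Added example, not code from this PR or its repository: a CI check that a
// package-lock.json has not regressed below the versions the advisories were
// fixed in, plus the Node-pin check behind the "vite 6 is the ceiling" decision.
// Everything below is constructed sample input; the floors are read off the PR
// text above and are illustrative, not a complete policy.

// Excerpt of a lockfileVersion 3 package-lock.json (constructed). Nested copies
// live under "node_modules/<parent>/node_modules/<name>", which is how one lock
// file carries picomatch 2.x and 4.x at the same time.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-extension", version: "1.0.0" },
    "node_modules/picomatch": { version: "4.0.4" },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.2" },
    "node_modules/lodash": { version: "4.18.1" },
    "node_modules/serialize-javascript": { version: "7.0.3" }, // below the 7.0.5 floor
    "node_modules/brace-expansion": { version: "2.0.3" },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "1.1.12" }, // below 1.1.13
  },
};

// Minimum fixed version per major line. A package with several majors in the
// tree (brace-expansion 1.x/2.x/5.x) needs a floor for each, or a stale nested
// copy survives a bump of the top-level one.
const FLOORS = {
  picomatch: ["2.3.2", "4.0.4"],
  "brace-expansion": ["1.1.13", "2.0.3", "5.0.5"],
  lodash: ["4.18.1"],
  "serialize-javascript": ["7.0.5"],
};

// Parse "x.y.z" (optionally prefixed with "v") into numbers; pre-release tags
// and ranges are deliberately rejected so a malformed entry fails loudly.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two x.y.z versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// The package name is everything after the last "node_modules/"; scoped names
// ("@scope/name") span two path segments and are returned whole.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Every installed copy of a floored package that sits below the floor for its
// major line. A major line with no floor is reported with floor === null so a
// new major cannot slip past the check unnoticed.
function findRegressions(lock, floors) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    const major = parseVersion(entry.version)[0];
    const floor = floors[name].find((f) => parseVersion(f)[0] === major) || null;
    if (floor === null || compareVersions(entry.version, floor) < 0) {
      findings.push({ path: lockPath, name, version: entry.version, floor });
    }
  }
  return findings;
}

// Whether the Node version pinned in .nvmrc ("20.18.0" or "v20.18.0") meets the
// minimum a dependency bump needs. 20.19.0 is the floor the PR cites for vite 7+.
function nodePinSatisfies(nvmrcContent, minimumNode) {
  return compareVersions(nvmrcContent, minimumNode) >= 0;
}

// Stand-alone run: print the findings and the Node-pin verdict.
for (const f of findRegressions(SAMPLE_LOCK, FLOORS)) {
  console.log(`${f.path}: ${f.version} is below floor ${f.floor ?? "(no floor for this major)"}`);
}
console.log(`vite 7 allowed under .nvmrc 20.18.0: ${nodePinSatisfies("20.18.0\n", "20.19.0")}`);
```

On the constructed input the script flags the stale serialize-javascript 7.0.3 and the nested brace-expansion 1.1.12, and reports that a 20.18.0 pin does not clear the 20.19.0 minimum. In a real pipeline the `SAMPLE_LOCK` object would be `JSON.parse` of `package-lock.json` for each workspace (root and `/webview` here), and the floor list would be maintained next to the `overrides` block in `package.json`, which is where the serialize-javascript pin in this PR lives.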