Skip to content

chore(deps): consolidate Viewer dependabot bumps (vite 7 + plugin-react 5)#48

Merged
onevcat merged 1 commit into
mainfrom
chore/viewer-deps
Jul 13, 2026
Merged

chore(deps): consolidate Viewer dependabot bumps (vite 7 + plugin-react 5)#48
onevcat merged 1 commit into
mainfrom
chore/viewer-deps

Conversation

@onevcat

@onevcat onevcat commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

What

Resolves all four open Tools/Viewer dependabot PRs (#43, #44, #45, #46) in one consolidated bump, since they collapse to two direct devDependency changes plus a lockfile regeneration.

The one-big-upgrade finding

Only vite and @vitejs/plugin-react are direct deps; the rest are transitive:

dependabot PR package how it's pulled resolved by
#43 esbuild (+vite) vite → esbuild vite 5→7 (esbuild 0.21→0.28)
#45 vite (+plugin-react) direct vite 5→7 (same bump as #43)
#46 @babel/core @vitejs/plugin-react → babel plugin-react 4→5
#44 shell-quote concurrently → shell-quote lockfile regen (fits ^1.8.1)

So: vite is the big one (covers #43 = #45), @vitejs/plugin-react 5 sweeps up babel (#46), and regenerating the lockfile pulls shell-quote 1.9.0 into concurrency's existing range (#44) with no direct change.

Why vite 7, not 8

vite 8 moves to rolldown and makes @vitejs/plugin-react 6 pull babel-plugin-react-compiler / @rolldown/plugin-babel peers — config churn for no security benefit. vite 7 already ships esbuild ^0.25 (the advisory is esbuild <=0.24.2), so it clears the moderate advisory without the rolldown migration. @vitejs/plugin-react 5's peer range covers vite 7.

Result

  • npm audit: 0 vulnerabilities (was 1 critical shell-quote + esbuild moderate + 1 high + 1 low).
  • npm run build and make viewer produce byte-identical SPA output (same hashed chunk names), so Sources/SimUse/Resources/viewer/ is unchanged — no runtime behaviour change.

Once merged, close #43#46 as superseded (dependabot will also auto-close them when the branch lands).

🤖 Generated with Claude Code

…advisories

The four Tools/Viewer dependabot PRs (#43#46) all reduce to two direct
devDependency bumps plus a lockfile regeneration:

- vite ^5.3.3 → ^7.3.6 pulls esbuild 0.25+ (was 0.21.5), clearing the
  moderate esbuild dev-server SSRF advisory (GHSA-67mh-4wv8-2f99) — this is
  the "big one" that dependabot framed as both #43 (esbuild+vite) and #45
  (vite+plugin-react). vite 7 (not 8) keeps esbuild rather than moving to
  rolldown, so no config churn.
- @vitejs/plugin-react ^4.3.1 → ^5.2.0 (peer vite ^7 ok) pulls @babel/core
  7.29.7 (#46).
- Regenerating the lockfile pulls shell-quote 1.9.0 (satisfies concurrently's
  existing ^1.8.1 range), clearing the critical shell-quote advisory
  (GHSA-w7jw-789q-3m8p, #44) with no direct-dep change.

`npm audit` now reports 0 vulnerabilities (was 1 critical + 1 high + 1
moderate + 1 low). `npm run build` and `make viewer` produce byte-identical
SPA output (same hashed chunk names), so the committed
Sources/SimUse/Resources/viewer/ bundle is unchanged. Supersedes #43#46.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: onevcat <onevcat@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant