chore(deps): consolidate Viewer dependabot bumps (vite 7 + plugin-react 5)#48
Merged
Conversation
…advisories The four Tools/Viewer dependabot PRs (#43–#46) all reduce to two direct devDependency bumps plus a lockfile regeneration: - vite ^5.3.3 → ^7.3.6 pulls esbuild 0.25+ (was 0.21.5), clearing the moderate esbuild dev-server SSRF advisory (GHSA-67mh-4wv8-2f99) — this is the "big one" that dependabot framed as both #43 (esbuild+vite) and #45 (vite+plugin-react). vite 7 (not 8) keeps esbuild rather than moving to rolldown, so no config churn. - @vitejs/plugin-react ^4.3.1 → ^5.2.0 (peer vite ^7 ok) pulls @babel/core 7.29.7 (#46). - Regenerating the lockfile pulls shell-quote 1.9.0 (satisfies concurrently's existing ^1.8.1 range), clearing the critical shell-quote advisory (GHSA-w7jw-789q-3m8p, #44) with no direct-dep change. `npm audit` now reports 0 vulnerabilities (was 1 critical + 1 high + 1 moderate + 1 low). `npm run build` and `make viewer` produce byte-identical SPA output (same hashed chunk names), so the committed Sources/SimUse/Resources/viewer/ bundle is unchanged. Supersedes #43–#46. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: onevcat <onevcat@gmail.com>
This was referenced Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Resolves all four open Tools/Viewer dependabot PRs (#43, #44, #45, #46) in one consolidated bump, since they collapse to two direct devDependency changes plus a lockfile regeneration.
The one-big-upgrade finding
Only
viteand@vitejs/plugin-reactare direct deps; the rest are transitive:vite→ esbuild@vitejs/plugin-react→ babelconcurrently→ shell-quote^1.8.1)So:
viteis the big one (covers #43 = #45),@vitejs/plugin-react 5sweeps up babel (#46), and regenerating the lockfile pullsshell-quote1.9.0 intoconcurrency's existing range (#44) with no direct change.Why vite 7, not 8
vite 8 moves to rolldown and makes
@vitejs/plugin-react6 pullbabel-plugin-react-compiler/@rolldown/plugin-babelpeers — config churn for no security benefit. vite 7 already ships esbuild^0.25(the advisory is esbuild<=0.24.2), so it clears the moderate advisory without the rolldown migration.@vitejs/plugin-react5's peer range covers vite 7.Result
npm audit: 0 vulnerabilities (was 1 critical shell-quote + esbuild moderate + 1 high + 1 low).npm run buildandmake viewerproduce byte-identical SPA output (same hashed chunk names), soSources/SimUse/Resources/viewer/is unchanged — no runtime behaviour change.Once merged, close #43–#46 as superseded (dependabot will also auto-close them when the branch lands).
🤖 Generated with Claude Code