Context
npm audit --audit-level=moderate currently reports a moderate advisory through the documentation toolchain:
vitepress <=1.6.4
-> vite <=6.4.1
-> esbuild <=0.24.2
The advisory is for the esbuild development server. It affects local/docs tooling, not the published react-socket-store runtime package contents, because the package publishes lib only.
Current status
react-socket-store@0.0.5 is published successfully.- Main CI, Pages, and Publish workflows pass.
npm audit reports No fix available for the current VitePress dependency chain.
Follow-up
- Watch for a VitePress upgrade that resolves the nested Vite/esbuild advisory.
- Validate with
npm run lint, npm run test, npm run build, npm run docs:build, and NPM_CONFIG_CACHE=/private/tmp/react-socket-store-npm-cache npm run pack:dry-run.
- Close this issue when
npm audit --audit-level=moderate no longer reports the VitePress/esbuild chain.
Context
npm audit --audit-level=moderatecurrently reports a moderate advisory through the documentation toolchain:The advisory is for the esbuild development server. It affects local/docs tooling, not the published
react-socket-storeruntime package contents, because the package publisheslibonly.Current status
react-socket-store@0.0.5is published successfully.npm auditreportsNo fix availablefor the current VitePress dependency chain.Follow-up
npm run lint,npm run test,npm run build,npm run docs:build, andNPM_CONFIG_CACHE=/private/tmp/react-socket-store-npm-cache npm run pack:dry-run.npm audit --audit-level=moderateno longer reports the VitePress/esbuild chain.