
chore: update dependencies #95

Description

@dobby-coder

Security vulnerabilities (fix first)

| CVE / Advisory | Package | Severity | Current | Fixed in |
|---|---|---|---|---|
| GHSA-fx2h-pf6j-xcff | vite | high | 8.0.14 | 8.1.0 |
| GHSA-v6wh-96g9-6wx3 | vite | moderate | 8.0.14 | 8.1.0 |
| GHSA-g7r4-m6w7-qqqr | esbuild (transitive) | low | 0.27.x | ≥0.28.1 |

vite (8.0.14 → 8.1.0, direct dependency): two advisories, a server.fs.deny bypass via alternate paths on Windows (high, CWE-22/200) and NTLMv2 hash disclosure via UNC paths (moderate, CWE-73/522).
esbuild (transitive, 0.27.x): arbitrary file read via the dev server on Windows (low, CWE-22). esbuild is pulled in transitively via the svelte-i18n override, and upgrading vite resolves a fixed esbuild, so no separate bump is expected; after the upgrade, confirm with `npm ls esbuild` that every resolved copy is ≥0.28.1.
All three are Windows path-handling issues in the dev tooling, but the fix is a single upgrade, so it goes first.

Outdated packages

| Package | Current | Latest | Bump type | Notes |
|---|---|---|---|---|
| vite | 8.0.14 | 8.1.0 | minor | advisory fix, priority |
| @sveltejs/kit | 2.61.1 | 2.68.0 | minor | core framework |
| svelte | 5.55.9 | 5.56.4 | minor | core framework |
| svelte-check | 4.4.8 | 4.7.1 | minor | |
| @sveltejs/adapter-node | 5.5.4 | 5.5.7 | patch | |
| @sveltejs/vite-plugin-svelte | not installed / indirect | latest | n/a | check if needed |
| eslint | 10.4.0 | 10.6.0 | minor | |
| eslint-plugin-svelte | 3.17.1 | 3.20.0 | minor | |
| typescript-eslint | 8.59.4 | 8.62.1 | minor | |
| @playwright/test | 1.60.0 | 1.61.1 | minor | |
| prettier | 3.8.3 | 3.9.3 | minor | |
| prettier-plugin-svelte | 4.0.1 | 4.1.1 | minor | |
| @iconify/svelte | 5.2.1 | 5.2.2 | patch | |
| @privacybydesign/yivi-web | 1.0.1 | 1.0.2 | patch | |
| sass | 1.100.0 | 1.101.0 | minor | |
| @types/node | 25.9.1 | 26.0.1 | major | Node typings |
| globals | 17.6.0 | 17.7.0 | minor | |
| tsx | 4.22.3 | 4.22.4 | patch | |
| vitest | 4.1.7 | 4.1.9 | patch | |

Bump type follows semver arithmetic on the version triple (a change in the middle component, e.g. 8.0.14 → 8.1.0 or 5.55.9 → 5.56.4, is a minor bump); minor and patch bumps are batched together below, so the distinction only matters for reviewing changelogs.

Worker instructions

1. CVEs first (all in one PR, severity order):
   - Upgrade vite to `^8.1.0`; this fixes both vite advisories and the transitive esbuild advisory.
   - Run `npm audit` to confirm zero remaining vulnerabilities.
2. Minor/patch batch (one PR): upgrade all minor and patch packages together: @sveltejs/kit, svelte, svelte-check, @sveltejs/adapter-node, eslint, eslint-plugin-svelte, typescript-eslint, @playwright/test, prettier, prettier-plugin-svelte, @iconify/svelte, @privacybydesign/yivi-web, sass, globals, tsx, vitest.
3. Major individually: @types/node 25 → 26 in its own PR (review for API-breaking changes).
4. After each batch: run `npm run build` and `npx vitest run` (unit tests). Fix any failures before opening the PR.
5. Open a DRAFT PR titled `chore: update dependencies`, assign reviewer rubenhensen, and include `Closes #<this issue number>` on its own line in the PR body.
6. Monitor CI. Once all checks are green, mark the PR ready for review with `gh pr ready`.
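The steps above can be applied mechanically. The following Node script is an added example, not code from this issue or from the project: it classifies each bump by semver arithmetic, splits the package list into the PRs the instructions ask for (security first, one minor/patch batch, each major on its own), and checks an `npm audit --json` report for anything still open. The package rows are copied from the table in this issue (a subset); the two audit reports are constructed fixtures in the shape npm 7+ emits (a `vulnerabilities` map keyed by package name), not captured from the repository, and the function names are mine.

```javascript
'use strict';

// Rank used to order audit findings; matches npm's severity labels.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Parse "8.1.0", "^8.1.0" or "8.1.0-beta.1" into [major, minor, patch].
// Anything that is not a numeric triple (e.g. "not installed", "0.27.x") throws.
function parseVersion(v) {
  const parts = String(v).replace(/^[\^~=v]/, '').split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver triple: ${v}`);
  }
  return parts;
}

// Classify the bump from current to latest by semver arithmetic:
// 8.0.14 -> 8.1.0 is minor, 25.9.1 -> 26.0.1 is major, 4.22.3 -> 4.22.4 is patch.
// Returns 'none' when latest is not newer than current.
function bumpType(current, latest) {
  const c = parseVersion(current);
  const l = parseVersion(latest);
  const labels = ['major', 'minor', 'patch'];
  for (let i = 0; i < 3; i++) {
    if (l[i] > c[i]) return labels[i];
    if (l[i] < c[i]) return 'none';
  }
  return 'none';
}

// Split packages ({name, current, latest}) into the PRs the issue asks for: one security
// PR for direct dependencies with an open advisory, one batch PR for the remaining
// minor/patch bumps, and one PR per major bump. Rows whose versions cannot be parsed
// (e.g. "not installed") are reported under `skipped` rather than silently dropped.
function planPullRequests(packages, advisoryPackages) {
  const plan = { security: [], batch: [], majors: [], skipped: [] };
  for (const pkg of packages) {
    let bump;
    try {
      bump = bumpType(pkg.current, pkg.latest);
    } catch (err) {
      plan.skipped.push({ name: pkg.name, reason: err.message });
      continue;
    }
    if (bump === 'none') continue;
    if (advisoryPackages.includes(pkg.name)) plan.security.push(pkg.name);
    else if (bump === 'major') plan.majors.push([pkg.name]);
    else plan.batch.push(pkg.name);
  }
  return plan;
}

// Read the `vulnerabilities` map from `npm audit --json` (npm 7+) and return what is still
// open, most severe first. An empty result is the "zero remaining" check in step 1; an entry
// with fixAvailable false needs an override or an upstream fix, not just a version bump.
function remainingVulnerabilities(audit) {
  return Object.entries(audit.vulnerabilities || {})
    .map(([name, v]) => ({
      name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      fixAvailable: Boolean(v.fixAvailable), // npm emits true, false or {name, version, ...}
    }))
    .sort((a, b) => (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1));
}

// Package rows copied from the issue's table (a subset); the bump type is recomputed, not copied.
const PACKAGES = [
  { name: 'vite', current: '8.0.14', latest: '8.1.0' },
  { name: '@sveltejs/kit', current: '2.61.1', latest: '2.68.0' },
  { name: 'svelte', current: '5.55.9', latest: '5.56.4' },
  { name: '@sveltejs/adapter-node', current: '5.5.4', latest: '5.5.7' },
  { name: '@sveltejs/vite-plugin-svelte', current: 'not installed', latest: 'latest' },
  { name: '@types/node', current: '25.9.1', latest: '26.0.1' },
  { name: 'tsx', current: '4.22.3', latest: '4.22.4' },
  { name: 'vitest', current: '4.1.7', latest: '4.1.9' },
];

// Constructed `npm audit --json` fixtures (not captured from the repository), reduced to the
// fields used above. "before" mirrors the vite and esbuild advisories; "after" is a clean run.
const AUDIT_BEFORE = {
  vulnerabilities: {
    esbuild: { severity: 'low', isDirect: false, fixAvailable: { name: 'vite', version: '8.1.0' } },
    vite: { severity: 'high', isDirect: true, fixAvailable: { name: 'vite', version: '8.1.0' } },
  },
};
const AUDIT_AFTER = { vulnerabilities: {} };

console.log(JSON.stringify(planPullRequests(PACKAGES, ['vite']), null, 2));
console.log('open before upgrade:', remainingVulnerabilities(AUDIT_BEFORE));
console.log('open after upgrade:', remainingVulnerabilities(AUDIT_AFTER).length);
```

In practice the audit fixture would be replaced by `JSON.parse` of the real `npm audit --json` output after step 1, and `planPullRequests` would be fed `npm outdated --json`; the classifier is the part worth keeping, since it is easy to mislabel a change in the middle version component as a patch when filling in a table by hand.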

Metadata

Labels: dependencies (pull requests that update a dependency file)