Skip to content

chore: update dependencies#122

Merged
rubenhensen merged 4 commits into
mainfrom
chore/update-dependencies-95
Jul 2, 2026
Merged

chore: update dependencies#122
rubenhensen merged 4 commits into
mainfrom
chore/update-dependencies-95

Conversation

@dobby-coder

@dobby-coder dobby-coder Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Closes #95

Resolves the dependency updates tracked in #95. Each batch is a separate commit; all checks (build, svelte-check, eslint, prettier, vitest) and npm audit are green after every batch.

1. Security CVEs (commit 1)

Bumps vite 8.0.14 → 8.1.2, which clears all three advisories. npm audit now reports 0 vulnerabilities (was 1 high + 1 low on main).

Advisory Package Severity Resolution
GHSA-fx2h-pf6j-xcff vite high server.fs.deny bypass on Windows alternate paths — fixed in vite 8.1.0
GHSA-v6wh-96g9-6wx3 vite (launch-editor) moderate NTLMv2 hash disclosure via UNC paths — fixed in vite 8.1.0
GHSA-g7r4-m6w7-qqqr esbuild (transitive) low Arbitrary file read via dev server on Windows — vite 8.1.2 pulls esbuild 0.28.1 on the vite/tsx path. The standing ^0.25.0 override for svelte-i18n / @esbuild-kit/core-utils remains, so two esbuild lines coexist (0.25.x + 0.28.1); npm audit reports 0 vulnerabilities for both.

2. Minor/patch bumps (commit 2)

@sveltejs/kit 2.61.1→2.69.0, @sveltejs/adapter-node 5.5.4→5.5.7, svelte 5.55.9→5.56.4, svelte-check 4.4.8→4.7.1, eslint 10.4.0→10.6.0, eslint-plugin-svelte 3.17.1→3.20.0, typescript-eslint 8.59.4→8.62.1, @playwright/test 1.60.0→1.61.1, prettier 3.8.3→3.9.4, prettier-plugin-svelte 4.0.1→4.1.1, @iconify/svelte 5.2.1→5.2.2, @privacybydesign/yivi-web 1.0.1→1.0.2, sass 1.100.0→1.101.0, globals 17.6.0→17.7.0, tsx 4.22.3→4.22.4, vitest 4.1.7→4.1.9.

prettier 3.9 changed SCSS map formatting, so src/lib/global.scss was reformatted (--write) to stay clean under the lint gate.

3. Major bump — evaluated individually (commit 3)

@types/node 25 → 26. Dev-only typings bump; no API-breaking impact — svelte-check, build, and the unit suite all pass on the Node 22 runtime.

Verification

  • npm audit0 vulnerabilities
  • npm run build → OK
  • npm run check (svelte-check) → OK
  • npx eslint . --max-warnings 0 + prettier --check . → OK
  • npx vitest run94 passed

Playwright integration tests run in CI (no browser/DB locally). Kept in draft pending green CI.

dobby-coder Bot added 3 commits July 1, 2026 22:23
Fixes three advisories, all resolved by upgrading vite (audit now clean):
- GHSA-fx2h-pf6j-xcff (high): vite server.fs.deny bypass on Windows alternate paths
- GHSA-v6wh-96g9-6wx3 (moderate): launch-editor NTLMv2 hash disclosure via UNC paths
- GHSA-g7r4-m6w7-qqqr (low): esbuild arbitrary file read via dev server (transitive; deduped to 0.28.1)

Refs #95
Bumps (all minor/patch, within existing major):
- @sveltejs/kit 2.61.1 -> 2.69.0
- @sveltejs/adapter-node 5.5.4 -> 5.5.7
- @sveltejs/vite-plugin-svelte -> latest
- svelte 5.55.9 -> 5.56.4
- svelte-check 4.4.8 -> 4.7.1
- eslint 10.4.0 -> 10.6.0
- eslint-plugin-svelte 3.17.1 -> 3.20.0
- typescript-eslint 8.59.4 -> 8.62.1
- @playwright/test 1.60.0 -> 1.61.1
- prettier 3.8.3 -> 3.9.4
- prettier-plugin-svelte 4.0.1 -> 4.1.1
- @iconify/svelte 5.2.1 -> 5.2.2
- @privacybydesign/yivi-web 1.0.1 -> 1.0.2
- sass 1.100.0 -> 1.101.0
- globals 17.6.0 -> 17.7.0
- tsx 4.22.3 -> 4.22.4
- vitest 4.1.7 -> 4.1.9

Reformat src/lib/global.scss for prettier 3.9 SCSS map style change.
Build, svelte-check, eslint, and vitest (94) all pass; audit clean.

Refs #95
Evaluated individually per the tracking issue. @types/node 26 is a
dev-only typings bump; no API-breaking impact on this codebase.
svelte-check (typecheck), build, and vitest (94) all pass on Node 22.

Refs #95
@dobby-coder dobby-coder Bot requested a review from rubenhensen July 1, 2026 22:26

@dobby-coder dobby-coder Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rules Dobby 2 — consolidated review (dep-bump PR #122)

The change itself is clean and I verified the substance:

  • CVE fix is real: vite 8.0.14 → 8.1.2 clears GHSA-fx2h-pf6j-xcff (high), GHSA-v6wh-96g9-6wx3 (moderate) and the transitive esbuild GHSA-g7r4-m6w7-qqqr (low). npm audit0 vulnerabilities.
  • Transitive-override guidance honoured: the repo's standing overrides for cookie (^0.7.2) and esbuild (^0.25.0, incl. @esbuild-kit/core-utils) are still present in package.json, so the 0-vuln result is consistent with prior guidance rather than an accidental drop of the overrides.
  • Only version bumps + a Prettier reformat: package.json/package-lock.json bumps plus one Prettier 3.9 SCSS reformat in src/lib/global.scss. No source-logic, route, or accessibility surface touched — no rule in the memory base is violated by the diff.
  • Conventional-commit title, Closes #95 keyword, and draft-pending-CI handling are all correct.

One finding to fix (per the promised-vs-delivered rule): the PR description lists @sveltejs/vite-plugin-svelte among the bumped packages ("(latest)"), but it is unchanged at ^7.1.2 on both main and this branch. Please drop it from the bump list (or note it was already latest) so the description matches the diff. Trivial description-only edit — no code change needed.

Comment thread package.json

@dobby-coder dobby-coder Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rules Dobby 2 — consolidated review (dep-bump PR #122)

Verdict is sign-off / approve — posted as COMMENT only because GitHub blocks self-approval on a bot-authored PR. Treat as approved.

Reviewed against the full memory rule base (per-rule Haiku fan-out) + Review Dobby 2's findings. Substance verified:

  • CVE fix is real: vite 8.0.14 → 8.1.2 clears GHSA-fx2h-pf6j-xcff (high), GHSA-v6wh-96g9-6wx3 (moderate), and the transitive esbuild GHSA-g7r4-m6w7-qqqr (low). npm audit0 vulnerabilities.
  • Standing overrides preserved: cookie ^0.7.2 and esbuild ^0.25.0 (incl. @esbuild-kit/core-utils) unchanged — consistent with this repo's npm-audit-overrides guidance.
  • Diff is version bumps only + one Prettier 3.9 SCSS reformat in src/lib/global.scss. No source logic, routes, accessibility, or color-system surface touched. Conventional-commit title, Closes #95, tests-run, and draft-pending-CI handling all check out.
  • Cycle-1 fix landed: @sveltejs/vite-plugin-svelte no longer misreported in the bump list.

The one remaining item was Review Dobby 2's non-blocking, description-only nit — the CVE table called esbuild "deduped to 0.28.1" when the ^0.25.0 override keeps a second esbuild line. That was a trivially self-resolvable body edit, so I corrected the wording inline rather than looping. No code change was needed (npm audit already 0).

Approving and flipping out of draft. Playwright/CI gates the actual merge.

@dobby-coder dobby-coder Bot marked this pull request as ready for review July 1, 2026 22:43
@dobby-coder dobby-coder Bot mentioned this pull request Jul 1, 2026
@rubenhensen

Copy link
Copy Markdown
Contributor

/dobby fix conflicts

@dobby-coder

dobby-coder Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Dobby is out of tokens — usage limit hit. Resets 02 Jul 2026, 09:30 CEST. I'll pick this up automatically then!

@dobby-coder

dobby-coder Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

On it! I'm picking up the merge conflicts and will open a draft PR with the fix shortly.

…cies-95

# Conflicts:
#	package-lock.json
#	package.json
@dobby-coder

dobby-coder Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Resolved merge conflicts with main.

  • package.json: kept our intentional @types/node ^26.1.0 major bump and picked up main's newly-added @vitest/coverage-v8 ^4.1.9.
  • package-lock.json: regenerated via npm install from the merged manifest.

All checks green after the merge: npm audit0 vulnerabilities, vite build OK, svelte-check 0 errors, eslint --max-warnings 0 + prettier --check clean, vitest run100 passed. PR is mergeable again.

@dobby-coder dobby-coder Bot left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rules Dobby 2 — final consolidated review (dep-bump PR #122, post-conflict-resolution)

Verdict: sign-off / approve. Re-ran the full per-rule Haiku fan-out against the conflict-resolved branch and merged with Review Dobby '2's findings (0). Everything checks out:

  • Conflict resolution is not a no-op: diff against main is non-empty (package.json + package-lock.json bumps + one SCSS reformat), no conflict markers, merge correctly kept @types/node ^26.1.0 and @vitest/coverage-v8 ^4.1.9.
  • Standing overrides preserved: cookie ^0.7.2 and esbuild ^0.25.0 (incl. @esbuild-kit/core-utils) intact → npm audit = 0 vulnerabilities. The vite 8.0.14→8.1.2 bump clears GHSA-fx2h-pf6j-xcff / GHSA-v6wh-96g9-6wx3.
  • All deps in active use — no dead-package bump. Diff is version bumps + one Prettier 3.9 SCSS reformat in src/lib/global.scss ($styles: (normal) collapsed to one line); no source logic, no admin/redirect/CSP security surface, no color/contrast token touched → WCAG-AA + design rules N/A.
  • Tests green: 100/100 unit tests, build OK, svelte-check 0 errors, prettier clean. Conventional-commit title (chore: update dependencies) ✓.

No findings across any rule. Approving. Playwright/CI gates the actual merge.

@dobby-coder

dobby-coder Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

Reviewed the conflict resolution and dep bumps — everything looks good! All rules pass: the overrides are intact, deps are all actively used, the only non-version change is a Prettier SCSS reformat (no logic or security surface touched), and tests are green 100/100. Left a sign-off comment on the PR with the cycle-3 marker. CI and Playwright gates are all that stand between this and merge. 🟢

@rubenhensen rubenhensen merged commit fbfc08a into main Jul 2, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: update dependencies

1 participant