Skip to content

fix(frontend): resolve 6 Dependabot dependency vulnerabilities#183

Merged
touchthesun merged 1 commit into
mainfrom
fix/frontend-dependency-vulnerabilities
Jul 2, 2026
Merged

fix(frontend): resolve 6 Dependabot dependency vulnerabilities#183
touchthesun merged 1 commit into
mainfrom
fix/frontend-dependency-vulnerabilities

Conversation

@touchthesun

Copy link
Copy Markdown
Contributor

Resolves all 6 open Dependabot alerts. Every flagged advisory was in the Vite/React reference frontend under frontend/ — no Python (uv.lock) dependencies were affected. npm audit now reports 0 vulnerabilities.

Fixes

In-range (semver-compatible, applied via npm audit fix — no manifest change)

Package From → To Severity Advisory
vite 6.4.2 → 6.4.3 high + med server.fs.deny bypass on Windows alt paths; launch-editor NTLMv2 hash disclosure
react-router 7.14.0 → 7.18.1 high (npm) / low (Dependabot) CSRF via PUT/PATCH/DELETE; also clears vendored turbo-stream RCE, open-redirect, and DoS advisories
@babel/core 7.29.0 → 7.29.7 low Arbitrary file read via sourceMappingURL comment (transitive)

Major bump (manifest change)

Package From → To Severity Advisory
echarts ^5.6.0^6.1.0 medium XSS (GHSA-fgmj-fm8m-jvvx); patched in 6.1.0

echarts risk assessment (low):

  • echarts-for-react@3.0.6 already declares echarts ^6.0.0 as a supported peer — no wrapper change needed.
  • echarts is used in exactly one component (FacilityChart.tsx), only via the echarts-for-react wrapper (no direct core imports). It's a basic bar chart using stable, non-deprecated options and an explicit SVG renderer.

Verification

  • npm run typecheck — clean
  • npm run build — succeeds (echarts 6 + vite 6.4.3)
  • npm audit0 vulnerabilities

🤖 Generated with Claude Code

All flagged advisories were in the Vite/React reference frontend (no Python
deps affected). `npm audit` now reports 0 vulnerabilities.

In-range (semver-compatible, via `npm audit fix`):
- vite 6.4.2 -> 6.4.3   (high: server.fs.deny bypass; med: launch-editor NTLM)
- react-router 7.14.0 -> 7.18.1  (CSRF + turbo-stream RCE / open-redirect / DoS)
- @babel/core 7.29.0 -> 7.29.7   (low: arbitrary file read via sourceMappingURL)

Major bump (manifest change):
- echarts ^5.6.0 -> ^6.1.0  (med: XSS). echarts-for-react@3.0.6 already lists
  echarts ^6 as a supported peer, and the sole usage (FacilityChart) is a basic
  bar chart with no deprecated APIs, so the bump is low-risk.

Verified: `npm run typecheck` clean, `npm run build` succeeds, `npm audit` 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@touchthesun touchthesun merged commit 34d5cfc into main Jul 2, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants