Skip to content

fix(deps): resolve all 6 Dependabot alerts (transitive tar & vite in lockfiles)#80

Merged
ANcpLua merged 1 commit into
mainfrom
fix/dependabot-tar-vite-lockfiles
Jun 30, 2026
Merged

fix(deps): resolve all 6 Dependabot alerts (transitive tar & vite in lockfiles)#80
ANcpLua merged 1 commit into
mainfrom
fix/dependabot-tar-vite-lockfiles

Conversation

@ANcpLua

@ANcpLua ANcpLua commented Jun 30, 2026

Copy link
Copy Markdown
Owner

What & why

All 6 open "Security and quality" (Dependabot) alerts are stale transitive dev/build-tooling dependencies pinned in committed lockfiles. None reach consumers — the npm package ships only .tsp source files; the NuGet ships generated DTOs. So this is a clean-tree lockfile hygiene PR, not a patch of a vulnerability reaching anyone who installs the published packages.

Alert Pkg Was → Now Patched in Via Lockfiles
#16 (HIGH 8.2) server.fs.deny bypass vite 8.0.14 → 8.1.1 8.0.16 vitest (vite: ^6‖^7‖^8) otelconventions-lint
#17 (MOD 5.5) launch-editor NTLMv2 vite 8.0.14 → 8.1.1 8.0.16 vitest otelconventions-lint
#18 #19 #22 #15 (MOD 6.9) tar file-smuggling tar 7.5.15 → 7.5.19 7.5.16 @typespec/compiler (tar: ^7.5.13) otelconventions-lint, ts-types, root, csharp

How

Surgical transitive bump via per-directory npm update <pkg> --package-lock-only. Both parent ranges are carets, so the pins moved without any package.json change → lockfiles stay strictly npm ci-consistent. No overrides needed.

vite's minor bump (8.0→8.1) naturally pulls its current rolldown/oxc bindings (@rolldown/binding-*, @oxc-project/types, postcss, nanoid, …) — all dev-test toolchain, none shipped. Chose the natural npm update result over pinning to 8.0.16 to avoid a permanent overrides pin on a dev lockfile.

No version files touched — releases are tag-derived (CI-owned); v0.2.2 will be cut after merge.

Verification (local, all green)

  • npm audit0 vulnerabilities (every changed pkg is tar or part of vite's own tree)
  • npm ci clean → prepare/build:emitters compile all 4 emitters
  • npm run lint + npm run lint:public → ✔ Compilation completed successfully
  • Lockfiles idempotent/stable (re-running npm install --package-lock-only is a no-op)
  • Minimal-diff verified: only tar, vite, and vite's transitive subtree moved (+ a @qyl/telemetry-control-graph file-link normalization in otelconventions-lint)

Status: complete & verified — Nuke ./build.sh Check (the C# codegen/pack pipeline, untouched by a dev-lockfile change) runs as the authoritative CI gate.

🤖 Generated with Claude Code

…dabot alerts

All six open "Security and quality" (Dependabot) alerts are stale transitive
dev/build-tooling deps pinned in committed lockfiles — none reach consumers
(the npm package ships only .tsp files; the NuGet ships generated DTOs):

  tar  7.5.15 -> 7.5.19   (patched 7.5.16) via @typespec/compiler (tar: ^7.5.13)
    root, emitters/csharp, emitters/ts-types, emitters/otelconventions-lint
    #22 #15 #19 #18 (file-smuggling / parser interpretation differential)
  vite 8.0.14 -> 8.1.1    (patched 8.0.16) via vitest (vite: ^6||^7||^8)
    emitters/otelconventions-lint
    #16 (HIGH 8.2 server.fs.deny bypass) #17 (MOD 5.5 launch-editor NTLMv2)

Surgical transitive bump via per-dir `npm update <pkg> --package-lock-only`;
no package.json changes, so lockfiles stay `npm ci`-consistent. vite's minor
bump pulls its current rolldown/oxc bindings (dev-test toolchain only). npm
audit reports 0 vulnerabilities; root `npm ci` + build:emitters + lint +
lint:public all green. No version files touched — release is tag-derived.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (5)
  • .claude/TASK.md is excluded by none and included by none
  • emitters/csharp/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json and included by none
  • emitters/otelconventions-lint/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json and included by none
  • emitters/ts-types/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json and included by none
  • package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json and included by none

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 857f20f4-58fb-46a3-bdfc-e12f725e8346

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands.

@ANcpLua ANcpLua merged commit 3234cc4 into main Jun 30, 2026
4 checks passed
@ANcpLua ANcpLua deleted the fix/dependabot-tar-vite-lockfiles branch June 30, 2026 13:54
ANcpLua added a commit that referenced this pull request Jul 3, 2026
Checklist was stale (IN PROGRESS with open boxes) while PR #80 had merged and
v0.2.2 shipped to both registries. Re-verified 2026-07-03: npm & NuGet at
0.2.2, publish run green, 0 open Dependabot alerts.

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant