fix(deps): resolve all 6 Dependabot alerts (transitive tar & vite in lockfiles)#80
Conversation
…dabot alerts
All six open "Security and quality" (Dependabot) alerts are stale transitive
dev/build-tooling deps pinned in committed lockfiles — none reach consumers
(the npm package ships only .tsp files; the NuGet ships generated DTOs):
tar 7.5.15 -> 7.5.19 (patched 7.5.16) via @typespec/compiler (tar: ^7.5.13)
root, emitters/csharp, emitters/ts-types, emitters/otelconventions-lint
#22 #15 #19 #18 (file-smuggling / parser interpretation differential)
vite 8.0.14 -> 8.1.1 (patched 8.0.16) via vitest (vite: ^6||^7||^8)
emitters/otelconventions-lint
#16 (HIGH 8.2 server.fs.deny bypass) #17 (MOD 5.5 launch-editor NTLMv2)
Surgical transitive bump via per-dir `npm update <pkg> --package-lock-only`;
no package.json changes, so lockfiles stay `npm ci`-consistent. vite's minor
bump pulls its current rolldown/oxc bindings (dev-test toolchain only). npm
audit reports 0 vulnerabilities; root `npm ci` + build:emitters + lint +
lint:public all green. No version files touched — release is tag-derived.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (5)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Comment |
Checklist was stale (IN PROGRESS with open boxes) while PR #80 had merged and v0.2.2 shipped to both registries. Re-verified 2026-07-03: npm & NuGet at 0.2.2, publish run green, 0 open Dependabot alerts. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
What & why
All 6 open "Security and quality" (Dependabot) alerts are stale transitive dev/build-tooling dependencies pinned in committed lockfiles. None reach consumers — the npm package ships only
.tspsource files; the NuGet ships generated DTOs. So this is a clean-tree lockfile hygiene PR, not a patch of a vulnerability reaching anyone who installs the published packages.server.fs.denybypassvitest(vite: ^6‖^7‖^8)vitest@typespec/compiler(tar: ^7.5.13)How
Surgical transitive bump via per-directory
npm update <pkg> --package-lock-only. Both parent ranges are carets, so the pins moved without anypackage.jsonchange → lockfiles stay strictlynpm ci-consistent. Nooverridesneeded.vite's minor bump (8.0→8.1) naturally pulls its current rolldown/oxc bindings (
@rolldown/binding-*,@oxc-project/types,postcss,nanoid, …) — all dev-test toolchain, none shipped. Chose the naturalnpm updateresult over pinning to 8.0.16 to avoid a permanentoverridespin on a dev lockfile.No version files touched — releases are tag-derived (CI-owned); v0.2.2 will be cut after merge.
Verification (local, all green)
npm audit→ 0 vulnerabilities (every changed pkg istaror part of vite's own tree)npm ciclean →prepare/build:emitterscompile all 4 emittersnpm run lint+npm run lint:public→ ✔ Compilation completed successfullynpm install --package-lock-onlyis a no-op)tar,vite, and vite's transitive subtree moved (+ a@qyl/telemetry-control-graphfile-link normalization in otelconventions-lint)Status: complete & verified — Nuke
./build.sh Check(the C# codegen/pack pipeline, untouched by a dev-lockfile change) runs as the authoritative CI gate.🤖 Generated with Claude Code