fix(deps): bump simple-git in nuxt-api to patch GHSA-hffm-xvc3-vprc #307
Merged
Resolves the high-severity Remote Code Execution advisory by bumping the transitive simple-git from 3.35.2 to 3.36.0 (via npm audit fix). Pulled in via nuxt → @nuxt/devtools → simple-git. Other packages in the monorepo do not depend on simple-git, so no other lockfiles change. CI's audit:ci:all step was failing on this advisory.
CI's `cd tanstack-start-ui && npm ci` step has been failing on every PR against main with:

    npm error Invalid: lock file's seroval@1.5.2 does not satisfy seroval@1.5.4
    npm error Invalid: lock file's seroval-plugins@1.5.2 does not satisfy seroval-plugins@1.5.4

`npm install` in tanstack-start-ui/ regenerates the lockfile to 1.5.4 for both packages, restoring `npm ci` and `audit-ci` to working order.

Folded into this PR (the simple-git fix) because both are pre-existing main-level CI breakages blocking every open PR; landing them together unblocks the queue in one go.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
After the previous commit fixed tanstack-start-ui's lockfile, CI surfaced the same drift in react-apollo-ui: `cd react-apollo-ui && npm ci` was failing with the same seroval@1.5.2 vs 1.5.4 mismatch. `npm install` in react-apollo-ui/ regenerates its lockfile to match.

tanstack-ui and nuxt-api both have seroval@1.5.2 in their lockfiles too, but their package.json constraints accept 1.5.2 cleanly; `npm install` didn't touch them. Only the two tanstack-start consumers (tanstack-start-ui, react-apollo-ui) needed bumping.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Contributor
Copilot wasn't able to review any files in this pull request.
Files not reviewed (3)
- nuxt-api/package-lock.json: Language not supported
- react-apollo-ui/package-lock.json: Language not supported
- tanstack-start-ui/package-lock.json: Language not supported
Summary

Resolves the high-severity Remote Code Execution advisory GHSA-hffm-xvc3-vprc by bumping the transitive `simple-git` from 3.35.2 → 3.36.0 (via `npm audit fix`). Pulled in via `nuxt → @nuxt/devtools → simple-git`. Other packages in the monorepo do not depend on `simple-git`, so no other lockfiles change. CI's `audit:ci:all` step has been failing on this advisory on every PR opened against `main`, blocking merges.

This commit was cherry-picked from `feat/understand-codebase-graphs` (commit `f063bf3`) so the fix can land independently of that feature branch's review cycle.

Test plan

- `cd nuxt-api && npx -y audit-ci --config .auditconfig.json` passes locally.
- `audit:ci:all` passes on this PR.

🤖 Generated with Claude Code
Update — additional pre-existing CI breakages folded in (seroval lockfile sync)
After pushing the simple-git fix, CI surfaced additional pre-existing main-level breakages that had been masked by the audit failure:
`npm ci` was failing in both `tanstack-start-ui/` and `react-apollo-ui/` with:

`npm install` in each of those directories regenerates their lockfiles to 1.5.4 for both packages. Folded into this PR because (a) they're the same shape of pre-existing main breakage and (b) all three must land before any open PR can pass CI. PRs #305 and #306 are blocked on this PR landing.

Commits in this PR:

- `9331aa9` fix(deps): bump simple-git in nuxt-api to patch GHSA-hffm-xvc3-vprc
- `1ade966` fix(deps): sync tanstack-start-ui lockfile (seroval 1.5.2 → 1.5.4)
- `ec44aef` fix(deps): sync react-apollo-ui lockfile (seroval 1.5.2 → 1.5.4)
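The `npm ci` failure quoted in the commit messages and in the update above is npm refusing to install a lockfile whose resolved versions no longer satisfy the ranges its own entries declare. The script below is an added example, not code from this PR or from the repository: a simplified form of that consistency check (real npm does it with @npmcli/arborist and the full semver grammar) run offline over a constructed lockfileVersion 3 fixture, so it reproduces the `Invalid: lock file's seroval@1.5.2 does not satisfy ...` wording before `npm ci` ever runs, and shows which installed packages pull a given dependency in (the `nuxt → @nuxt/devtools → simple-git` kind of trace). The package name `example-framework`, its ranges, and the `DRIFTED_LOCK`/`SYNCED_LOCK` contents are assumptions made up for the example.

```javascript
// Added example, not the PR's or the repo's code: a simplified form of the
// consistency check `npm ci` performs on a lockfileVersion 2/3 package-lock.json.
// Assumptions: entries carry "version" and "dependencies" as npm writes them, and
// only the range syntaxes handled in satisfies() occur (real npm uses full semver).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports exact versions, ^, ~, >=, ">=a <b" pairs and "*".
function satisfies(version, range) {
  const v = parseVersion(version);
  range = range.trim();
  if (range === '' || range === '*') return true;
  const parts = range.split(/\s+/);
  if (parts.length === 2 && parts[0].startsWith('>=') && parts[1].startsWith('<')) {
    return cmp(v, parseVersion(parts[0].slice(2))) >= 0 &&
           cmp(v, parseVersion(parts[1].slice(1))) < 0;
  }
  if (range.startsWith('>=')) return cmp(v, parseVersion(range.slice(2))) >= 0;
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    if (cmp(v, base) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];               // ^1.5.4 -> 1.x.y
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];  // ^0.5.0 -> 0.5.y
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];       // ^0.0.3 -> 0.0.3 only
  }
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    return cmp(v, base) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  if (/^\d/.test(range)) return cmp(v, parseVersion(range)) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Resolve `name` as required by the package at lockfile path `from` ("" = root)
// the way Node does: nearest node_modules/<name>, walking up the tree.
function resolveDep(packages, from, name) {
  let p = from;
  for (;;) {
    const candidate = (p ? p + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (p === '') return null;
    const i = p.lastIndexOf('node_modules/');
    p = i <= 0 ? '' : p.slice(0, i).replace(/\/$/, '');
  }
}

// Returns the mismatches, worded like npm's own errors; an empty list means consistent.
function checkLockfile(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const problems = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (entry.link) continue; // workspace symlink entries carry no version
    const declared = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (path === '') Object.assign(declared, entry.devDependencies || {});
    for (const [name, range] of Object.entries(declared)) {
      const target = resolveDep(lock.packages, path, name);
      if (!target) {
        if (!(entry.optionalDependencies || {})[name])
          problems.push(`missing: ${name}@${range} required by ${path || 'root'}`);
        continue;
      }
      const version = lock.packages[target].version;
      if (version && !satisfies(version, range))
        problems.push(`Invalid: lock file's ${name}@${version} does not satisfy ${name}@${range}`);
    }
  }
  return problems;
}

// Which installed packages declare `name`? Lets you trace a chain such as
// nuxt -> @nuxt/devtools -> simple-git before deciding where a bump has to land.
function whoDependsOn(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.devDependencies || {}) };
    if (deps[name]) out.push(`${path || 'root'} (${deps[name]})`);
  }
  return out;
}

// Constructed fixture (not the repo's real lockfile): a framework package whose
// own package.json moved to seroval ^1.5.4 while the hoisted copies stayed at 1.5.2,
// the drift that broke `npm ci` in this PR's CI.
const DRIFTED_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'example-framework': '^2.0.0' } },
    'node_modules/example-framework': {
      version: '2.1.0',
      dependencies: { seroval: '^1.5.4', 'seroval-plugins': '^1.5.4' },
    },
    'node_modules/seroval': { version: '1.5.2' },
    'node_modules/seroval-plugins': { version: '1.5.2', peerDependencies: { seroval: '^1.0.0' } },
  },
};

// What `npm install` leaves behind: the two hoisted entries bumped to 1.5.4.
const SYNCED_LOCK = JSON.parse(JSON.stringify(DRIFTED_LOCK));
SYNCED_LOCK.packages['node_modules/seroval'].version = '1.5.4';
SYNCED_LOCK.packages['node_modules/seroval-plugins'].version = '1.5.4';

console.log(checkLockfile(DRIFTED_LOCK)); // two "Invalid: lock file's ..." lines
console.log(checkLockfile(SYNCED_LOCK));  // []
console.log(whoDependsOn(DRIFTED_LOCK, 'seroval'));
```

Pointing `checkLockfile` at a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) in a CI step that runs before `npm ci` gives the same diagnosis as a clear, fast failure; note that the `peerDependencies` on `seroval-plugins` are deliberately ignored here, whereas npm 7+ installs peers and would check them too.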