Skip to content

chore: update dependencies #115

Description

@dobby-coder

Security vulnerabilities (fix first)

CVE / Advisory Package Severity Current Fixed in
GHSA-fx2h-pf6j-xcff vite high 6.4.2 (override) 6.4.3+
GHSA-v6wh-96g9-6wx3 vite (launch-editor) moderate 6.4.2 (override) 6.4.3+
GHSA-cmwh-pvxp-8882 dompurify moderate <=3.4.10 (transitive) 3.4.11
GHSA-76mc-f452-cxcm dompurify moderate <=3.4.10 (transitive) 3.4.7+
GHSA-hpcv-96wg-7vj8 dompurify moderate <=3.4.10 (transitive) 3.4.6+
GHSA-r47g-fvhr-h676 dompurify moderate <=3.4.10 (transitive) 3.4.6+
GHSA-rp9w-3fw7-7cwq dompurify moderate <=3.4.10 (transitive) 3.4.7+
GHSA-x4vx-rjvf-j5p4 dompurify low <=3.4.10 (transitive) 3.4.7+
GHSA-vxr8-fq34-vvx9 dompurify low <=3.4.10 (transitive) 3.4.9+
GHSA-gvmj-g25r-r7wr dompurify low <=3.4.10 (transitive) 3.4.8+

vite is pulled in transitively via vitepress. The overrides block in package.json already pins vite — bump it from ^6.4.2 to ^6.4.3 to pull the fixed release.
dompurify is a transitive dep of mermaid. Add "dompurify": ">=3.4.11" to the overrides block to force the patched version.

Outdated packages

Package Current Latest Bump type Notes
@e4a/pg-js 1.10.0 2.1.0 major Check changelog; semver major may have breaking API changes
mermaid 11.15.0 11.16.0 patch Safe minor/patch bump

Worker instructions

CVEs first (all in one PR, severity order):

  1. In package.json overrides, change "vite": "^6.4.2""vite": "^6.4.3" (fixes 2 vite CVEs).
  2. In package.json overrides, add "dompurify": ">=3.4.11" (fixes 8 dompurify advisories).
  3. Run npm install --legacy-peer-deps and verify npm audit shows no remaining fixable vulnerabilities.
  4. Run npx vitepress build docs — must succeed.

Then minor/patch outdated:
5. Bump mermaid from ^11.15.0 to ^11.16.0; run build.

Majors individually (do not skip):
6. Bump @e4a/pg-js from ^1.10.0 to ^2.1.0; check for any API breakage in docs; run build.

PR:

  • Open a DRAFT PR titled chore: update dependencies, assign reviewer rubenhensen.
  • Include on its own line: Closes #<this issue number>
  • Monitor CI; fix any failures; when CI is green run gh pr ready.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency file

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions