Security vulnerabilities (fix first)
vite is pulled in transitively via vitepress. The overrides block in package.json already pins vite — bump it from ^6.4.2 to ^6.4.3 to pull the fixed release.
dompurify is a transitive dep of mermaid. Add "dompurify": ">=3.4.11" to the overrides block to force the patched version.
Outdated packages
| Package |
Current |
Latest |
Bump type |
Notes |
| @e4a/pg-js |
1.10.0 |
2.1.0 |
major |
Check changelog; semver major may have breaking API changes |
| mermaid |
11.15.0 |
11.16.0 |
patch |
Safe minor/patch bump |
Worker instructions
CVEs first (all in one PR, severity order):
- In
package.json overrides, change "vite": "^6.4.2" → "vite": "^6.4.3" (fixes 2 vite CVEs).
- In
package.json overrides, add "dompurify": ">=3.4.11" (fixes 8 dompurify advisories).
- Run
npm install --legacy-peer-deps and verify npm audit shows no remaining fixable vulnerabilities.
- Run
npx vitepress build docs — must succeed.
Then minor/patch outdated:
5. Bump mermaid from ^11.15.0 to ^11.16.0; run build.
Majors individually (do not skip):
6. Bump @e4a/pg-js from ^1.10.0 to ^2.1.0; check for any API breakage in docs; run build.
PR:
- Open a DRAFT PR titled
chore: update dependencies, assign reviewer rubenhensen.
- Include on its own line:
Closes #<this issue number>
- Monitor CI; fix any failures; when CI is green run
gh pr ready.
Security vulnerabilities (fix first)
vite is pulled in transitively via
vitepress. Theoverridesblock inpackage.jsonalready pins vite — bump it from^6.4.2to^6.4.3to pull the fixed release.dompurify is a transitive dep of
mermaid. Add"dompurify": ">=3.4.11"to theoverridesblock to force the patched version.Outdated packages
Worker instructions
CVEs first (all in one PR, severity order):
package.jsonoverrides, change"vite": "^6.4.2"→"vite": "^6.4.3"(fixes 2 vite CVEs).package.jsonoverrides, add"dompurify": ">=3.4.11"(fixes 8 dompurify advisories).npm install --legacy-peer-depsand verifynpm auditshows no remaining fixable vulnerabilities.npx vitepress build docs— must succeed.Then minor/patch outdated:
5. Bump
mermaidfrom^11.15.0to^11.16.0; run build.Majors individually (do not skip):
6. Bump
@e4a/pg-jsfrom^1.10.0to^2.1.0; check for any API breakage in docs; run build.PR:
chore: update dependencies, assign reviewerrubenhensen.Closes #<this issue number>gh pr ready.