
fix: upgrade vulnerable direct dependencies #1264

Open

sonukapoor wants to merge 1 commit into immerjs:main from sonukapoor:fix/upgrade-vulnerable-direct-deps

Conversation

@sonukapoor


This PR upgrades two direct dev dependencies that have known vulnerabilities, identified by a CVE Lite CLI scan (see PR #1263 which adds the audit workflow).

vitest was pinned at 2.1.9, which has a critical severity vulnerability affecting all v2 and v3 releases. The fix upgrades it to 4.1.0, the first clean release line. vite was at 6.4.2, which has a high severity vulnerability patched in 6.4.3 - a minimal version bump.

Both packages are devDependencies only and do not affect the published immer library. The scan found 56 total findings across 1,310 resolved packages; the remaining findings are transitive and require parent package maintainers to release updates.

@mweststrate

Collaborator

most of these were already updated earlier today by dependabot.
