chore(deps): resolve all open security alerts + fix flaky 6h CI hang#29
Merged
Conversation
Consolidates every open Dependabot alert into one lockfile update and adds overrides for the transitive packages Dependabot could not bump. Root (package.json overrides + vitest floor): - ws -> 8.21.0 (GHSA memory-exhaustion DoS; alerts #40, #26) - form-data -> 4.0.6 (CRLF injection; alert #38) - vite -> 7.3.6 (fs.deny bypass + launch-editor NTLM; #36, #37) - esbuild -> 0.28.1 (dev-server arbitrary file read; alert #30) - vitest -> 3.2.7 (UI-server RCE, critical; alert #29) - protobufjs-> 7.6.5 (Any-expansion DoS + prop shadowing; #35, #33) example/ (override): - tar -> 7.5.19 (PAX header file smuggling; alert #39) protobufjs is transitive via @google/genai + onnxruntime-web, so no Dependabot PR covered it — pinned through an override instead. CI hardening: past dependency PRs hung 6h on `npx playwright install --with-deps chromium` (an apt-get stall) so `npm test` never ran. Add DEBIAN_FRONTEND=noninteractive and timeout-minutes so a stalled install fails fast instead of burning the full 6h job budget. Applied to ci.yml and publish.yml. Supersedes #22, #25, #26, #27, #28. Verified: npm run build + full suite (649 tests) pass locally.
This was referenced Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Consolidates all 10 open Dependabot alerts into a single lockfile update, and fixes the flaky CI hang that was blocking every dependency PR.
Dependency bumps
ws,form-data,vite,esbuild,protobufjs, andtarare transitive — pinned via npmoverrides.protobufjs(via@google/genai+onnxruntime-web) had no Dependabot PR and needed a manual override.CI fix
Every recent dependency PR hung for 6 hours on
npx playwright install --with-deps chromium(anapt-getstall) — sonpm testnever ran, and each PR showed a false red X. Root cause was step 6, not the test suite.DEBIAN_FRONTEND=noninteractive(job env) to prevent the apt prompt stall.timeout-minutes(20 unit / 30 cross-browser / 30 publish) so a stalled install fails fast instead of burning the full 6h default budget.ci.ymlandpublish.yml.Supersedes
Closes out the 5 open Dependabot PRs: #22, #25, #26, #27, #28.
Verification
npm run build+ full suite pass locally: 649 tests, 58 files, ~4s.