Commit 8a4009b
chore(deps): bump vite to 6.4.2 and picomatch to 4.0.4 in /web (#1098)
Security patches for two advisories blocked on Dependabot:
- vite 6.4.1 → 6.4.2: path traversal in optimize deps sourcemap handler,
server.fs check for env transport (vitejs/vite#22161, #22159)
- picomatch 4.0.3 → 4.0.4: CVE-2026-33671, CVE-2026-33672
Replaces #1088 and #1058, which were stuck on CI because Dependabot's
lockfile regeneration produced a divergent lockfile vs. dev (dropped
@trpc/server and react-is resolved entries, added platform-specific
tailwindcss-oxide-wasm32-wasi nested entries). Rather than iterate on
@dependabot recreate, bundled both bumps into a single manual PR with
a lockfile regenerated from dev's current state.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>1 parent aa0c4f7 commit 8a4009b
2 files changed
Lines changed: 8 additions & 8 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
37 | 37 | | |
38 | 38 | | |
39 | 39 | | |
40 | | - | |
| 40 | + | |
41 | 41 | | |
42 | 42 | | |
0 commit comments