Skip to content

chore(deps-dev): update vulnerable dev dependencies#9

Merged
oshtz merged 1 commit into
mainfrom
codex/dependabot-security-bundle-20260701
Jul 1, 2026
Merged

chore(deps-dev): update vulnerable dev dependencies#9
oshtz merged 1 commit into
mainfrom
codex/dependabot-security-bundle-20260701

Conversation

@oshtz

@oshtz oshtz commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Summary

  • updates vite to 8.1.2 and esbuild to 0.28.1
  • refreshes package-lock.json so js-yaml resolves to 4.3.0
  • combines the three Dependabot fixes because each individual PR leaves npm audit --audit-level=moderate red

Supersedes:

Verification

  • npm ci
  • npm run lint
  • npm run format:check
  • npm run typecheck
  • npm run test:run (93 files, 2863 tests)
  • npm run test:smoke (5 files, 102 tests)
  • npm run test:release-smoke
  • npm run test:release-artifacts
  • npm run test:release-prereqs
  • npm run test:release-version
  • npm run check:release-version
  • npm run build
  • npm audit --audit-level=moderate (0 vulnerabilities)
  • cargo check in src-tauri

Public model identifier gate: PASS. Candidate diff is package metadata only; the only scan hit was an unrelated lockfile integrity-hash substring.

@oshtz oshtz merged commit 95f203f into main Jul 1, 2026
6 checks passed
@oshtz

oshtz commented Jul 1, 2026

Copy link
Copy Markdown
Owner Author

Landed in merge commit 95f203f.

Verification before merge:

  • Local: npm ci, npm run lint, npm run format:check, npm run typecheck, npm run test:run (93 files, 2863 tests), npm run test:smoke (5 files, 102 tests), npm run test:release-smoke, npm run test:release-artifacts, npm run test:release-prereqs, npm run test:release-version, npm run check:release-version, npm run build, npm audit --audit-level=moderate (0 vulnerabilities), cargo check in src-tauri.
  • CI: Build / validate passed on push and pull_request runs: https://github.com/oshtz/noder/actions/runs/28508327312/job/84502172542 and https://github.com/oshtz/noder/actions/runs/28508337656/job/84502207634.
  • Live proof: package metadata/security update only; no external runtime boundary. Built-artifact/workflow proof covered by npm run build, cargo check, and CI validate.
  • Public model identifier gate: PASS. Candidate diff was package.json and package-lock.json; the only scan hit was an unrelated lockfile integrity-hash substring.

@oshtz oshtz deleted the codex/dependabot-security-bundle-20260701 branch July 13, 2026 12:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant