chore(deps): security fixes and dependency hygiene from stack audit #7
Resolve open advisories and align packages with the Node 22 LTS target, keeping deliberate version choices (AI SDK v5, ESLint 9, TS 5.9) intact.

Security (pnpm audit: 6 moderate + 1 low -> 1 low):
- override postcss >=8.5.10 (clears GHSA-qx2v-qp2m-jg93, bundled via Next)
- override qs >=6.15.2 and hono >=4.12.21 (dev-only, via shadcn CLI)

Hygiene:
- @types/node ^20 -> ^22 to match the Node 22 runtime (Node 20 is EOL)
- add engines.node ">=22" to enforce the LTS floor
- pin @tailwindcss/postcss "latest" -> "^4.3.0" for reproducible installs

Notes:
- remaining low (@ai-sdk/provider-utils) is not patchable within AI SDK v5; the fix requires the v6 major and is intentionally deferred
- better-auth stays at 1.6.17: the pnpm minimumReleaseAge cooldown holds 1.6.18 (just published); the caret range picks it up automatically once the cooldown lapses
- @react-email/components carries a blanket npm deprecation flag but remains the current component API (render not deprecated, react-email is the CLI); no migration performed

Verified: pnpm lint, pnpm typecheck, pnpm build all pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Context
Result of a stack and package audit. The low-risk P1/P2 items (security fixes + hygiene) are implemented. The template's deliberate version decisions remain intact (AI SDK v5, ESLint 9, TypeScript 5.9, Next 16); these majors are intentionally left untouched.
Security (pnpm audit: 6 moderate + 1 low → 1 low)
- postcss >=8.5.10: closes GHSA-qx2v-qp2m-jg93 (CSS stringify XSS, bundled via Next, build time)
- qs >=6.15.2 & hono >=4.12.21: dev-only via the shadcn CLI (@modelcontextprotocol/sdk), not shipped

Hygiene
- @types/node ^20 → ^22: matches the Node 22 runtime (Node 20 is EOL)
- engines.node ">=22" added: secures the LTS floor
- @tailwindcss/postcss "latest" → "^4.3.0": reproducible installs
Deliberately not changed
- Remaining low (@ai-sdk/provider-utils): not patchable within AI SDK v5 (3.0.98 does not exist); fix only via the v6 major → deferred.
- better-auth: the minimumReleaseAge cooldown holds back 1.6.18, released yesterday; the caret range picks it up automatically once the holding period lapses. The security lock is not bypassed.
- @react-email/components: deprecation flag on npm, but still the current component API (@react-email/render not deprecated, react-email = CLI). No migration of the auth-critical mail code on a shaky source basis.

Verification
- pnpm lint
- pnpm typecheck
- pnpm build

🤖 Generated with Claude Code
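As an added example, not part of this PR or the project's code: a small Node script that checks a parsed package.json for the hygiene rules the PR applies (an engines.node floor, no floating "latest" ranges, pnpm overrides at the fixed ranges for the advisory packages, @types/node tracking the runtime major), run against a constructed before/after pair. The package names and ranges are the PR's; the checkPackageHygiene function and the two sample manifests are assumptions.

```javascript
// Added example: hygiene check over a parsed package.json object.
// Ranges come from the PR description; the function and sample manifests are constructed.
const REQUIRED_OVERRIDES = { postcss: ">=8.5.10", qs: ">=6.15.2", hono: ">=4.12.21" };
const NODE_FLOOR = ">=22";
const TYPES_NODE_MAJOR = "^22";

function checkPackageHygiene(pkg) {
  const findings = [];
  // 1. engines.node must declare the LTS floor, or an EOL Node can still install the project.
  const nodeRange = pkg.engines && pkg.engines.node;
  if (nodeRange !== NODE_FLOOR) {
    findings.push(`engines.node: expected "${NODE_FLOOR}", got ${JSON.stringify(nodeRange)}`);
  }
  // 2. Floating ranges ("latest", "*") make installs non-reproducible.
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (range === "latest" || range === "*") {
        findings.push(`${field}.${name}: floating range "${range}"`);
      }
    }
  }
  // 3. Transitive advisory packages need a pnpm override pinned to the fixed range.
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  for (const [name, range] of Object.entries(REQUIRED_OVERRIDES)) {
    if (overrides[name] !== range) {
      findings.push(`pnpm.overrides.${name}: expected "${range}", got ${JSON.stringify(overrides[name])}`);
    }
  }
  // 4. @types/node should track the runtime major, otherwise types drift from the real API.
  const typesNode = (pkg.devDependencies || {})["@types/node"];
  if (typesNode && !typesNode.startsWith(TYPES_NODE_MAJOR)) {
    findings.push(`@types/node: ${typesNode} does not match the Node 22 runtime`);
  }
  return findings;
}

// Constructed manifests: the state the PR description says it started from, and the result.
const beforePkg = {
  devDependencies: { "@types/node": "^20", "@tailwindcss/postcss": "latest" },
};
const afterPkg = {
  engines: { node: ">=22" },
  devDependencies: { "@types/node": "^22", "@tailwindcss/postcss": "^4.3.0" },
  pnpm: { overrides: { postcss: ">=8.5.10", qs: ">=6.15.2", hono: ">=4.12.21" } },
};

for (const f of checkPackageHygiene(beforePkg)) console.log("before:", f);
console.log("after:", checkPackageHygiene(afterPkg).length, "findings");
```

Running the script prints six findings for the "before" manifest and none for the "after" manifest; the same check can be wired into a CI step so a later edit that reintroduces "latest" or drops an override fails the build.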