chore(deps): astro 5->6 + vitest 2->3 — clear 11 of 12 Scorecard advisories#129
chore(deps): astro 5->6 + vitest 2->3 — clear 11 of 12 Scorecard advisories#129harry-harish wants to merge 1 commit into
Conversation
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (6)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…dvisories The major-bump PR the Phase 4b notes deferred to "its own PR". Builds on main's existing override strategy and clears every Scorecard advisory except the one esbuild residual main already documented as accepted. - Astro 5 -> 6 (apps/peek-docs, apps/tracelane-docs): clears the 5 astro advisories (2pvr, 8hv8, j687, jrpj, xr5h; no 5.x backport exists). Astro 6 moved to Zod 4, so @cubenest/docs-shared's recipeSchema is rebuilt on zod@^4.3.6 (content validation was silently failing otherwise). Astro 6 needs Node >=22.12, declared in each docs app's engines (CI runs Node 24). - Vitest 2 -> 3 (root): clears the critical vitest GHSA-5xrq-8626-4rwp and retires the vitest@2 / Vite-5 toolchain — which also clears esbuild GHSA-67mh-4wv8-2f99 (the old esbuild@0.21.5 copy is gone). The @vitejs/plugin-react pin is now SCOPED to @wxt-dev/module-react (plugin-react 6 needs vite 7+ via vite/internal; WXT 0.20 stays on the Vite-6 line). - js-yaml@3 -> 3.15.0 / js-yaml@4 -> 4.2.0: clears GHSA-h67p-54hq-rp68 WITHIN the 3.x line — keeps safeLoad for @changesets/cli's read-yaml-file, so the release tooling is unaffected (the residual main was tracking). - vite reaches 6.4.3 (fx2h, v6wh) via peek-extension's direct vite dep instead of the vite@6 override, which rewrote vitefu / @tailwindcss-vite peers and broke strict-peer once astro@6 (Vite 7) and the demo (Vite 8) entered the tree. Residual (unchanged from main's documented decision): esbuild GHSA-g7r4-m6w7-qqqr — a global 0.28.1 pin breaks the WXT MV3 chrome87 build; the advisory is esbuild-dev-server-only, never invoked in this pipeline. Verified: pnpm build green (incl. the WXT MV3 extension and both Astro 6 docs sites); pnpm audit shows 11/12 cleared; peek-mcp / peek-cli / peek-extension and the core suites pass under vitest 3 (the remaining local failures are the pre-existing Windows-only tracelane path-guard tests that pass on CI Linux). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: harry-harish <harry652k15@gmail.com>
harry-harish
force-pushed
the
chore/scorecard-vuln-remediation
branch
from
7a70de0 to
f8decda
Compare
harry-harish
changed the title
1 participant
What
The astro 5→6 + vitest 2→3 major-bump PR that the Phase 4b override notes deferred to "its own PR". Rebased onto current
mainand built on its existing override strategy — clears 11 of the original 12 Scorecard advisories, leaving only the one esbuild residualmainalready documented as accepted.Clears
apps/peek-docs,apps/tracelane-docs) — the 5 astro advisories (2pvr,8hv8,j687,jrpj,xr5h; no 5.x backport exists).@cubenest/docs-shared'srecipeSchemais rebuilt onzod@^4.3.6— content validation was silently failing otherwise (astro checkflagged 32 cascading type errors).engines(CI runs Node 24).GHSA-5xrq-8626-4rwp, andesbuild GHSA-67mh-4wv8-2f99(retiring the vitest@2/Vite-5 toolchain drops the oldesbuild@0.21.5). The@vitejs/plugin-reactpin is now scoped to@wxt-dev/module-react(plugin-react 6 needs vite 7+ viavite/internal; WXT 0.20 stays on Vite 6).GHSA-h67p-54hq-rp68) —js-yaml@3 → 3.15.0/@4 → 4.2.0, fixed within the 3.x line so@changesets/cli'ssafeLoadis preserved (the residualmainwas tracking).GHSA-fx2h-pf6j-xcff,GHSA-v6wh-96g9-6wx3) → 6.4.3 via peek-extension's directvitedep, replacing thevite@6override (which rewrote vitefu/@tailwindcss-vite peers and broke strict-peer once astro@6/Vite-7 and the demo/Vite-8 entered the tree).Residual (accepted, unchanged from
main)esbuild GHSA-g7r4-m6w7-qqqr— a global 0.28.1 pin breaks the WXT MV3 build (esbuild 0.28 can't lower for-of destructuring to chrome87/es2020); the advisory is esbuild-dev-server-only, never invoked in this build-only pipeline.Verification
pnpm audit→ 11/12 cleared (onlyg7r4residual).pnpm buildgreen — incl. the WXT MV3 extension (esbuild 0.27.7 retained) and both Astro 6 docs sites.pnpm test— peek-mcp (35), peek-cli (25), peek-extension (45), rrweb-core, tracelane-core/security all pass under vitest 3. Remaining local failures are the pre-existing Windows-only@tracelane/reportassets.tspath-guard tests (andtracelane-cli/detect) — they pass on CI Linux.🤖 Generated with Claude Code