Commit d1ce1eb
fix(security): bump vite to 7.3.6 + minimatch to 9.0.9 (clears 8 Dependabot alerts)
5 vite alerts (vercel-labs#44/vercel-labs#45/vercel-labs#46/vercel-labs#94/vercel-labs#95, <=7.3.4) + 3 minimatch alerts (vercel-labs#23/vercel-labs#26/vercel-labs#28, <9.0.7) were all in pnpm-lock.yaml. The existing pnpm.overrides were recorded but never applied to the lockfile: vite enters only as vitest's peer (auto-installed peers bypass overrides under the repo's lowest-direct resolution), and the minimatch range-selector override missed the eslint-plugin-react>minimatch edge. Fix: add vite as a direct devDependency (^7.3.5 -> resolves 7.3.6) and add a deterministic nested override eslint-plugin-react>minimatch ^9.0.7 (-> 9.0.9); consolidated the redundant/overlapping vite+minimatch selectors. Targeted lockfile update (33/48 lines), vitest and all other deps unchanged. Verified: pnpm audit clean, type-check 5/5, turbo build 5/5, 166 tests pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01HWrTgpQ6CZV7tbVCNib9Pi1 parent dd6cf02 commit d1ce1eb
2 files changed
Lines changed: 37 additions & 53 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| 34 | + | |
34 | 35 | | |
35 | 36 | | |
36 | 37 | | |
| |||
44 | 45 | | |
45 | 46 | | |
46 | 47 | | |
47 | | - | |
48 | 48 | | |
49 | | - | |
| 49 | + | |
| 50 | + | |
50 | 51 | | |
51 | 52 | | |
52 | 53 | | |
| |||
55 | 56 | | |
56 | 57 | | |
57 | 58 | | |
58 | | - | |
59 | | - | |
| 59 | + | |
60 | 60 | | |
61 | 61 | | |
62 | 62 | | |
63 | | - | |
64 | 63 | | |
65 | 64 | | |
66 | 65 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
0 commit comments