Dependabot alerts remain that can only be resolved by major-version bumps of build/test tooling and a couple of other deps. Each needs deliberate testing, so tracking them here as dedicated work.
vite 5 → 6 + vitest 2 → 3
Coupled bump (@vitest/mocker and vite-node track vite).
- vitest < 3.2.6 — critical
- esbuild <= 0.24.2 — moderate (dev server reachable by any website); clears transitively once vite is on 6+
Land on the minimum patched majors (vite 6, vitest 3); verify dev server, build, and test config.
openapi-typescript 5/6 → 7
Pulls patched undici >= 6.24.0 (currently high-severity: request smuggling, header injection, memory exhaustion). openapi-typescript 7 changed its output — regenerate and verify the generated API types.
uuid 9 → 11
uuid < 11.1.1 — moderate (missing buffer bounds check in v3/v5/v6). v7+ is ESM-only with import changes; verify usage.
elliptic — no fix available
GHSA-848j-6mx2-7j84: latest 6.6.1 is still vulnerable, no patch published. Pulled in via pdbe-molstar → crypto-browserify. Not actionable until upstream ships a fix; tracking for visibility.
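Each item above names a version threshold, so the quickest way to confirm a bump actually landed (including the transitive esbuild/undici copies) is to read the lockfile rather than trust `package.json`. The script below is an added example for this issue, not part of the project: it walks the `packages` map of a package-lock.json (v2/v3 format), maps every `node_modules/...` path back to a package name, and flags versions that fall under the thresholds listed here. The lock data is constructed for illustration; the thresholds are copied from the text, and the elliptic entry is flagged unconditionally because no patched release exists.

```javascript
// Added example (not the project's code): check a package-lock.json
// "packages" map against the version thresholds tracked in this issue.

// Thresholds from the issue. `fixedIn` is the first safe version; `vulnerableUpTo`
// is the highest known-vulnerable version where the advisory is phrased that way;
// `noFix` marks an advisory with no patched release at all.
const ADVISORIES = {
  vitest:   { fixedIn: '3.2.6',          severity: 'critical' },
  esbuild:  { vulnerableUpTo: '0.24.2',  severity: 'moderate' },
  undici:   { fixedIn: '6.24.0',         severity: 'high' },
  uuid:     { fixedIn: '11.1.1',         severity: 'moderate' },
  elliptic: { noFix: true,               severity: 'n/a' }, // GHSA-848j-6mx2-7j84
};

// Compare numeric major.minor.patch only; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const core = v.split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(name, version) {
  const adv = ADVISORIES[name];
  if (!adv) return false;
  if (adv.noFix) return true;
  if (adv.fixedIn) return compareVersions(version, adv.fixedIn) < 0;
  if (adv.vulnerableUpTo) return compareVersions(version, adv.vulnerableUpTo) <= 0;
  return false;
}

// "node_modules/vite/node_modules/@scope/pkg" -> "@scope/pkg" (nested copies count too).
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every lock entry that is still under an advisory threshold.
function findVulnerable(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue;
    if (isVulnerable(name, entry.version)) {
      const adv = ADVISORIES[name];
      hits.push({
        name,
        version: entry.version,
        path: lockPath,
        severity: adv.severity,
        noFix: Boolean(adv.noFix),
      });
    }
  }
  // Plain byte-order sort so output is stable across locales.
  return hits.sort((x, y) => (x.path < y.path ? -1 : x.path > y.path ? 1 : 0));
}

// Constructed sample lock data (not the project's real lockfile).
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'sample-app', version: '0.0.0' },
    'node_modules/vite': { version: '5.4.19' },
    'node_modules/vite/node_modules/esbuild': { version: '0.21.5' }, // nested, still <= 0.24.2
    'node_modules/vitest': { version: '2.1.9' },
    'node_modules/@vitest/mocker': { version: '2.1.9' }, // no advisory listed here
    'node_modules/undici': { version: '6.24.0' },       // already on the patched line
    'node_modules/uuid': { version: '9.0.1' },
    'node_modules/elliptic': { version: '6.6.1' },      // latest, still no fix
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  const tag = h.noFix ? ' [no fix available]' : '';
  console.log(`${h.severity.padEnd(8)} ${h.name}@${h.version} (${h.path})${tag}`);
}
```

To run it against the real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-path handling is what catches a vite-bundled esbuild that a top-level `npm ls esbuild` might not surface as the copy actually in use.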