security: upgrade deps + add audit CI gate (#191 #192) #196

Merged
forgejo_admin merged 1 commit from fix/192-audit-deps into master 2026-05-22 18:48:43 +00:00

Summary

  • Upgrades @capacitor/cli to ^7.6.5 and vite to ^7.3.3 (direct dep bumps)
  • Adds resolutions block to force patched transitive versions for minimist, ansi-regex, rollup, picomatch, postcss, brace-expansion
  • Wires yarn audit --level high into the CI test job so future CVE regressions fail the build

Before: 42 vulnerabilities (2 critical, 21 high, 19 moderate)
After: 0 vulnerabilities — yarn audit --level high exits 0

Why resolutions instead of upgrading every transitive package directly

  • gonzales-pe@4.3.0 (pulled by madge > dependency-tree > precinct) is the only published version and pins minimist: ^1.2.5, which yarn resolves to the vulnerable 1.2.5. The resolutions field forces the lockfile to use 1.2.8.
  • vitest@3.2.4 is pinned (no patch release after 3.2.4) and bundles its own nested vite@7.3.1, rollup@4.57.1, and picomatch@4.0.3. Resolutions promote those to patched versions without changing vitest's own version.
  • ansi-regex resolution is capped at ^5.0.1 (not >=5.0.1) because v6 is ESM-only and breaks ora's CJS strip-ansi — confirmed by a runtime crash in yarn check:deps during iteration.

None of these packages ship to the production browser bundle

All affected packages are devDependencies (build tooling, test runner, Capacitor CLI). Production deps (react, pdf-lib, jszip, @ffmpeg/core, @uswriting/exiftool) have zero audit findings.

Test plan

  • yarn audit --level high exits 0 locally
  • yarn lint passes
  • yarn typecheck passes
  • yarn test passes (568 tests)
  • yarn check:deps passes (no circular deps)
  • yarn build:web completes successfully

Closes #191
Closes #192

🤖 Generated with Claude Code

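The CI gate the PR describes relies on the exit status of `yarn audit --level high`. When a team wants more control than the built-in threshold offers (for example reporting the counts, or distinguishing dev from production resolution paths), a small script over `yarn audit --json` does the same job. The block below is an added example, not the project's own CI script. It assumes the Yarn v1 NDJSON format: one JSON object per line, `auditAdvisory` records with `data.advisory.severity`, `data.advisory.module_name` and `data.resolution.path`/`data.resolution.dev`, and a trailing `auditSummary` record. The sample input is constructed, and its module names and paths are illustrative only.

```javascript
// Added example: a severity-threshold gate over `yarn audit --json` output.
// Assumption (not from the PR): Yarn v1 emits NDJSON with "auditAdvisory"
// records and a final "auditSummary" record, as modelled below.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Parse NDJSON text into flat advisory records; malformed lines are skipped
// rather than crashing the gate, so a partial run still produces a verdict.
function parseAuditLines(text) {
  const advisories = [];
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    let record;
    try {
      record = JSON.parse(trimmed);
    } catch (e) {
      continue; // not JSON: ignore
    }
    if (record.type !== 'auditAdvisory' || !record.data || !record.data.advisory) continue;
    const resolution = record.data.resolution || {};
    advisories.push({
      module: record.data.advisory.module_name,
      severity: record.data.advisory.severity,
      dev: Boolean(resolution.dev),
      path: resolution.path || '',
    });
  }
  return advisories;
}

// Advisories at or above `level`; the gate fails when this list is non-empty.
function findingsAtOrAbove(advisories, level) {
  const threshold = SEVERITY_RANK[level];
  if (threshold === undefined) throw new Error(`unknown audit level: ${level}`);
  return advisories.filter((a) => (SEVERITY_RANK[a.severity] ?? -1) >= threshold);
}

// Per-severity counts, in the shape the PR reports ("2 critical, 21 high, ...").
function summarize(advisories) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const a of advisories) if (a.severity in counts) counts[a.severity] += 1;
  return counts;
}

// Run the gate: returns counts, the failing advisories and the CI exit code.
function gate(ndjsonText, level) {
  const advisories = parseAuditLines(ndjsonText);
  const failing = findingsAtOrAbove(advisories, level);
  return { counts: summarize(advisories), failing, exitCode: failing.length ? 1 : 0 };
}

// Constructed sample resembling a pre-fix run (values invented for this example).
const SAMPLE_NDJSON = [
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { path: 'madge>dependency-tree>precinct>gonzales-pe>minimist', dev: true },
    advisory: { module_name: 'minimist', severity: 'critical' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { path: 'vitest>vite>rollup', dev: true },
    advisory: { module_name: 'rollup', severity: 'high' } } }),
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { path: 'vitest>vite>picomatch', dev: true },
    advisory: { module_name: 'picomatch', severity: 'moderate' } } }),
  'warning: this line is not JSON and must be ignored',
  JSON.stringify({ type: 'auditSummary', data: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1 } } }),
].join('\n');

// Demonstration: a "high" gate fails on the constructed sample (exit code 1),
// listing minimist and rollup; picomatch (moderate) is reported but not fatal.
const demo = gate(SAMPLE_NDJSON, 'high');
console.log(JSON.stringify(demo.counts), 'failing:', demo.failing.map((a) => `${a.module}${a.dev ? ' (dev)' : ''} via ${a.path}`));
```

In a pipeline the script would read the NDJSON from `yarn audit --json` (captured to a file or piped on stdin) and exit with `gate(...).exitCode`, which gives the same fail-the-build behaviour as `yarn audit --level high` while keeping the per-severity counts and the dev/production split in the job log. Note that `yarn audit` itself returns a non-zero status for any finding at or above the chosen level, so the built-in exit code is sufficient when only the verdict matters.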
forgejo_admin added 1 commit 2026-05-22 18:40:12 +00:00
security: upgrade deps + add audit CI gate to clear all advisories (#191 #192)
All checks were successful
CI / Lint, Typecheck & Unit Tests (pull_request) Successful in 1m32s
CI / Smoke build (VITE_ENABLE_FFMPEG_FALLBACK=false) (pull_request) Successful in 53s
CI / E2E (Standalone single-file) (pull_request) Successful in 5m41s
CI / E2E (Web) (pull_request) Successful in 5m59s
a3489869dd
Upgrades @capacitor/cli to ^7.6.5 and vite to ^7.3.3, and adds
yarn resolutions to force patched transitive versions for minimist,
ansi-regex, rollup, picomatch, postcss and brace-expansion — reducing
audit findings from 42 (2 critical, 21 high, 19 moderate) to zero.
Wires yarn audit --level high into the CI test job so future
regressions fail the build.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
forgejo_admin merged commit e35f8aad2d into master 2026-05-22 18:48:43 +00:00
Reference: forgejo_admin/exifcleaner-web#196