
fix: pin vite ≥ 6.4.2 and postcss ≥ 8.5.10 to address CVE-2026-39365#23

Merged
abnegate merged 1 commit into main from copilot/address-github-vulnerability on Jun 2, 2026

Conversation

Contributor

Copilot AI commented Jun 2, 2026

Summary

CVE-2026-39365 is a path traversal vulnerability in vite affecting versions 6.0.0–6.4.1 (also 7.x and 8.x ranges). The repo's vitepress@1.6.4 pulled in vite@5.4.21; scanners flag this as vulnerable due to a simple <= 6.4.1 version comparison. Adds npm overrides to force vite to the patched 6.4.3 (vitepress supports ^5 || ^6) and fixes a co-located moderate postcss < 8.5.10 XSS issue.

Changes in package.json:

  • Added "vite": "^6.4.2" override → resolves to 6.4.3
  • Added "postcss": "^8.5.10" override → clears GHSA-qx2v-qp2m-jg93

npm audit reports 0 vulnerabilities after these changes.

Type of change

  • Refactor/Chore

Checklist

  • I have read CONTRIBUTING.md and AGENTS.md.
  • Unit tests added/updated where appropriate.
  • vendor/bin/phpunit passes locally (unit suite at minimum).
  • vendor/bin/psalm passes locally.
  • Backwards compatible (no breaking public API changes) or clearly documented.
  • Documentation updated (README.md and/or docs/), including examples if needed.
  • Changes are minimal and scoped (one concern per PR).
  • No tests depend on external secrets or network beyond the documented integration setup.

Integration tests (if applicable)

  • Tested against a local K8s (e.g., Minikube) with addons and CRDs installed, as outlined in AGENTS.md.
    • Kubernetes version:
    • PHP version:
    • Laravel/Testbench versions:

Breaking changes

None. Dependency-only change; no public API affected.

Notes for reviewers

vitepress@1.6.4 declares "vite": "^5.0.0 || ^6.0.0", so bumping to vite 6.4.3 via override is within its supported peer range. The postcss override is similarly safe — it's a transitive dep with no API surface exposed to this project.

@abnegate abnegate marked this pull request as ready for review June 2, 2026 11:38
Copilot AI review requested due to automatic review settings June 2, 2026 11:38

greptile-apps Bot commented Jun 2, 2026

Greptile Summary

This PR pins vite to ^6.4.2 and postcss to ^8.5.10 via npm overrides in response to CVE-2026-39365 and GHSA-qx2v-qp2m-jg93. Both changes only affect the documentation toolchain (vitepress), with no impact on the PHP library itself.

  • The postcss bump (8.5.6 → 8.5.15) is legitimate and addresses a real XSS vulnerability in the transitive dependency.
  • The vite override bumps from 5.4.21 → 6.4.3, but CVE-2026-39365 only affects vite 6.0.0–6.4.1; vite 5.x is outside the vulnerable range. This is effectively a major-version upgrade (v5 → v6) applied via overrides to resolve a scanner false positive, and the docs build should be verified to work cleanly with vite 6.

Confidence Score: 4/5

Safe to merge for the postcss fix; the vite override is a v5→v6 major bump applied to docs tooling under a CVE that doesn't cover v5, so a confirmed clean docs build would provide additional assurance.

The postcss change is straightforward and addresses a real vulnerability. The vite override, however, performs a silent major version upgrade (5→6) of a transitive dev dependency justified by a CVE that does not actually apply to the original v5 installation. Vite 6 has breaking changes relative to v5, and while the blast radius is limited to the documentation build, the upgrade path has not been explicitly tested here.

The package.json vite override deserves a closer look — running npm run docs:build against the resolved vite 6.4.3 would confirm the docs build is unaffected.

Important Files Changed

Filename Overview
package.json Adds vite: ^6.4.2 and postcss: ^8.5.10 npm overrides. The postcss fix is legitimate; the vite override addresses a scanner false positive (CVE-2026-39365 only affects 6.x, not the original 5.4.21), and silently performs a v5→v6 major version upgrade of a transitive dev dependency.
package-lock.json Lock file updated to reflect vite 5.4.21→6.4.3, postcss 8.5.6→8.5.15, nanoid 3.3.11→3.3.12, and new transitive deps (fdir, picomatch, tinyglobby) pulled in by vite 6. Changes are consistent with the package.json overrides.

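The false positive Greptile describes comes down to how the scanner compares versions. The following script is an added example, not code from this PR, from vite, or from any scanner: it contrasts the naive `<= 6.4.1` comparison the PR description attributes to the scanner with a range check that honours the lower bound of each affected range. The ranges are transcribed from the advisory summary quoted in the review; the version parser is a deliberate simplification that drops prerelease and build suffixes.

```javascript
// Added example, not code from this PR, from vite or from any scanner.
// Affected ranges are transcribed from the advisory summary quoted in the
// review (6.0.0-6.4.1, 7.x-7.3.1, 8.x-8.0.4); the field names follow OSV's
// introduced / last_affected convention, the object itself is constructed here.
const CVE_2026_39365_RANGES = [
  { introduced: "6.0.0", lastAffected: "6.4.1" },
  { introduced: "7.0.0", lastAffected: "7.3.1" },
  { introduced: "8.0.0", lastAffected: "8.0.4" },
];

// Parse "major.minor.patch" into three integers. Simplification: a
// "-prerelease" or "+build" suffix is dropped, so 6.4.2-beta.1 sorts as 6.4.2.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a major.minor.patch version: ${v}`);
  }
  return parts;
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
// Numeric, not lexicographic, so 6.4.10 is newer than 6.4.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The check the PR description attributes to the scanner: only the upper
// bound of the 6.x range is consulted.
function naiveIsVulnerable(version) {
  return compareVersions(version, "6.4.1") <= 0;
}

// Correct check: the version must sit inside some affected range, i.e.
// introduced <= version <= lastAffected for at least one range.
function isVulnerable(version, ranges = CVE_2026_39365_RANGES) {
  return ranges.some(
    (r) =>
      compareVersions(version, r.introduced) >= 0 &&
      compareVersions(version, r.lastAffected) <= 0
  );
}

// Run both checks over a list of versions and classify each disagreement.
function triage(versions) {
  return versions.map((version) => {
    const naive = naiveIsVulnerable(version);
    const correct = isVulnerable(version);
    let verdict = "agree";
    if (naive && !correct) verdict = "false positive";
    if (!naive && correct) verdict = "false negative";
    return { version, naive, correct, verdict };
  });
}

// The versions that matter for this PR plus one from each other affected range.
for (const row of triage(["5.4.21", "6.4.1", "6.4.3", "7.3.1", "8.0.5"])) {
  console.log(`${row.version.padEnd(7)} naive=${row.naive} correct=${row.correct} ${row.verdict}`);
}
```

Besides the false positive on 5.4.21, the naive comparison also produces a false negative: 7.3.1 is inside an affected range but is greater than 6.4.1, so a scanner built that way would pass it. Matching against every (introduced, last_affected) pair is what makes the result trustworthy in both directions.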

@abnegate abnegate merged commit 9375799 into main Jun 2, 2026
5 checks passed
Comment thread package.json
"overrides": {
"esbuild": "^0.25.0"
"esbuild": "^0.25.0",
"vite": "^6.4.2",
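Review bot: the new `"vite": "^6.4.2"` entry is a top-level override, so it forces every package in the tree that depends on vite onto 6.x regardless of the range that dependent declares, which is exactly what turns the 5.4.21 install into 6.4.3. If the docs toolchain is the only intended target, scope it to that consumer with npm's nested override form, `"vitepress": { "vite": "^6.4.2" }`, so an unrelated dependency that only supports vite 5 is not silently moved as well. Since package.json cannot carry a comment, record the advisory and the removal condition (drop the override once vitepress resolves vite >= 6.4.2 on its own) somewhere maintainers will see it, such as CONTRIBUTING.md or the changelog.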

P2 CVE-2026-39365 does not affect vite 5.x — this override is addressing a scanner false positive

According to NVD and the GitHub Advisory (GHSA-4w7w-66w2-5vf9), CVE-2026-39365 specifically affects vite 6.0.0–6.4.1, 7.x–7.3.1, and 8.x–8.0.4. The original pinned version in the lock file was vite@5.4.21, which is outside all vulnerable ranges. The PR description acknowledges that scanners flag it "due to a simple <=6.4.1 version comparison" — that is the definition of a false positive.

The consequence is that this override silently performs a major version bump from v5 to v6 (via npm overrides) under the guise of a security patch. Vite 6 has breaking changes relative to v5. While vitepress@1.6.4 advertises support for both ^5 and ^6, it's worth verifying the docs build (npm run docs:build) still passes cleanly with the new resolution before merging.

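The review comment and the PR description both lean on `npm audit` and the lockfile diff as evidence that the overrides took effect. As an added example (not the PR's code and not npm's), here is a check that reads the lockfile's `packages` map directly and reports every installed copy of vite and postcss, so a stale nested copy that an override should have eliminated is caught explicitly rather than inferred. The lockfile object is constructed for the example, with one deliberately stale nested copy; the minimum versions are the PR's own overrides.

```javascript
// Added example, not code from this PR or from npm. It shows how to confirm
// that an "overrides" entry actually took effect by scanning the lockfile's
// "packages" map (lockfile v2/v3) for every installed copy of a package,
// including nested copies such as node_modules/vitepress/node_modules/vite.
//
// The lockfile object below is constructed for this example. It mirrors the
// versions named in the PR (vite 6.4.3, postcss 8.5.15) and adds a stale
// nested vite 5.4.21, the kind of leftover a partial lock update could leave.
const SAMPLE_LOCKFILE = {
  name: "docs-toolchain",
  lockfileVersion: 3,
  packages: {
    "": { name: "docs-toolchain", devDependencies: { vitepress: "1.6.4" } },
    "node_modules/vitepress": { version: "1.6.4" },
    "node_modules/vite": { version: "6.4.3" },
    "node_modules/postcss": { version: "8.5.15" },
    "node_modules/vitepress/node_modules/vite": { version: "5.4.21" }, // stale copy
  },
};

// Minimum versions implied by the PR's overrides ("vite": "^6.4.2", "postcss": "^8.5.10").
const REQUIRED = { vite: "6.4.2", postcss: "8.5.10" };

// Parse "major.minor.patch"; a "-prerelease"/"+build" suffix is dropped (simplification).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a major.minor.patch version: ${v}`);
  }
  return parts;
}

// Numeric comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Package name for a lockfile path: everything after the last "node_modules/",
// which keeps scoped names such as "@vue/shared" intact.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every installed copy of each package in `required`, with an ok flag telling
// whether that copy satisfies the minimum. Returns an array of findings.
function checkOverrides(lockfile, required) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in required) || !entry.version) continue;
    findings.push({
      name,
      path: lockPath,
      version: entry.version,
      ok: compareVersions(entry.version, required[name]) >= 0,
    });
  }
  return findings;
}

// True when every installed copy meets the minimum. This is the condition a
// CI step should enforce, not just "npm audit reports 0 vulnerabilities".
function overridesTookEffect(lockfile, required) {
  return checkOverrides(lockfile, required).every((f) => f.ok);
}

// On a real checkout, replace SAMPLE_LOCKFILE with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
for (const f of checkOverrides(SAMPLE_LOCKFILE, REQUIRED)) {
  console.log(`${f.ok ? "ok   " : "STALE"} ${f.name}@${f.version} at ${f.path}`);
}
```

Run against the real package-lock.json after `npm install`, the same function should report only the hoisted vite 6.4.3 and postcss 8.5.15 entries; any STALE line means the override did not reach that part of the tree and the lock needs to be regenerated before `npm audit` output can be trusted.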


Copilot AI left a comment


Pull request overview

This PR updates the docs toolchain dependency resolution to eliminate reported vulnerabilities by adding npm overrides, resulting in Vite and PostCSS being resolved to patched versions in the lockfile.

Changes:

  • Add npm overrides to force vite to ^6.4.2 and postcss to ^8.5.10.
  • Update package-lock.json to reflect resolved versions (vite@6.4.3, postcss@8.5.15) and associated transitive dependency changes.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File Description
package.json Adds overrides entries to force patched Vite/PostCSS versions.
package-lock.json Records the new resolved dependency graph (Vite 6.4.3, PostCSS 8.5.15, new transitive deps).


Comment thread package.json
Comment on lines +14 to +16
"esbuild": "^0.25.0",
"vite": "^6.4.2",
"postcss": "^8.5.10"
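Review bot: `"postcss": "^8.5.10"` is a range, not a pin, so the committed package-lock.json rather than this entry is what holds postcss at a particular 8.5.x, and the `npm audit` result quoted in the description only holds for that lock. Confirm with `npm ls vite postcss` that no nested older copy survives under node_modules/vitepress, and that `npm ci` from a clean checkout reproduces the same resolution; a later `npm install` that rewrites the lock can legitimately float either package to any newer release these ranges allow, which is fine for the security goal but is why a `^` override should not be read as pinning.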
Comment thread package.json
Comment on lines +15 to +16
"vite": "^6.4.2",
"postcss": "^8.5.10"