fix(deps): 清理 Dependabot 告警(vite → 8.1.3, undici → 7.28.0)#99
Open
chaxus wants to merge 1 commit into
Open
Conversation
- vite: bump range ^8.0.14 -> ^8.0.16 (resolves to 8.1.3), fixes GHSA affecting <=8.0.15 - undici: pnpm override to ^7.28.0 via pnpm-workspace.yaml, fixes GHSA-hm92-r4w5-c3mj on jsdom's transitive undici (was 7.26.0) Both are dev/test-only deps; no impact on the browser bundle. pnpm audit now reports 0 vulnerabilities; lint + 240 tests pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
背景
push 上个分支时 GitHub 报了 8 个 Dependabot 告警(3 high / 3 moderate / 2 low)。逐条看下来只涉及 2 个包,且都是 dev/test 链依赖,不进浏览器产物:
vite>=8.0.0 <=8.0.158.0.16^8.0.14undici>=7.0.0 <7.28.0(GHSA-hm92-r4w5-c3mj)7.28.0jsdom@29 → undici改动
^8.0.14 → ^8.0.16,实际解析到8.1.3^7.28.0(写在pnpm-workspace.yaml的overrides:——pnpm 10+ 起 overrides 从 package.json 迁到这里,写在 package.json 里不生效),固定 7.x 以留在 jsdom 支持范围内验证
pnpm audit→ No known vulnerabilities found(7 → 0)pnpm ls vite→ 8.1.3;pnpm why undici→ 7.28.0pnpm run lint:ts通过;pnpm run test→ 19 files / 240 tests 全过影响面
纯 dev 依赖,不影响浏览器产物 / 线上行为。详见
docs/explorations/2026-07-05-dependabot-vite-undici.md。🤖 Generated with Claude Code