Skip to content

fix(deps): 清理 Dependabot 告警(vite → 8.1.3, undici → 7.28.0)#99

Open
chaxus wants to merge 1 commit into
mainfrom
fix/deps-security
Open

fix(deps): 清理 Dependabot 告警(vite → 8.1.3, undici → 7.28.0)#99
chaxus wants to merge 1 commit into
mainfrom
fix/deps-security

Conversation

@chaxus

@chaxus chaxus commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

背景

push 上个分支时 GitHub 报了 8 个 Dependabot 告警(3 high / 3 moderate / 2 low)。逐条看下来只涉及 2 个包,且都是 dev/test 链依赖,不进浏览器产物:

受影响 补丁 引入
vite >=8.0.0 <=8.0.15 8.0.16 直接 devDependency ^8.0.14
undici >=7.0.0 <7.28.0 (GHSA-hm92-r4w5-c3mj) 7.28.0 传递依赖 jsdom@29 → undici

改动

  • vite:range ^8.0.14 → ^8.0.16,实际解析到 8.1.3
  • undici:pnpm override 到 ^7.28.0(写在 pnpm-workspace.yamloverrides:——pnpm 10+ 起 overrides 从 package.json 迁到这里,写在 package.json 里不生效),固定 7.x 以留在 jsdom 支持范围内

验证

  • pnpm auditNo known vulnerabilities found(7 → 0)
  • pnpm ls vite → 8.1.3;pnpm why undici → 7.28.0
  • pnpm run lint:ts 通过;pnpm run test → 19 files / 240 tests 全过

影响面

纯 dev 依赖,不影响浏览器产物 / 线上行为。详见 docs/explorations/2026-07-05-dependabot-vite-undici.md

🤖 Generated with Claude Code

- vite: bump range ^8.0.14 -> ^8.0.16 (resolves to 8.1.3), fixes
  GHSA affecting <=8.0.15
- undici: pnpm override to ^7.28.0 via pnpm-workspace.yaml, fixes
  GHSA-hm92-r4w5-c3mj on jsdom's transitive undici (was 7.26.0)

Both are dev/test-only deps; no impact on the browser bundle.
pnpm audit now reports 0 vulnerabilities; lint + 240 tests pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant