chore(deps): bump deps, clear advisories, automate releases #8
Merged
Conversation
Cleared 6 of 7 audit findings — the esbuild RCE was only reachable transitively through vite, so pinned esbuild ^0.28.1 via a pnpm override since vite still peers an older, vulnerable one. Left the js-yaml moderate: its fix (js-yaml 4) removed safeLoad() which changesets' read-yaml-file calls, so forcing it would break releases to patch a local-only DoS in a dev tool. Added dependabot and an automated changesets release workflow mirroring start-toast (OIDC publish), replacing the manual tag/publish steps in CLAUDE.md. No changeset: dev-only deps don't ship in dist/.
## What

- `pnpm.overrides` pins `esbuild: ^0.28.1` to clear the esbuild advisories that vite still peers transitively.
- `biome.json` to the 2.5.0 schema (`recommended` → `preset`).
- `.github/dependabot.yml` (npm + github-actions, weekly, grouped minor/patch).
- `.github/workflows/release.yml` — automated changesets release (OIDC publish), mirroring start-toast.
- Updated `CLAUDE.md` to document the new flow and required setup.

## Security

`pnpm audit`: 7 → 1. The one remaining moderate is `js-yaml@3.14.2`, pulled deep under `@changesets/cli` → `read-yaml-file@1.1.0`. The patched `js-yaml@4` removed `safeLoad()`, which `read-yaml-file` calls directly — forcing it would break the release tooling to patch a local-only DoS in a dev tool parsing its own config. Left intentionally.

## No changeset

These are dev-only changes that don't affect the published `dist/`, so they intentionally do not trigger a version bump.

## Required one-time setup (done)

- `ts-referer-parser` → this repo's `release.yml`.
- `CHANGESETS_GITHUB_TOKEN` repo secret added so the Release PR can trigger CI.

## Verification
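The "left intentionally" finding above is a risk acceptance, and acceptances silently rot: the accepted module can later become reachable from a runtime dependency, or a higher-severity advisory can land on the same package and be waved through by a module-name match. Below is an added example, not code from this PR or the project, of a small CI gate over `pnpm audit --json` that encodes the acceptance explicitly: the advisory passes only while it stays at or below the accepted severity, every vulnerable path starts at the named dev-only root (`@changesets/cli`), and a review date has not lapsed. The report shape (advisories keyed by id with `module_name`, `severity`, `findings[].paths` as `a>b>c` chains) is the npm v6 style pnpm emits; the sample report, the `constructed-*` advisory ids and the `ACCEPTED` register are constructed for the example.

```javascript
// Added example (not from the PR): fail CI on every pnpm audit advisory except
// ones accepted with a reason, a severity ceiling, a dev-only root and an expiry.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Accepted-risk register (constructed for this example). rootDep is the
// dev-only dependency that every vulnerable path must start from.
const ACCEPTED = [
  {
    module: 'js-yaml',
    maxSeverity: 'moderate',
    rootDep: '@changesets/cli',
    reason: 'js-yaml@4 removed safeLoad(), which read-yaml-file calls; local-only DoS in release tooling',
    expires: '2026-12-31', // ISO date; acceptance lapses after this and must be re-reviewed
  },
];

function isAccepted(adv, entry, today) {
  if (adv.module_name !== entry.module) return false;
  // Unknown severities rank as 99 so the gate fails closed on anything unexpected.
  const rank = SEVERITY_RANK[adv.severity] ?? 99;
  if (rank > SEVERITY_RANK[entry.maxSeverity]) return false;
  if (today > entry.expires) return false; // ISO dates compare lexicographically
  const paths = adv.findings.flatMap((f) => f.paths);
  // Every path must be rooted at the dev tool; one path from a runtime or
  // direct dependency means the acceptance no longer describes the exposure.
  return paths.length > 0 && paths.every((p) => p.split('>')[0] === entry.rootDep);
}

// report: parsed output of `pnpm audit --json`. today: ISO date, injectable for tests.
function gateAudit(report, accepted = ACCEPTED, today = new Date().toISOString().slice(0, 10)) {
  const blocking = [];
  const acceptedFindings = [];
  for (const [id, adv] of Object.entries(report.advisories ?? {})) {
    const entry = accepted.find((e) => isAccepted(adv, e, today));
    if (entry) {
      acceptedFindings.push({ id, module: adv.module_name, reason: entry.reason });
    } else {
      blocking.push({
        id,
        module: adv.module_name,
        severity: adv.severity,
        paths: adv.findings.flatMap((f) => f.paths),
      });
    }
  }
  return { ok: blocking.length === 0, blocking, accepted: acceptedFindings };
}

function summarize(result) {
  const lines = result.accepted.map((a) => `accepted  ${a.id} ${a.module}: ${a.reason}`);
  for (const b of result.blocking) {
    lines.push(`BLOCKING  ${b.id} ${b.module} (${b.severity}) via ${b.paths.join(', ')}`);
  }
  lines.push(result.ok ? 'audit gate: pass' : 'audit gate: FAIL');
  return lines.join('\n');
}

// Constructed sample report, not real pnpm output: the js-yaml finding the PR
// leaves in place, plus an esbuild finding of the kind the override removes.
const SAMPLE_REPORT = {
  advisories: {
    'constructed-1': {
      module_name: 'js-yaml',
      severity: 'moderate',
      findings: [{ version: '3.14.2', paths: ['@changesets/cli>read-yaml-file>js-yaml'] }],
    },
    'constructed-2': {
      module_name: 'esbuild',
      severity: 'moderate',
      findings: [{ version: '0.21.5', paths: ['vite>esbuild'] }],
    },
  },
};

console.log(summarize(gateAudit(SAMPLE_REPORT, ACCEPTED, '2026-01-01')));
```

Wired into CI as `pnpm audit --json | node audit-gate.js` (with `process.exit(1)` on `!ok`), the gate turns the prose justification in this PR into a check that fails the moment js-yaml is reachable from anything other than `@changesets/cli`, the advisory is upgraded past moderate, or the review date passes.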