fix: resolve 72 of 79 Dependabot security alerts #2223

Open

shikanime wants to merge 14 commits into main from fix/dependabot-security-patch-no-oxfmt
@shikanime shikanime commented Jun 17, 2026

Member
  • pnpm overrides for 22 transitive dependencies to address security alerts
  • Dependency bumps for OpenTelemetry, Vitest, coverage tooling, and NestJS core
  • Vite 8 compatibility updates in client and server test configs
  • Package export metadata updates for workspace packages used by Vite/Vitest resolution
  • Lockfile and workspace metadata refreshed to match the patched dependency set

@shikanime shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 17176c5 to cee95c9 Compare June 17, 2026 10:00
@shikanime shikanime marked this pull request as ready for review June 17, 2026 10:02
@github-actions github-actions Bot added the built label Jun 17, 2026
@github-actions

Contributor

🤖 Hey !

The security scan report for the current pull request is available here.

@shikanime shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from ff74e51 to 12b11b2 Compare June 17, 2026 11:46
@shikanime shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 12b11b2 to f872096 Compare June 17, 2026 13:15
@shikanime shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from f872096 to 421d277 Compare June 17, 2026 13:56

Shikanime and others added 11 commits June 18, 2026 10:49
- Add pnpm overrides for 22 transitive dependencies (protobufjs, fast-jwt,
  esbuild, vite, serialize-javascript, uuid, lodash, picomatch, ws, and others)
- Upgrade direct dependencies: OTel packages, @nestjs/core, @nestjs/terminus,
  @nestjs/schematics, @nestjs/testing
- Update lodash to 4.18.1 (4.18.0 was a bad release removing assignWith)
- Fix vite build: change target from ESNext to es2022 for LightningCSS compat
- Disable stylelint no-invalid-position-declaration (false positive on Vue
  inline styles)
- Upgrade vitest from 4.15 to 4.19 for Node 24 compatibility

7 remaining alerts: 4 fastify false positives (current version is safe),
2 @keycloak/keycloak-admin-client (no fix available), 1 elliptic (no fix).
Signed-off-by: William Phetsinorath <william.phetsinorath@shikanime.studio>
Change-Id: Ic763d3023170e3b631ec6a7d3f720a546a6a6964
@shikanime shikanime force-pushed the fix/dependabot-security-patch-no-oxfmt branch from 19be067 to c472c4b Compare June 18, 2026 08:50
@shikanime shikanime changed the title from "fix: resolve 72 of 79 Dependabot security alerts (no-oxfmt workspace)" to "fix: resolve 72 of 79 Dependabot security alerts" Jun 18, 2026

Signed-off-by: William Phetsinorath <william.phetsinorath@shikanime.studio>
Change-Id: Ie09101b6011c35a1a13f010820263e6e6a6a6964
@shikanime shikanime requested a review from StephaneTrebel June 18, 2026 09:09
@shikanime shikanime self-assigned this Jun 18, 2026