Skip to content

chore: dependency audit 2026-05 — fix high vite CVEs and moderate postcss XSS #155

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
Copilot wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

chore: dependency audit 2026-05 — fix high vite CVEs and moderate postcss XSS #155

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bfc4b4c
Initial plan
Copilot May 1, 2026
db75911
chore: monthly dependency audit 2026-05 - fix vite and postcss vulner…
Copilot May 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,13 @@ This is the living history of Chimera's evolution. Each entry represents a day o

---

### Day 64: 2026-05-01
**Feature/Change**: Monthly Dependency Audit - 2026-05
**Description**: Performed the monthly dependency security audit. Fixed 1 high severity vulnerability and 1 moderate severity vulnerability via `npm audit fix`. (1) vite 7.0.0–7.3.1 had three security issues: path traversal in optimized deps `.map` handling (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass with queries (GHSA-v2wj-q39q-566r), and arbitrary file read via dev server WebSocket (GHSA-p9ff-h696-f583) — updated from 7.2.x to 7.3.2. (2) postcss <8.5.10 had an XSS vulnerability via unescaped `</style>` in CSS Stringify output (GHSA-qx2v-qp2m-jg93) — updated to 8.5.13. No packages were outdated per `npm outdated`. Build and all 2653 tests continue to pass with no regressions.
**Files Modified**: package-lock.json, README.md, public/README.md

---

### Day 63: 2026-04-19

**Feature/Change**: Frontend Polish - Hero Surface, Heading Rhythm & Timeline Card Refinement
Expand Down
12 changes: 6 additions & 6 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 7 additions & 0 deletions public/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,13 @@ This is the living history of Chimera's evolution. Each entry represents a day o

---

### Day 64: 2026-05-01
**Feature/Change**: Monthly Dependency Audit - 2026-05
**Description**: Performed the monthly dependency security audit. Fixed 1 high severity vulnerability and 1 moderate severity vulnerability via `npm audit fix`. (1) vite 7.0.0–7.3.1 had three security issues: path traversal in optimized deps `.map` handling (GHSA-4w7w-66w2-5vf9), `server.fs.deny` bypass with queries (GHSA-v2wj-q39q-566r), and arbitrary file read via dev server WebSocket (GHSA-p9ff-h696-f583) — updated from 7.2.x to 7.3.2. (2) postcss <8.5.10 had an XSS vulnerability via unescaped `</style>` in CSS Stringify output (GHSA-qx2v-qp2m-jg93) — updated to 8.5.13. No packages were outdated per `npm outdated`. Build and all 2653 tests continue to pass with no regressions.
**Files Modified**: package-lock.json, README.md, public/README.md

---

### Day 63: 2026-04-19

**Feature/Change**: Frontend Polish - Hero Surface, Heading Rhythm & Timeline Card Refinement
Expand Down