fix(deps): bump vite 7.3.3 → 7.3.5 to clear the high-severity audit gate #852

Merged

marcel merged 1 commits from devops/vite-audit-high-fix into main 2026-06-16 11:32:38 +02:00

Conversation 0 Commits 1 Files Changed 1 +3 -3

marcel commented 2026-06-16 09:17:44 +02:00

Owner

Copy Link

What

Lockfile-only bump of vite 7.3.3 → 7.3.5 in frontend/.

Why

The CI gate npm audit --audit-level=high --omit=dev (.gitea/workflows/ci.yml §Security audit) was failing on vite 7.3.3's two high-severity advisories:

• GHSA-v6wh-96g9-6wx3 — launch-editor NTLMv2 hash disclosure via UNC path handling (Windows)
• GHSA-fx2h-pf6j-xcff — server.fs.deny bypass on Windows alternate paths

7.3.5 is in-range of the existing "vite": "^7.3.3" constraint, so no package.json change — only package-lock.json moves.

Verification

$ npm audit --audit-level=high --omit=dev   # the exact CI gate
8 vulnerabilities (1 low, 7 moderate)        # no high/critical
EXIT=0

Remaining advisories (babel, @sentry/opentelemetry, dompurify) are all moderate — below the --audit-level=high threshold, so non-gating. They can be cleared in a separate pass if desired.

🤖 Generated with Claude Code

## What Lockfile-only bump of `vite` **7.3.3 → 7.3.5** in `frontend/`. ## Why The CI gate `npm audit --audit-level=high --omit=dev` (`.gitea/workflows/ci.yml` §Security audit) was failing on vite 7.3.3's two high-severity advisories: - [GHSA-v6wh-96g9-6wx3](https://github.com/advisories/GHSA-v6wh-96g9-6wx3) — `launch-editor` NTLMv2 hash disclosure via UNC path handling (Windows) - [GHSA-fx2h-pf6j-xcff](https://github.com/advisories/GHSA-fx2h-pf6j-xcff) — `server.fs.deny` bypass on Windows alternate paths 7.3.5 is in-range of the existing `"vite": "^7.3.3"` constraint, so **no `package.json` change** — only `package-lock.json` moves. ## Verification ``` $ npm audit --audit-level=high --omit=dev # the exact CI gate 8 vulnerabilities (1 low, 7 moderate) # no high/critical EXIT=0 ``` Remaining advisories (babel, @sentry/opentelemetry, dompurify) are all **moderate** — below the `--audit-level=high` threshold, so non-gating. They can be cleared in a separate pass if desired. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

marcel added 1 commit 2026-06-16 09:17:45 +02:00

fix(deps): bump vite 7.3.3 -> 7.3.5 to clear the high-severity audit gate ... 109202246e

vite 7.3.3 carries two high-severity advisories (GHSA-v6wh-96g9-6wx3
NTLMv2 UNC disclosure, GHSA-fx2h-pf6j-xcff server.fs.deny bypass), both
flagged by the CI gate `npm audit --audit-level=high --omit=dev`. 7.3.5
is in-range of the existing `^7.3.3` constraint, so this is a
lockfile-only patch with no package.json change. Gate now exits 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

marcel added the devopssecurity labels 2026-06-16 09:18:11 +02:00

marcel merged commit 109202246e into main 2026-06-16 11:32:38 +02:00

marcel deleted branch devops/vite-audit-high-fix 2026-06-16 11:32:40 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

P0-critical

Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.

P1-high

Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.

P2-medium

Noticeable improvement; doesn't block anything; schedule opportunistically.

P3-later

Cosmetic or parking-lot work; fine to stay open indefinitely.

audit

Read-only audit / assessment work; produces a report rather than changing code

bug

Something isn't working

cleanup

Removal of dead code, vague comments, naming violations, and scratch artifacts

collaboration

We want to extend the family archive to have more collaboration tools

conversation

descoped

We will do that later

devops

documentation

README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs

epic

Marker for epic-level issues that group multiple child issues

feature

file-upload

legibility

Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction

needs-discussion

Has an open decision or design question that must be resolved before implementation can start.

needs-review

Spec is drafted and awaiting the multi-persona /review-issue gate.

notification

person

phase-1: security

Security hygiene — must be done first

phase-2: container-images

Production-ready multi-stage Docker images

phase-3: prod-compose

Production compose overlay + Caddy reverse proxy

phase-4: spring-prod-profile

Spring Boot production configuration profile

phase-5: backups

Database and object storage backup strategy

phase-6: deployment-docs

.env.example, DEPLOYMENT.md, runbook

phase-7: monitoring

Prometheus, Loki, Grafana, Alertmanager

redesign-mappe

Mappe visual redesign — consistency alignment across the app (shared components + pages). See the design_handoff bundle.

refactor

Code restructuring without behaviour change

security

spec-required

Feature whose contract is its issue body (EARS REQ-NNN); the spec must pass review before implementation.

test

ui

UI/UX and accessibility issues

user

No Label devops security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Jens renovate_bot marcel

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/familienarchiv#852