d11378c254
Some checks failed
CI / Unit & Component Tests (pull_request) Failing after 4m46s
CI / OCR Service Tests (pull_request) Successful in 24s
CI / Backend Unit Tests (pull_request) Successful in 5m42s
CI / fail2ban Regex (pull_request) Successful in 47s
CI / Semgrep Security Scan (pull_request) Successful in 21s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m8s
CI / Unit & Component Tests (push) Successful in 5m23s
CI / OCR Service Tests (push) Successful in 24s
CI / Backend Unit Tests (push) Successful in 6m4s
CI / fail2ban Regex (push) Successful in 48s
CI / Semgrep Security Scan (push) Successful in 25s
CI / Compose Bucket Idempotency (push) Successful in 1m12s
nightly / deploy-staging (push) Successful in 5m20s
The CI step "Security audit (no dev deps)" (npm audit --audit-level=high --omit=dev) failed repo-wide on every PR: newly-published advisories landed against the already-pinned esbuild 0.27.7 (GHSA-gv7w-rqvm-qjhr, GHSA-g7r4-m6w7-qqqr — both high), pulled in transitively via vite -> @sveltejs/vite-plugin-svelte. The fix for both only exists at esbuild@0.28.1. A scoped vite@7 minor bump cannot help — all vite 7.x pin esbuild ^0.27.0. Add an overrides block: - esbuild 0.28.1 (exact, no caret — a future 0.29.x must not silently float in and re-break vite; let Renovate propose bumps explicitly) - cookie >=0.7.0 (clears the low GHSA-pxg6-pf52-xh8x reaching the prod tree via @sentry/sveltekit; drop-in, done in the same pass) npm audit --audit-level=high --omit=dev now exits 0 with 0 vulnerabilities. npm run build, lint, and a dev-server boot all succeed with the forced esbuild 0.28.1 (validated, not assumed — it sits outside vite@7.3.3's declared ^0.27.0 range). Closes #817 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.0 KiB
3.0 KiB