fix: vulnerable dependencies in repo #10
Pull request overview
Updates the repo’s JavaScript toolchain dependencies to address reported vulnerabilities, including enforcing a patched @xmldom/xmldom version via pnpm overrides.
Changes:
- Bump key dev dependencies (Marp CLI, Vite, Vitest, Prettier, lint-staged, tsx, tar-fs) to newer versions.
- Add pnpm overrides to force @xmldom/xmldom to >=0.9.9.
- Refresh pnpm-lock.yaml to reflect the updated dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates devDependency versions and adds pnpm.overrides for @xmldom/xmldom. |
| pnpm-lock.yaml | Lockfile regeneration reflecting upgraded packages and the new override. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| "tar-fs": "^3.1.2", | ||
| "tsx": "^4.21.0", | ||
| "typescript": "^5.9.3", | ||
| "vite": "^8.0.0", | ||
| "vitest": "^4.1.0" | ||
| "vite": "^8.0.3", | ||
| "vitest": "^4.1.2" |
The updated toolchain (notably vite@8.0.3 and lint-staged@16.4.0 per the lockfile) now requires Node 20.17+/20.19+, but package.json doesn’t declare a Node engine. Consider adding an "engines.node" constraint (and optionally "engineStrict") so local/dev/CI environments fail fast with a clear requirement.
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "@xmldom/xmldom": ">=0.9.9" |
Using a broad override range (">=0.9.9") can unintentionally jump to a future breaking release when the lockfile is regenerated. For reproducible installs, prefer pinning the override to a specific safe version (or a narrower range) and letting the lockfile control the exact resolution.
| "@xmldom/xmldom": ">=0.9.9" | |
| "@xmldom/xmldom": "0.9.9" |
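Review bot: The exact pin `"@xmldom/xmldom": "0.9.9"` in pnpm.overrides means a later patch release of @xmldom/xmldom will not be resolved until package.json is edited again, so the next security fix for this package needs another manual PR rather than a lockfile refresh. A tilde range (`"~0.9.9"`) keeps the floor at the patched version and lets patch releases through while the lockfile still records the exact resolution; either way, add a short note (in package.json or the changelog) recording which advisory the override exists for, so it can be removed once no transitive dependency still pulls in the vulnerable range.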
No description provided.