Closed
Summary
There is one remaining moderate-severity vulnerability in the esbuild dependency, and fixing it requires a breaking change. It was intentionally deferred from PR #274 to avoid bundling a breaking change into the security fix.
Vulnerability Details
Current Status
- Fixed in PR #274 (Fix: Security vulnerabilities in npm dependencies (#267)): 8 of 9 vulnerabilities resolved via `npm audit fix`
- Remaining: 1 esbuild vulnerability, which requires `npm audit fix --force`
- Breaking change: will upgrade vite from v5.x to v6.x+
- Current workaround: the security audit step is non-blocking in CI (temporary)
Required Fix
Run `npm audit fix --force`, which will:
- Upgrade vite to v6.x or v7.x (major version bump)
- Fix the esbuild vulnerability completely
- Potentially require frontend build configuration updates
Because `--force` applies semver-major upgrades, preview what it will change with `npm audit fix --force --dry-run` first, and review the resulting `package.json` and `package-lock.json` diff before committing.
Testing Requirements
Before merging the fix:
- Verify frontend builds successfully with new vite version
- Test development server (`npm run dev`)
- Test production build (`npm run build`)
- Verify all existing frontend functionality works
- Run full test suite to ensure no regressions
- Test hot module replacement and other dev features
Follow-up Actions
After fixing the vulnerability:
- Remove `continue-on-error: true` from the security audit CI step
- Make the security audit blocking again in `.github/workflows/tests.yml`
- Verify `make security-audit` shows 0 vulnerabilities
Context
This issue was created as a follow-up to PR #274, which established automated security monitoring. The 5xWhy root cause analysis identified that forcing this breaking change in the security fix PR would violate the principle of conservative, incremental changes.
References
- Original issue: 🔒 Security: Critical npm vulnerabilities detected in dependencies #267
- Security fix PR: Fix: Security vulnerabilities in npm dependencies (#267) #274
- Investigation artifact: `.claude/PRPs/issues/completed/issue-267.md`
Priority: Medium (security issue but affects dev environment only)
Type: Security + Breaking Change