fix(deps): clear npm audit advisories blocking CI #15
npm audit --audit-level=moderate (the CI audit gate) started failing on main and therefore on every open PR after new advisories were published:

- vite 8.0.0-8.0.15 (high): server.fs.deny bypass + launch-editor NTLM hash
- js-yaml <=4.1.1 (moderate): quadratic-complexity DoS in merge keys
- markdown-it <=14.1.1 (moderate): quadratic-complexity DoS in smartquotes

vite (transitive via vitest) bumps to 8.1.0 within range. js-yaml and markdown-it are exact-pinned by markdownlint-cli2, so override them to the patched 4.2.0 / 14.2.0 (same major, non-breaking). lint/typecheck/test/build all pass; audit reports 0 vulnerabilities.
Code Review
This pull request introduces an overrides section in package.json for js-yaml, markdown-it, and vite, along with corresponding dependency updates in package-lock.json. The reviewer suggests removing vite from the overrides block, as it is already permitted by vitest and overriding it is unnecessary and could complicate future upgrades.
Reviewed lines in package.json (the new overrides block):

```json
"markdown-it": "14.2.0",
"vite": "^8.1.0"
```
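Review bot: the `"vite": "^8.1.0"` entry on the second line is a caret range, not a pin, so it does not provide the determinism the PR description says it is there for; the lockfile is what fixes the resolved version, and since vitest already accepts `^8.0.0` this entry can simply be dropped. The exact `"markdown-it": "14.2.0"` (and js-yaml) overrides are the right tool for the exact-pinned transitive copies, but they will keep forcing those versions even after markdownlint-cli2 moves its own pins forward, so leave a note (in the PR or a CHANGELOG entry) that they are to be revisited on the next markdownlint-cli2 bump.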
Since `vitest` specifies its `vite` dependency as `^6.0.0 || ^7.0.0 || ^8.0.0`, it already permits `vite@8.1.0`. Therefore, overriding `vite` is unnecessary because npm will naturally resolve it to 8.1.0 (as seen in the lockfile updates). Removing `vite` from `overrides` keeps `package.json` cleaner and avoids potential issues with future major version upgrades of `vite` when `vitest` is updated.

Suggested change:

```json
"markdown-it": "14.2.0"
```
Why

`npm audit --audit-level=moderate` (the CI `audit` gate) began failing on `main`, so every open PR inherits a red `lint / typecheck / test / audit / build` check — this is not caused by the dependabot bumps in #13/#14, it's newly-published advisories in existing deps.

- `server.fs.deny` bypass (GHSA-fx2h-pf6j-xcff) + launch-editor NTLM hash (GHSA-v6wh-96g9-6wx3)

Fix

- `vitest` and within its `^8.0.0` range; pinned with an override for determinism.
- `markdownlint-cli2@0.22.1`, so they need `overrides` → patched `4.2.0` / `14.2.0` (same major, non-breaking).

Verification

- `lint` (markdownlint clean), `typecheck`, `test` (3 passing), `build` all pass locally; `npm audit --audit-level=moderate` reports 0 vulnerabilities.

After this merges, #13 and #14 just need a rebase to go green.
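As an added example (not code from this PR or the project), a small check over a package-lock.json that reports every copy of vite, js-yaml or markdown-it still inside the advisory ranges quoted above, nested copies under another package's node_modules included, which is exactly the case a top-level bump misses and an override fixes; both lock objects are constructed sample data.

```javascript
// Added example, not code from this PR: scan a lockfileVersion-3 package-lock.json for every
// copy of a package, nested copies included, whose version is still in an advisory range.
// Ranges are the three cited in the PR description; both lock objects are constructed data.
const ADVISORIES = [
  { name: "vite",        vulnerable: v => cmp(v, [8, 0, 0]) >= 0 && cmp(v, [8, 0, 15]) <= 0 },
  { name: "js-yaml",     vulnerable: v => cmp(v, [4, 1, 1]) <= 0 },
  { name: "markdown-it", vulnerable: v => cmp(v, [14, 1, 1]) <= 0 },
];
// Parse "MAJOR.MINOR.PATCH" into numbers; a trailing prerelease/build tag is ignored.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(s);
  if (!m) throw new Error(`unparseable version: ${s}`);
  return m.slice(1, 4).map(Number);
}
// Three-way compare of two parsed versions (negative, zero, positive).
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Return [{ path, version }] for every lock entry still matching an advisory. The package
// name is whatever follows the last "node_modules/", so nested and scoped copies work alike.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const adv = ADVISORIES.find(a => a.name === name);
    if (adv && adv.vulnerable(parseVersion(entry.version))) hits.push({ path, version: entry.version });
  }
  return hits;
}
// Constructed "before" lock: vite in range, top-level js-yaml already patched, but nested
// js-yaml/markdown-it copies exact-pinned by markdownlint-cli2 that a top-level bump never touches.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/vite": { version: "8.0.12" },
  "node_modules/js-yaml": { version: "4.2.0" },
  "node_modules/markdownlint-cli2": { version: "0.22.1" },
  "node_modules/markdownlint-cli2/node_modules/js-yaml": { version: "4.1.0" },
  "node_modules/markdownlint-cli2/node_modules/markdown-it": { version: "14.1.0" },
} };
// Constructed "after" lock: the overrides collapsed the nested copies onto patched versions.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/vite": { version: "8.1.0" },
  "node_modules/js-yaml": { version: "4.2.0" },
  "node_modules/markdown-it": { version: "14.2.0" },
} };
for (const h of findVulnerable(LOCK_BEFORE)) console.log(`still vulnerable: ${h.path}@${h.version}`);
```

Running it against a real lock is the same call with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of the constructed object.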