🛡️ Security: Fix outdated dependencies#23
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies in package-lock.json, including upgrading astro to 6.4.8, esbuild to 0.28.1, and vite to 7.3.6. The reviewer noted that while the lockfile has been updated, the minimum versions in package.json should also be updated to reflect these secure versions to prevent environments that bypass the lockfile from resolving to older, vulnerable versions.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| "version": "6.3.1", | ||
| "resolved": "https://registry.npmjs.org/astro/-/astro-6.3.1.tgz", | ||
| "integrity": "sha512-atz6dmkE3Gu24bDgb7g2RE/BYnKqPYIHd6hTUM1UXvu/i7qNZOKLAqEHvgYpv9PQVcgWsXpk4/OOXZ0E/FzvSQ==", | ||
| "version": "6.4.8", |
There was a problem hiding this comment.
While updating package-lock.json resolves the vulnerabilities for the current installation, the minimum versions in package.json should also be updated to reflect these secure versions (e.g., "astro": "^6.4.8" and "esbuild": "^0.28.1"). If package.json is left with "astro": "^6.3.1" and "esbuild": "^0.28.0", any environment that bypasses or regenerates the lockfile (or if the project is installed as a dependency elsewhere) could still resolve to the older, vulnerable versions.
|
👋 PR status summary:
|
I've updated dependencies to fix known vulnerabilities found by
npm audit. 📦✨