
fix(security): patch pytest tmpdir and vite path-traversal advisories#43

Merged
hubertlim merged 2 commits into
mainfrom
fix/dependabot-security-advisories
May 27, 2026

Conversation

@hubertlim

Owner

Summary

Resolves the 4 open Dependabot security advisories.

Changes

| Advisory | Package | Before | After |
| --- | --- | --- | --- |
| GHSA-6w46-j5rx-g56g | pytest | 8.4.2 | 9.0.3 |
| GHSA-6w46-j5rx-g56g | pytest-asyncio | 0.26.0 | 1.4.0 |
| (compatibility) | pytest-cov | 5.0.0 | 7.1.0 |
| GHSA-4w7w-66w2-5vf9 | vite | ^5.2.12 | ^6.4.2 |
| GHSA-67mh-4wv8-2f99 | esbuild (transitive) | < 0.25 | >= 0.25 (via vite 6) |
| (compatibility) | vitest | ^1.6.0 | ^2.1.9 |
| (compatibility) | @vitejs/plugin-react | ^4.3.0 | ^4.7.0 |

Risks

  • pytest 9 is a major bump but the test suite uses standard pytest patterns that v9 supports.
  • vite 6 is a major bump, mostly internal changes; the build and dev server configuration in vite.config.ts is unchanged.
  • vitest 2 moves to vite 6 as the underlying engine.

Verification

  • All 17 backend tests pass with pytest 9
  • All 4 frontend tests pass with vitest 2
  • Production build succeeds (vite v6.4.2 building for production... ✓ 33 modules transformed)
  • Backend dependency lock regenerated with --require-hashes integrity
  • Frontend lockfile regenerated
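One check worth adding to the verification above for the transitive esbuild row: scan the regenerated package-lock.json for every installed copy of a package, nested duplicates included, and confirm each is at or above the fixed version, since another dependency could still pull in its own older esbuild. This is an added example, not code from the PR; the lock data below is constructed, and the esbuild floor of 0.25.0 is taken from the "< 0.25" entry in the table.

```python
"""Check that a package-lock.json resolves every installed copy of a package
at or above the advisory's fixed version (transitive copies included).
Added example, not from the PR; the lock data below is constructed."""
import json
import re

# Minimum fixed versions taken from the PR's advisory table
# (assumption: esbuild floor derived from the "< 0.25" entry).
MIN_VERSIONS = {"vite": "6.4.2", "esbuild": "0.25.0", "vitest": "2.1.9"}


def parse_version(v):
    """Turn '6.4.2' (or '6.4.2-beta.1') into a comparable tuple of ints."""
    core = re.match(r"\d+(?:\.\d+)*", v)
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in core.group(0).split("."))


def find_vulnerable(lock, min_versions):
    """Return [(lock path, version)] for every installed copy below its floor.
    Lockfile v2/v3 keeps one entry per installed location under 'packages',
    so nested duplicates (node_modules/a/node_modules/esbuild) are seen too."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact
        if name in min_versions and parse_version(meta["version"]) < parse_version(min_versions[name]):
            hits.append((path, meta["version"]))
    return hits


# Constructed lockfile: top-level esbuild is fixed, but a stale nested copy is not.
CONSTRUCTED_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "version": "0.0.0"},
    "node_modules/vite": {"version": "6.4.2"},
    "node_modules/esbuild": {"version": "0.25.4"},
    "node_modules/vitest": {"version": "2.1.9"},
    "node_modules/old-tool": {"version": "1.0.0"},
    "node_modules/old-tool/node_modules/esbuild": {"version": "0.24.2"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_vulnerable(CONSTRUCTED_LOCK, MIN_VERSIONS):
        print(f"{path}: {version} is below the fixed version")
```

Run it against the real lockfile by replacing CONSTRUCTED_LOCK with `json.load(open("package-lock.json"))`; an empty result means no installed copy is below its floor.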

hubertlim added 2 commits May 23, 2025 15:42
Resolves 4 Dependabot security alerts:

- GHSA-6w46-j5rx-g56g (pytest tmpdir): bump pytest 8.4.2 -> 9.0.3,
  pytest-asyncio 0.26.0 -> 1.4.0, pytest-cov 5.0.0 -> 7.1.0
- GHSA-4w7w-66w2-5vf9 (vite path traversal): bump vite ^5.2.12 -> ^6.4.2
- GHSA-67mh-4wv8-2f99 (esbuild dev-server CSRF): resolved transitively
  via vite 6 which uses esbuild >= 0.25

Also bumps vitest 1.6 -> 2.1.9 and @vitejs/plugin-react 4.3 -> 4.7 to
stay compatible with vite 6.

All 17 backend tests and 4 frontend tests pass on the new versions.
vite/rollup require platform-specific native bindings (e.g. rollup-linux-x64-gnu)
that npm tracks as optional dependencies. The lockfile must include them for
CI to install them on Linux runners. Regenerated with --include=optional.
@hubertlim hubertlim merged commit 0d60d69 into main May 27, 2026
8 checks passed
@hubertlim hubertlim deleted the fix/dependabot-security-advisories branch May 27, 2026 10:24
