You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
PR: chore(deps): bump vuetify from 2.7.2 to 3.0.0 in /web (#3987)
Scope:web/package.json, web/package-lock.json only (dependency bump).
Outcome: No medium, high, or critical vulnerabilities introduced or exposed by this change.
What was reviewed
Supply chain:vuetify@3.0.0 resolves from registry.npmjs.org with an integrity hash matching the published package (sha512-0olLmKWb+…). No typosquatting or unexpected package substitutions observed.
Known Vuetify CVEs: OSV/npm audit flag CVE-2025-8083 (prototype pollution, high) and CVE-2025-8082 (VDatePicker XSS, moderate) on Vuetify 2.x. Version 3.0.0 is outside the affected ranges; npm audit no longer reports a direct vuetify advisory after this bump.
Exploitability in this app: The codebase does not use v-date-picker / title-date-format. Vuetify is initialized from a static preset in web/src/plugins/vuetify.js (not attacker-controlled input), so the 2.x prototype-pollution path is not reachable via external input.
Runtime impact: Vuetify 3 requires Vue 3 (peer vue@^3.2.0); this project is on Vue 2. npm install / npm ci fail with a peer-dependency conflict, so this PR cannot produce a deployable frontend build without a full Vue/Vuetify migration. That is a compatibility blocker, not a new exploitable security issue from the version bump alone.
Prior automation threads
No previous automation review threads were found on this PR.
Slack summary: PR #3987 (Vuetify 2.7.2 → 3.0.0) — clean security review, no actionable findings. The bump would remediate known Vuetify 2.x CVEs but is incompatible with the current Vue 2 stack and fails dependency install; recommend closing or rebasing after a planned Vue 3 migration rather than merging as-is.
The reason will be displayed to describe this comment to others. Learn more.
Security review — no findings
PR: chore(deps): bump vuetify from 2.7.2 to 3.0.0 in /web (#3987)
Scope:web/package.json, web/package-lock.json only (dependency bump).
Outcome: No medium, high, or critical vulnerabilities introduced or exposed by this change.
What was reviewed
Supply chain:vuetify@3.0.0 resolves from registry.npmjs.org with integrity sha512-0olLmKWb+…, matching the published tarball. No typosquatting or unexpected package substitution.
Known Vuetify 2.x CVEs:CVE-2025-8083 (prototype pollution, high), CVE-2025-8082 (VDatePicker XSS, moderate), and CVE-2025-1461 (VCalendar XSS, moderate) affect Vuetify 2.x only. Version 3.0.0 is outside all affected ranges; npm audit reports no direct vuetify advisory after this bump.
Exploitability in this app: The codebase does not use v-date-picker, v-calendar, or attacker-controlled Vuetify presets. Vuetify is initialized from a static config in web/src/plugins/vuetify.js (not external input), so the 2.x prototype-pollution and date-picker XSS paths are not reachable via attacker-controlled input.
Runtime impact: Vuetify 3 requires Vue 3 (peer vue@^3.2.0); this project is on Vue 2. npm install fails with a peer-dependency conflict, so this PR cannot produce a deployable frontend build without a full Vue/Vuetify migration. That is a compatibility blocker, not a new exploitable security issue from the version bump alone.
Prior automation threads
No unresolved inline review threads were found. Previous top-level automation assessment validated; no findings remain applicable.
Slack summary: PR #3987 (Vuetify 2.7.2 → 3.0.0) — clean security review, no actionable findings. The bump would remediate known Vuetify 2.x CVEs but is incompatible with the current Vue 2 stack and fails dependency install; recommend closing or rebasing after a planned Vue 3 migration rather than merging as-is.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dependenciesPull requests that update a dependency filejavascriptPull requests that update javascript code
0 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dependabot
Bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Bumps vuetify from 2.7.2 to 3.0.0.
Commits
3122b69chore(release): publish v3.0.0fce23d1fix(types): add shims to UMD typese23e92cfix(types): remove UMD package export3a2dbd3fix(types): expose LocaleMessages interface48ef134feat(VList): add keyboard navigation (#15998)18537d3feat(theme): rename code/kbd variables to match conventions6c5b180fix(VTabs): respect height prope6b0d7afix: don't destroy components when transition value changesfa841a3fix(VIcon): add collapse alias for mdi-svg (#15963)be3cecafix(VDialog): explicit prop definitions (#15971)