6700152416
Updated npm packages to latest semver-compatible versions. 4 remaining high-severity vulns are dev-only (serialize-javascript in vite-plugin-pwa chain). 515/515 tests pass, zero type errors, build clean. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
43 lines
1.5 KiB
Markdown
43 lines
1.5 KiB
Markdown
# Dependency Audit Log
|
|
|
|
Tracks monthly dependency updates per MAINT-01.
|
|
|
|
---
|
|
|
|
## 2026-03-11 — Initial Audit
|
|
|
|
### npm (neode-ui)
|
|
|
|
**Updated packages** (semver-compatible):
|
|
- `@types/node`: 24.10.9 → 24.12.0
|
|
- `@vitejs/plugin-vue`: 6.0.3 → 6.0.4
|
|
- `autoprefixer`: 10.4.23 → 10.4.27
|
|
- `postcss`: 8.5.6 → 8.5.8
|
|
- `vue`: 3.5.27 → 3.5.30
|
|
- `vue-tsc`: 3.2.3 → 3.2.5
|
|
- Net result: added 35 packages, removed 53, changed 63 (overall reduction)
|
|
|
|
**Audit results after update**: 4 high-severity vulnerabilities remaining
|
|
- All in `serialize-javascript` ≤7.0.2 (RCE via RegExp.flags)
|
|
- Dependency chain: `serialize-javascript` → `@rollup/plugin-terser` → `workbox-build` → `vite-plugin-pwa`
|
|
- **Risk**: Low — dev-only dependency, not shipped to users, not exploitable at build time
|
|
- **Action**: Monitor for `vite-plugin-pwa` update that pulls `serialize-javascript` ≥7.0.3
|
|
|
|
**Major versions available (not upgraded — breaking changes)**:
|
|
- `@types/node`: 25.x (Node 22+ types — we target Node 20)
|
|
- `@vitest/coverage-v8`: 4.x (needs vitest 4.x)
|
|
- `express`: 5.x (dev mock server only)
|
|
- `jsdom`: 28.x (test env only)
|
|
- `tailwindcss`: 4.x (major migration — defer to v1.1)
|
|
- `vitest`: 4.x (defer — 3.x working well)
|
|
- `vue-router`: 5.x (major migration — defer to v1.1)
|
|
|
|
### Cargo (core/)
|
|
|
|
**Status**: Deferred — `cargo update` must run on Linux dev server (not macOS). Will be run during next deploy cycle.
|
|
|
|
### Test results
|
|
- Type-check: 0 errors
|
|
- Build: success (2.67s)
|
|
- Tests: 515/515 pass (6.83s)
|