lfg2025/archy

Dorian f32c95bb76 chore: run monthly dependency update cycle (MAINT-01)

Updated npm packages to latest semver-compatible versions. 4 remaining
high-severity vulns are dev-only (serialize-javascript in vite-plugin-pwa
chain). 515/515 tests pass, zero type errors, build clean.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-11 18:00:02 +00:00

1.5 KiB

Raw Blame History

Dependency Audit Log

Tracks monthly dependency updates per MAINT-01.

2026-03-11 — Initial Audit

npm (neode-ui)

Updated packages (semver-compatible):

@types/node: 24.10.9 → 24.12.0
@vitejs/plugin-vue: 6.0.3 → 6.0.4
autoprefixer: 10.4.23 → 10.4.27
postcss: 8.5.6 → 8.5.8
vue: 3.5.27 → 3.5.30
vue-tsc: 3.2.3 → 3.2.5
Net result: added 35 packages, removed 53, changed 63 (overall reduction)

Audit results after update: 4 high-severity vulnerabilities remaining

All in serialize-javascript ≤7.0.2 (RCE via RegExp.flags)
Dependency chain: serialize-javascript → @rollup/plugin-terser → workbox-build → vite-plugin-pwa
Risk: Low — dev-only dependency, not shipped to users, not exploitable at build time
Action: Monitor for vite-plugin-pwa update that pulls serialize-javascript ≥7.0.3

Major versions available (not upgraded — breaking changes):

@types/node: 25.x (Node 22+ types — we target Node 20)
@vitest/coverage-v8: 4.x (needs vitest 4.x)
express: 5.x (dev mock server only)
jsdom: 28.x (test env only)
tailwindcss: 4.x (major migration — defer to v1.1)
vitest: 4.x (defer — 3.x working well)
vue-router: 5.x (major migration — defer to v1.1)

Cargo (core/)

Status: Deferred — cargo update must run on Linux dev server (not macOS). Will be run during next deploy cycle.

Test results

Type-check: 0 errors
Build: success (2.67s)
Tests: 515/515 pass (6.83s)