Skip to content

chore: patch dev dependency vulnerabilities#2

Merged
ju5t merged 1 commit into
mainfrom
security-dev-dependency-patches
Jun 9, 2026
Merged

chore: patch dev dependency vulnerabilities#2
ju5t merged 1 commit into
mainfrom
security-dev-dependency-patches

Conversation

@ju5t

@ju5t ju5t commented Jun 9, 2026

Copy link
Copy Markdown

Description

Resolves all open npm audit / Dependabot security findings, which were exclusively in dev-only dependencies (build and test tooling). Print.js ships no runtime dependencies, so none of these affected the published library — this cleans up the development and CI toolchain.

Changes:

  • Updated transitive build/test dependencies to patched versions via npm audit fix (vite, rollup, esbuild, fast-uri, flatted, immutable, ws, brace-expansion, etc.).
  • Bumped the vitest stack (vitest, @vitest/browser, @vitest/coverage-v8) from 2.x to 4.x to clear the critical Vitest UI advisory.
  • Removed the coveralls dependency and its npm script. It pinned the deprecated request package, pulling in unpatchable form-data (critical), qs, tough-cookie, and uuid advisories with no fix available. Coverage upload can run via the Coveralls GitHub Action instead.

npm audit now reports 0 vulnerabilities. Full test suite passes (62 tests across 10 files) on vitest 4.

Visual changes

None.

Functional changes

  • Changes have been tested to not break existing functionality.
  • Documentation is up-to-date.

bump vitest stack to 4.x, update transitive build/test deps, and drop coveralls (deprecated request chain). resolves all npm audit findings.
@ju5t ju5t merged commit 503f25c into main Jun 9, 2026
2 checks passed
@ju5t ju5t deleted the security-dev-dependency-patches branch June 9, 2026 12:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant