
[DependOnMe] Critical security fix - 2 issue(s)#22

Open
dependonme-deriv wants to merge 2 commits into
masterfrom
dependonme/bulk-fix-ea59f65e

Conversation

@dependonme-deriv

Bulk Security Fix

This pull request was automatically generated by DependOnMe to fix 2 critical security issue(s).

Issues Fixed

  • Critical: 2
  • High: 0
  • Medium: 0
  • Low: 0

Files Modified

  • package.json

AI Summary

Fixed 2 security issues (both are the same CVE on the same package, reported twice):

  • CVE-2026-47429 (Critical): Updated vitest from ^3.1.2 to ^4.1.0. The vulnerability allows arbitrary file read and execution when the Vitest UI server is listening. Fixed by upgrading to the patched version 4.1.0+.

What was changed and why:

  • vitest: ^3.1.2 → ^4.1.0 — Direct fix for CVE-2026-47429
  • @vitest/coverage-istanbul: ^3.1.2 → ^4.1.0 — Required to match vitest major version (peer dependency alignment)
  • @vitest/coverage-v8: ^3.1.2 → ^4.1.0 — Required to match vitest major version (peer dependency alignment)
  • @vitest/ui: ^3.1.2 → ^4.1.0 — Required to match vitest major version (peer dependency alignment)

All @vitest/* ecosystem packages must share the same major version as vitest itself to avoid peer dependency conflicts. Failing to update them would result in npm install errors or runtime incompatibilities.

⚠️ Risk Assessment:

  • Medium-High Risk: This is a major version bump (3.x → 4.x). While Vitest 4.x largely maintains backward-compatible test APIs, there may be subtle behavioral or configuration changes.
  • vite ^6.3.4 (already present) satisfies Vitest 4.x peer dependency requirements — no vite upgrade needed.
  • No source code changes were required; only version bumps in package.json.

Manual Steps Required:

  1. Delete node_modules and package-lock.json
  2. Run npm install to regenerate the lock file with the patched versions
  3. Run the full test suite to verify compatibility

🧪 Testing Checklist:

  • Run npm install successfully (no peer dependency errors)
  • Run npm test — verify all tests pass under Vitest 4.x
  • Run npm run test:coverage — verify coverage reporting still works
  • Run npm run report — verify Vitest UI (--ui) still launches correctly
  • Run npm run build — verify the library build is unaffected
  • Check for any TypeScript/type errors introduced by the upgrade
  • Review Vitest 4.x migration guide for any config-level breaking changes: https://vitest.dev/guide/migration

This PR was created by DependOnMe - Automated Security Issue Management
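The PR description above relies on every @vitest/* package sharing vitest's major version. The following check is an added example, not code from this PR or from DependOnMe: it reads a parsed package.json object and reports any @vitest/* entry whose major differs from vitest's. It assumes plain caret, tilde or exact semver ranges such as "^4.1.0"; the sample manifests are constructed to mirror the before, partially applied and after states of this PR.

```javascript
// Extract the major version from a simple semver range ("^4.1.0" -> 4).
// Returns null for ranges it cannot parse (e.g. "latest", "*"), which the
// caller treats as a problem rather than silently passing.
function majorOf(range) {
  const m = /^[\^~>=<\s]*v?(\d+)\./.exec(String(range));
  return m ? Number(m[1]) : null;
}

// Check that all @vitest/* packages in dependencies/devDependencies share
// vitest's major version (the peer alignment rule the PR describes).
function checkVitestAlignment(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const problems = [];
  if (!("vitest" in deps)) return { ok: true, vitestMajor: null, problems };
  const vitestMajor = majorOf(deps.vitest);
  if (vitestMajor === null) {
    problems.push(`vitest: unparseable range "${deps.vitest}"`);
    return { ok: false, vitestMajor, problems };
  }
  for (const [name, range] of Object.entries(deps)) {
    if (!name.startsWith("@vitest/")) continue;
    const major = majorOf(range);
    if (major === null) {
      problems.push(`${name}: unparseable range "${range}"`);
    } else if (major !== vitestMajor) {
      problems.push(`${name}@${range} does not match vitest major ${vitestMajor}`);
    }
  }
  return { ok: problems.length === 0, vitestMajor, problems };
}

// Constructed sample manifests (hypothetical, modelled on this PR's versions).
const BEFORE = { devDependencies: {
  vitest: "^3.1.2", "@vitest/ui": "^3.1.2", "@vitest/coverage-v8": "^3.1.2",
  "@vitest/coverage-istanbul": "^3.1.2", vite: "^6.3.4" } };
// vitest bumped but one coverage package left behind: the case the PR warns about.
const PARTIAL = { devDependencies: {
  vitest: "^4.1.0", "@vitest/ui": "^4.1.0", "@vitest/coverage-v8": "^3.1.2",
  "@vitest/coverage-istanbul": "^4.1.0", vite: "^6.3.4" } };
const AFTER = { devDependencies: {
  vitest: "^4.1.0", "@vitest/ui": "^4.1.0", "@vitest/coverage-v8": "^4.1.0",
  "@vitest/coverage-istanbul": "^4.1.0", vite: "^6.3.4" } };

for (const [label, pkg] of [["before", BEFORE], ["partial", PARTIAL], ["after", AFTER]]) {
  const r = checkVitestAlignment(pkg);
  console.log(label, r.ok ? "ok" : "MISMATCH", r.problems.join("; "));
}
```

To run it against a real manifest, pass `JSON.parse(fs.readFileSync("package.json", "utf8"))` to `checkVitestAlignment` and fail the build when `ok` is false.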

dependonme-deriv and others added 2 commits June 3, 2026 20:21
Automatically regenerated by DependOnMe bot after package.json update.
Branch: dependonme/bulk-fix-ea59f65e
Package manager: npm

github-actions Bot commented Jun 3, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Manifest Files

package-lock.json
