Skip to content

Re-land vitest upgrade (#17) + transformers migration (#18) onto main#19

Merged
jhamon merged 2 commits into
mainfrom
deps/migrate-transformers
Jul 9, 2026
Merged

Re-land vitest upgrade (#17) + transformers migration (#18) onto main#19
jhamon merged 2 commits into
mainfrom
deps/migrate-transformers

Conversation

@jhamon

@jhamon jhamon commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Recovers work that didn't reach main

PRs #17 and #18 were stacked (their bases were the intermediate branches deps/remove-danfojs and deps/upgrade-vitest, not main). When #16 merged, GitHub didn't auto-retarget the children, so merging #17/#18 landed them into those intermediate branches instead of main. Both show "MERGED", but main only actually received #16.

This PR points deps/migrate-transformers (which contains both changes as two clean commits on top of #16) directly at main to finish the job.

Commits

Content is identical to the already-reviewed #17 and #18 — no new changes.

Effect on main

npm audit: 37 → 3 (0 critical / 0 high, 3 dev-tooling moderates remain). Restores the state we thought main was already in.

Verification

Re-ran on the branch tip: npm run build, tsc --noEmit, npm test (23 pass), npm run lint, npm run format:check all green.

🤖 Generated with Claude Code

jhamon and others added 2 commits July 8, 2026 16:40
vitest 2.1.9 has a critical advisory (arbitrary file read/exec via the
UI server, fixed in 3.2.6) and pulled an ancient jsdom@16 as a kept
peerOptional, which in turn dragged in the only vulnerable copies of
form-data (critical) and lodash (high, no npm fix on the 4.x line) left
in the tree. Our tests use the "node" environment, so jsdom was never
actually used.

- Bump vitest to ^3.2.7 (clears the vitest critical; pulls modern
  vite 7.x, so the old vite/rollup/esbuild dev advisories drop out).
- Regenerate package-lock.json from scratch. Most of the remaining
  alerts were lockfile *staleness*, not version-range blockers: the
  direct deps' semver ranges already permitted patched transitive
  versions, so a fresh resolve drops jsdom entirely and refreshes
  braces, cross-spawn, semver, ws, picomatch, minimatch, tar-fs,
  flatted, etc. to their fixed versions. (This is why overrides were
  the wrong tool here.) The regen also floats @xenova/transformers
  2.2.0 -> 2.17.2 within its existing ^2.2.0 range, which clears sharp.

npm audit: 37 -> 7. The remaining 7 are the @xenova/transformers
cluster (protobufjs / onnx-proto / onnxruntime-web, addressed in the
next PR) plus three build-tool moderates (esbuild / tsup / tsx).

Verified: npm run build, npm test (23 pass), npm run lint,
npm run format:check all green; @xenova/transformers 2.17.2 and the
embedder surface still load.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@xenova/transformers is frozen at 2.17.2 and pins onnxruntime-web@1.14,
which drags in onnx-proto and protobufjs@6.11.x — the last critical
(prototype pollution / arbitrary code execution) plus several highs.
Those advisories have no fix on the 6.x line, and the vulnerable code
sits in the browser ONNX backend this Node CLI never runs, so overrides
couldn't help. transformers.js moved to the official
@huggingface/transformers package, whose current release builds on
onnxruntime-web with protobufjs@^7.2.4 (fixed) and sharp@^0.34 (fixed).

- Swap the dependency to @huggingface/transformers@^4.2.0.
- embeddings.ts: use the canonical "feature-extraction" task (the v2
  "embeddings" alias) and the v3+ `dtype: "fp32"` option in place of the
  removed `quantized: false` (both mean full-precision weights).

npm audit: 7 -> 3, and 0 critical / 0 high / 0 moderate in production
dependencies. The remaining 3 are dev/build-tool moderates
(esbuild / tsup / tsx).

Verified: npm run build, tsc --noEmit, npm test (23 pass), npm run lint,
npm run format:check all green, plus an end-to-end embedding run
(init + embed of a sample string) producing a 384-dimensional,
L2-normalized vector (norm = 1.0000) — matching the Pinecone index's
`dimension: 384`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jhamon jhamon merged commit 966df87 into main Jul 9, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant