Re-land vitest upgrade (#17) + transformers migration (#18) onto main#19
Merged
Conversation
vitest 2.1.9 has a critical advisory (arbitrary file read/exec via the UI server, fixed in 3.2.6) and pulled an ancient jsdom@16 as a kept peerOptional, which in turn dragged in the only vulnerable copies of form-data (critical) and lodash (high, no npm fix on the 4.x line) left in the tree. Our tests use the "node" environment, so jsdom was never actually used. - Bump vitest to ^3.2.7 (clears the vitest critical; pulls modern vite 7.x, so the old vite/rollup/esbuild dev advisories drop out). - Regenerate package-lock.json from scratch. Most of the remaining alerts were lockfile *staleness*, not version-range blockers: the direct deps' semver ranges already permitted patched transitive versions, so a fresh resolve drops jsdom entirely and refreshes braces, cross-spawn, semver, ws, picomatch, minimatch, tar-fs, flatted, etc. to their fixed versions. (This is why overrides were the wrong tool here.) The regen also floats @xenova/transformers 2.2.0 -> 2.17.2 within its existing ^2.2.0 range, which clears sharp. npm audit: 37 -> 7. The remaining 7 are the @xenova/transformers cluster (protobufjs / onnx-proto / onnxruntime-web, addressed in the next PR) plus three build-tool moderates (esbuild / tsup / tsx). Verified: npm run build, npm test (23 pass), npm run lint, npm run format:check all green; @xenova/transformers 2.17.2 and the embedder surface still load. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@xenova/transformers is frozen at 2.17.2 and pins onnxruntime-web@1.14, which drags in onnx-proto and protobufjs@6.11.x — the last critical (prototype pollution / arbitrary code execution) plus several highs. Those advisories have no fix on the 6.x line, and the vulnerable code sits in the browser ONNX backend this Node CLI never runs, so overrides couldn't help. transformers.js moved to the official @huggingface/transformers package, whose current release builds on onnxruntime-web with protobufjs@^7.2.4 (fixed) and sharp@^0.34 (fixed). - Swap the dependency to @huggingface/transformers@^4.2.0. - embeddings.ts: use the canonical "feature-extraction" task (the v2 "embeddings" alias) and the v3+ `dtype: "fp32"` option in place of the removed `quantized: false` (both mean full-precision weights). npm audit: 7 -> 3, and 0 critical / 0 high / 0 moderate in production dependencies. The remaining 3 are dev/build-tool moderates (esbuild / tsup / tsx). Verified: npm run build, tsc --noEmit, npm test (23 pass), npm run lint, npm run format:check all green, plus an end-to-end embedding run (init + embed of a sample string) producing a 384-dimensional, L2-normalized vector (norm = 1.0000) — matching the Pinecone index's `dimension: 384`. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Recovers work that didn't reach
mainPRs #17 and #18 were stacked (their bases were the intermediate branches
deps/remove-danfojsanddeps/upgrade-vitest, notmain). When #16 merged, GitHub didn't auto-retarget the children, so merging #17/#18 landed them into those intermediate branches instead ofmain. Both show "MERGED", butmainonly actually received #16.This PR points
deps/migrate-transformers(which contains both changes as two clean commits on top of #16) directly atmainto finish the job.Commits
Content is identical to the already-reviewed #17 and #18 — no new changes.
Effect on
mainnpm audit: 37 → 3 (0 critical / 0 high, 3 dev-tooling moderates remain). Restores the state we thought main was already in.Verification
Re-ran on the branch tip:
npm run build,tsc --noEmit,npm test(23 pass),npm run lint,npm run format:checkall green.🤖 Generated with Claude Code