chore(deps): clear Dependabot alerts via lockfile regen + vitest v4 bump#36
Merged
…abilities
Resolves the bulk of the 64 open Dependabot alerts surfaced after enabling
security updates on this repo. Three manifests were regenerated:
solution/MyHANAApp/package-lock.json
- npm audit: 6 -> 0 vulnerabilities (axios chain dropped by upstream)
solution/MyHANAApp/app/router/package-lock.json
- npm audit: 10 -> 2 vulnerabilities
- Remaining 2 (axios via @sap/approuter@21) require a major bump to
@sap/approuter@22; deferred to a separate validated PR since this
could affect xs-app.json / mta.yaml routing.
docs/package.json + docs/package-lock.json
- vitest devDependency bumped from ^2.1.9 to ^4 (compat verified: all
23 unit tests still pass, docs build still produces clean output)
- npm audit: 17 -> 4 vulnerabilities
- Remaining 4 are upstream-pending in the vitepress -> vite -> esbuild
chain, only reachable via the local dev server (npm run docs:dev),
not the production docs build. Will be dismissed in Dependabot with
'tolerable risk - dev server only' until vitepress publishes a fix.
No source-code changes; only lockfiles and one devDependency major bump.
Summary
Following the OSPO-driven enablement of Dependabot security updates in #35, GitHub surfaced 64 vulnerabilities that had been silently accumulating in stale lockfiles. This PR clears the bulk of them.
What changed
| Manifest | Change | npm audit (before → after) |
|---|---|---|
| solution/MyHANAApp/package-lock.json | `@sap/cds-dk` dropped its `axios` transitive dep, eliminating the 39-alert axios chain. | 6 → 0 |
| solution/MyHANAApp/app/router/package-lock.json | axios-via-approuter alerts deferred (see below). | 10 → 2 |
| docs/package.json + docs/package-lock.json | `vitest` ^2.1.9 → ^4 (semver-major) to fix the critical vitest CVE; verified all 23 unit tests still pass and `npm run docs:build` succeeds. | 17 → 4 |

🔴 critical · 🟠 high · 🟡 moderate
What's left and why
2 alerts in AppRouter (axios via @sap/approuter@21)
`@sap/approuter` 21.x transitively pins an old `axios`. The fix requires `@sap/approuter@22`, a semver-major bump that may affect routing config. This is a workshop-content change deserving its own validated PR (re-test exercise 5/8 with the live AppRouter, confirm `xs-app.json` and `mta.yaml` destination routing). Will open a follow-up issue.
4 alerts in docs (esbuild → vite → vitepress chain)
- `esbuild` GHSA-67mh-4wv8-2f99 — dev server CORS issue
- `vite` path-traversal in `.map` handling — dev server only
- `vitepress` and `vitepress-plugin-mermaid` (no fix available; `vitepress` 1.6.4 is latest stable).
Risk: these only manifest while running `npm run docs:dev` and an attacker can already reach `localhost` on the developer's machine. The production output of `npm run docs:build` (the static site we deploy) is unaffected. Will dismiss in Dependabot as "tolerable risk – dev server only" with a note to re-evaluate when vitepress 2.x lands.
Verification done
- `npm audit` before/after captured for every manifest (numbers in the table above)
- docs/: `npm test` → 23/23 passing on vitest v4
- docs/: `npm run docs:build` → success, no errors
- solution/MyHANAApp/: `cds compile srv` → success
No source-code changes
Only lockfile regen and the single vitest devDependency bump. Workshop participant experience is unchanged for any exercise that uses these dependencies — they'll just install fresher transitive versions.