Skip to content

chore(deps): dependency + security-alert sweep#114

Merged
Musiker15 merged 1 commit into
mainfrom
chore/deps-alert-sweep
Jul 13, 2026
Merged

chore(deps): dependency + security-alert sweep#114
Musiker15 merged 1 commit into
mainfrom
chore/deps-alert-sweep

Conversation

@Musiker15

Copy link
Copy Markdown
Member

Clears the open Dependabot PRs and the 10 open Dependabot alerts. All alerts
were development-scope (the pnpm audit --prod --audit-level=high gate was
already clean); this closes them at all severities.

Version bumps

Override-based alert fixes (pnpm-workspace.yaml)

Superseded Dependabot PRs (to close, already past these versions on the sweep)

Verification

pnpm audit (all severities) reports no known vulnerabilities. typecheck +
lint + 315 tests + build green.

Clears the open Dependabot PRs and the 10 open Dependabot alerts (all
development-scope; `pnpm audit --prod` was already clean).

Version bumps:
- nodemailer 9.0.1 -> 9.0.3
- next 16.2.6 -> 16.2.9, react + react-dom 19.2.6 -> 19.2.7,
  react-hook-form 7.77.0 -> 7.80.0 (the "next group")
- @types/node 25 -> 26, prettier 3.8.3 -> 3.9.5 (+ one-off tree reformat)
- CI actions: actions/checkout v6 -> v7, actions/cache v5 -> v6

pnpm-workspace.yaml overrides (close dev-transitive advisories):
- vite -> ^6.4.3 (GHSA-4w7w-66w2-5vf9, GHSA-jqfw-vq24-v9c3)
- js-yaml 4.x -> ^4.2.0 (GHSA-mh29-5h37-fv8m)
- @babel/core -> ^7.29.6 (GHSA-67hx-6x53-jw92)
- undici is intentionally NOT overridden: a clean resolve already lands on the
  patched 7.28.0 that jsdom accepts; forcing it broke the vitest jsdom worker.

`pnpm audit` (all severities) now reports no known vulnerabilities.
typecheck + lint + 315 tests + build green.

Signed-off-by: Musiker15 <info@musiker15.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant