fix(deps): clear 14 remaining dependabot advisories in website #108

Merged
maxholman merged 2 commits into main from fix/website-deps
May 6, 2026
@maxholman
Contributor

Summary

Sweep of `website/` dependencies to clear all 14 remaining dependabot advisories. Drops the redundant vite 8 lineage (we already pull patched vite 7.3.2 transitively from astro) to dodge a rolldown regression with `@tailwindcss/vite`.

Closes

#28 #29 #30 #31 #33 #34 #35 #36 #37 #38 #39 #40 #44 #48

Direct dep changes (package.json)

| package | before | after |
| --- | --- | --- |
| astro | ^6.0.6 | ^6.2.2 |
| @astrojs/markdoc | ^1.0.2 | ^1.0.4 |
| @astrojs/sitemap | ^3.7.1 | ^3.7.2 |
| @iconify-json/lucide | ^1.2.98 | ^1.2.105 |
| @tailwindcss/vite | ^4.2.2 | ^4.2.4 |
| astro-pagefind | ^1.8.5 | ^1.8.6 |
| satori | ^0.25.0 | ^0.26.0 |
| tailwindcss | ^4.2.2 | ^4.2.4 |
| oxfmt (dev) | ^0.41.0 | ^0.48.0 |
| oxlint (dev) | ^1.56.0 | ^1.63.0 |
| vite (dev) | ^8.0.1 | ^7.3.2 |
| wrangler (dev) | ^4.75.0 | ^4.88.0 |

The vite downgrade is the only "non-trivial" change — see context below.

Why downgrade vite from 8 to 7

`pnpm update --latest` pushed vite to 8.0.10 (and the patched-but-still-bumped 8.0.5), both of which fail the build with:

```
[@tailwindcss/vite:generate:build] Missing field `tsconfigPaths` on BindingViteResolvePluginConfig.resolveOptions
```

That's a rolldown regression in vite 8's bundler when paired with `@tailwindcss/vite@4.2.4`. `@tailwindcss/vite`'s peer-dep range covers vite 5–8, so dropping back to 7 is supported. Astro pulls vite 7.3.2 transitively anyway (which is the patched version that closes alerts #36 #37 #38), so the direct devDep just aligns with the version we already use.

Release

The `fix(deps):` commit triggers another patch release (`v0.15.1` -> `v0.15.2`) on merge.

Verified

  • `pnpm build` (`astro build`) succeeds — 21 pages built
  • No more vite 8 in the resolved tree
  • yaml@2.x no longer in the lockfile (was an optional vite peer; now omitted)
  • All 14 alert packages at or above their patched versions

How to verify

maxholman added 2 commits May 6, 2026 18:45
Sweep of website/ deps to latest within ranges, plus a vite downgrade
from 8 -> 7 to match astro's transitive vite (7.3.2) and avoid a
rolldown regression with @tailwindcss/vite 4.2.4.

Closes alerts #28 #29 #30 #31 #33 #34 #35 #36 #37 #38 #39 #40 #44 #48
covering vite, picomatch, postcss, yaml, astro, smol-toml.

- vite ^8.0.1 -> ^7.3.2 (drops the now-redundant vite 8 lineage; astro
  pulls 7.3.2 transitively, which is the patched version)
- astro 6.0.6 -> 6.2.2 (#44)
- @tailwindcss/vite 4.2.2 -> 4.2.4
- smol-toml: lockfile bump to 1.6.1 (#28)
- postcss: lockfile bump to 8.5.14 (#48)
- picomatch: lockfile bumps to 2.3.2 + 4.0.4 (#29 #30 #39 #40)
- yaml is now omitted entirely (it was an optional vite peer)

Verified: pnpm build succeeds; no @tailwindcss/vite peer-dep warnings.

oxlint 1.63 removed prefer-arrow-callback from the eslint plugin.
With the deps bump in this branch (oxlint 1.56 -> 1.63), the rule no
longer resolves and `pnpm check` errors out before linting any files.
@maxholman merged commit 7bfffee into main May 6, 2026
1 check passed
@maxholman deleted the fix/website-deps branch May 6, 2026 12:59
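
The lockfile checks listed under "Verified" in the description (no vite 8 in the resolved tree, yaml absent, alert packages at or above their patched versions) can be run mechanically. The following Node.js script is an added example, not code from this PR or the project. It assumes the versions this PR lands on are the patched floors, and it runs against a constructed lockfile excerpt rather than the real `pnpm-lock.yaml`.

```javascript
// Added example. Floors are the versions this PR lands on (assumed to be the
// patched minimums); a major line not listed for a package is rejected.
const FLOORS = {
  vite: { 7: "7.3.2" },
  astro: { 6: "6.2.2" },
  "smol-toml": { 1: "1.6.1" },
  postcss: { 8: "8.5.14" },
  picomatch: { 2: "2.3.2", 4: "4.0.4" },
};
const MUST_BE_ABSENT = ["yaml"]; // was an optional vite peer, now omitted

// Collect unique name@version keys from the two-space-indented entries of a
// pnpm-lock.yaml (packages/snapshots). Peer suffixes like "(x@1.0.0)" are ignored.
function resolvedPackages(lockText) {
  const re = /^ {2}'?((?:@[^@\/\s']+\/)?[^@\/\s']+)@(\d+\.\d+\.\d+)[^:\n]*:[ \t]*$/gm;
  const seen = new Map();
  for (const [, name, version] of lockText.matchAll(re)) {
    seen.set(`${name}@${version}`, { name, version });
  }
  return [...seen.values()];
}

// Numeric comparison of x.y.z strings: negative when a < b.
function compareVersions(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Return one message per resolved package that violates the policy above.
function auditLockfile(lockText) {
  const problems = [];
  for (const { name, version } of resolvedPackages(lockText)) {
    const floors = FLOORS[name];
    const floor = floors && floors[version.split(".")[0]];
    if (MUST_BE_ABSENT.includes(name)) problems.push(`${name}@${version}: expected to be absent`);
    else if (!floors) continue; // not one of the alert packages
    else if (!floor) problems.push(`${name}@${version}: unexpected major line`);
    else if (compareVersions(version, floor) < 0) problems.push(`${name}@${version}: below ${floor}`);
  }
  return problems;
}

// Constructed lockfile excerpt, not the project's real pnpm-lock.yaml.
const SAMPLE_LOCK = [
  "packages:", "  '@tailwindcss/vite@4.2.4':", "  vite@8.0.10:", "  vite@7.3.2:",
  "  picomatch@2.3.1:", "  picomatch@4.0.4:", "  yaml@2.8.0:",
  "snapshots:", "  vite@7.3.2(@types/node@24.0.0)(yaml@2.8.0):",
].join("\n");
console.log(auditLockfile(SAMPLE_LOCK));
```

Scoped names such as `@tailwindcss/vite` are matched as a whole, so they are not mistaken for `vite` itself.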