fix(deps): resolve all 78 open Dependabot alerts#605
Merged
Conversation
Bump vite directly and pin transitive dependencies (mostly under @ownclouders/web-pkg) via pnpm overrides to their first patched versions. Verified with a clean `pnpm install` + `pnpm vite build` (vite 5 -> 6 major bump builds cleanly, 56 modules, same as baseline). Runtime: - @casl/ability 6.5.0 -> 6.8.1 (#59 critical, prototype pollution, needs >= 6.7.5) - axios 1.13.5/1.17.0 -> 1.18.1 (#100,102,106-113,121-125,132-134,136-139, needs >= 1.16.0) - follow-redirects 1.15.11 -> 1.16.0 (#99, needs >= 1.16.0) - form-data 4.0.5 -> 4.0.6 (#146 CRLF injection, needs >= 4.0.6) - lodash-es 4.17.21 -> 4.18.1 (#52,84,85, needs >= 4.18.0) - postcss 8.5.6 -> 8.5.16 (#105 XSS, needs >= 8.5.10) - qs 6.14.1 -> 6.15.3 (#60,126 DoS, needs >= 6.15.2) - uuid 9.0.0 -> 11.1.1 (#127 bounds check, needs >= 11.1.1; major bump) - yaml 1.10.2 -> 1.10.3 (#79 stack overflow, needs >= 1.10.3) Development: - @babel/core 7.22.1 -> 7.29.7 (#147, needs >= 7.29.6) - @hono/node-server 1.19.9 -> 1.19.14 (#73,88, needs >= 1.19.13) - @modelcontextprotocol/sdk 1.25.3 -> 1.29.0 (#57, needs >= 1.26.0) - esbuild 0.21.5 -> 0.25.12 (#28, needs >= 0.25.0) - fast-uri 3.1.0 -> 3.1.3 (#116,118, needs >= 3.1.2) - flatted 3.3.3 -> 3.4.2 (#78 prototype pollution, needs >= 3.4.2) - hono 4.11.7 -> 4.12.28 (#63,70-72,76,89-93,101,115,117,119,120,128-131,141-145, needs >= 4.12.25) - js-yaml 4.1.1 -> 4.3.0 (#153 DoS, needs >= 4.2.0) - lodash 4.17.21 -> 4.18.1 (#53,86,87, needs >= 4.18.0) - minimatch 3.1.2 -> 3.1.5 (#68 ReDoS, needs >= 3.1.3) - picomatch 2.3.1 -> 2.3.2 (#81, needs >= 2.3.2) - rollup 4.52.5 -> 4.62.2 (#69 path traversal, needs >= 4.59.0) - vite 5.4.21 -> 6.4.3 (#94,96,148,149,151,152, needs >= 6.4.3; major bump) No-fix / accept-risk: none - every open alert has an upstream patch and is covered above. All alerts remain open until this PR merges to master (Dependabot rescans the default branch). Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
phil-davis
approved these changes
Jul 9, 2026
phil-davis
left a comment
Contributor
There was a problem hiding this comment.
Note: the webUI acceptance tests only test a number of combinations of things that would prevent a share recipient "Brian" from being able to access the "raw" content of a file. They don't actually test what happens when Brian views the file on the UI, and should be shown an image rendering of the file with some watermark on it.
After all these version bumps to JS, someone should check that the rendering of the image with watermark is happening correctly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all 78 open Dependabot alerts (1 critical, 24 high, 48 moderate, 5 low).
viteis bumped directly (5 → 6); every other package is a transitive dependency (mostly under@ownclouders/web-pkg) pinned to its first patched version viapnpm.overrides.Test plan
pnpm install— clean resolution, all overrides landed on a single version per package.pnpm vite build— passes (vite v6.4.3, 56 modules transformed — same module count as the pre-change baseline). The vite 5 → 6 major bump builds cleanly.make dist. vite 6 supports Node^18 || ^20 || >=22, so no engine-floor regression.pnpm lintfails on both this branch andmasterwithESLint couldn't find an eslint.config file— a pre-existing eslint v9 config-migration issue unrelated to these dependency bumps.Fixed (resolved version ≥ first patched)
Runtime
Development
No fix available
None — every open alert has an upstream patch and is covered above.
Blocked on merge
All 78 alerts stay open until this PR merges to
master; Dependabot only rescans the default branch. The code fix is complete and pushed.🤖 Generated with Claude Code