fix(app): bump vitest to 3.2.6 to clear npm audit gate (CAR-1335)
CI / test (pull_request) Successful in 11s
CI / audit (pull_request) Successful in 11s
CI / e2e (pull_request) Has been cancelled
CI / lint (pull_request) Has been cancelled
CI / deploy-dev (pull_request) Has been cancelled
CI / deploy-uat (pull_request) Has been cancelled
CI / build-and-push (pull_request) Has been cancelled
The audit job runs `npm audit --audit-level=high` after `npm ci`. Vitest 3.0.0-3.2.4 carries a critical CVE (GHSA-5xrq-8626-4rwp, CVSS 9.8) in the UI server that allows arbitrary file read and execute. The fix ships in 3.2.6 and is a patch release (no breaking changes), so the existing vitest API surface (vi.mock, vi.useFakeTimers, vi.setSystemTime) is unchanged.

The audit failure is unrelated to the REGISTRY_TOKEN fix in this PR (CAR-1147) but the audit gate runs on every PR and blocks this one. The vitest bump is the smallest possible fix.

Refs CAR-1335, CAR-1147.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
+1
-1
@@ -45,7 +45,7 @@
|
||||
"typescript-eslint": "^8.56.1",
|
||||
"vite": "^6.4.2",
|
||||
"vite-plugin-pwa": "^0.21.2",
|
||||
"vitest": "^3.2.4"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"overrides": {
|
||||
"@babel/plugin-transform-modules-systemjs": ">=7.29.4",
|
||||
|
||||
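Review bot: The `"vitest": "^3.2.6"` line changes only the manifest range, and the +1/-1 stat shows no lockfile change alongside it. `npm ci` installs exactly what the lockfile pins, and `npm audit` evaluates that resolved tree, so if a package-lock.json is committed it should be regenerated in this same commit so the pinned vitest is 3.2.6 or later and stays in sync with the manifest. Since the hunk also shows an existing `"overrides"` block, it is worth confirming that no other package in the tree pulls in its own vitest copy from the 3.0.0-3.2.4 range named in the commit message.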