chore(security): override vite + esbuild past vitepress's vulnerable transitives #159
Reference in New Issue
Block a user
Delete Branch "chore/security-vite-esbuild-overrides"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Unblocks
pnpm ci:audit. Two moderate vulnerabilities surfaced after the docs-site chantier (#154):. > vitepress > vite > esbuild. > vitepress > viteBoth come from VitePress 1.6.4's pinned dep tree (
vite@5.4.21 → esbuild@0.21.5). The rest of the workspace was already on vite 8.0.13 + esbuild 0.27.3 — only the VitePress branch was stuck on the vulnerable line.What lands
Two new entries in
package.json's existingpnpm.overridesblock:Same version-selector pattern as the other overrides already in the file (axios, follow-redirects, ip-address, …). The override only kicks in when the resolved version is in the vulnerable range, so it becomes a no-op the day the underlying dep ships a clean version of its own.
After
pnpm install, the resolver picks vite 7.3.2 + esbuild 0.27.3 for the VitePress branch (the workspace's other vite consumers stay on 8.0.13, deduped on esbuild).Why couldn't we pin a patched vite 5.x?
The vite team did not backport the security fix to the 5.x line.
vite@5.4.22is not published — the latest 5.x stays at 5.4.21, which is vulnerable. The only path forward is to let pnpm pick a patched 6.x or 7.x major. Verified that VitePress 1.6.4 still:pnpm docs:buildsucceeds in ~4 s, down from 9 s on the older vite);.gitea/workflows/docs-site.ymlstill grep-matchesclass="mermaid"/<svg>in ADR-0009's HTML);pnpm docs:devboots, the dayjs CJS-interop fix from #156 still applies for the same reason — Mermaid's CJS deps need pre-bundling regardless of vite major).Why didn't Renovate propose this PR itself?
Root cause: both vite and esbuild are transitive dependencies — declared by vitepress, not by us. Renovate's
vulnerabilityAlertsflow handles direct package.json deps. For pnpm transitives, the remediation would have to land inpnpm.overrides, which the renovatebot/renovate:40 image doesn't write automatically.Adjacent points:
workflow_dispatch— fire it once from the Gitea Actions UI.ignorePaths, no exclude of vite/esbuild/vitepress. The silence was purely about the transitive-remediation gap, not a config bug.Test plan
pnpm install— clean, no peer warnings beyond the pre-existingnestjs-prisma → chokidarone.pnpm audit --audit-level=moderate— "No known vulnerabilities found".pnpm docs:build— clean build in ~4 s.grep 'class="mermaid"' docs/.vitepress/dist/decisions/0009-…htmlmatches.pnpm ci:auditon CI — should now pass (the goal of this PR).pnpm docs:dev, navigate to/decisions/0009-…, confirm the OIDC sequence diagram renders. Dark-mode toggle still flips theme.Follow-ups (optional)
renovateConfig.transitiveRemediationstory or switching the workflow torenovate/renovate:latest— newer point releases sometimes ship better pnpm-overrides authoring. Not urgent.