From 3c89bd50e7a2c8af8c8ab5fbc40b547e8ad7727c Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 10:40:56 -0600 Subject: [PATCH 1/7] chore(deps): override node-forge to address CVE-2025-66031 --- package.json | 3 ++- pnpm-lock.yaml | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 071d8e732e..6ff3d5e16f 100644 --- a/package.json +++ b/package.json @@ -115,7 +115,8 @@ "cookie": ">=0.7.1", "nanoid": "3.3.8", "esbuild": ">=0.25.0", - "serialize-javascript": ">=6.0.2" + "serialize-javascript": ">=6.0.2", + "node-forge": ">=1.3.2" } }, "packageManager": "pnpm@8.15.9+sha512.499434c9d8fdd1a2794ebf4552b3b25c0a633abcee5bb15e7b5de90f32f47b513aca98cd5cfd001c31f0db454bc3804edccd578501e4ca293a6816166bbd9f81" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4a556b6204..3524b76e23 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -18,6 +18,7 @@ overrides: nanoid: 3.3.8 esbuild: '>=0.25.0' serialize-javascript: '>=6.0.2' + node-forge: '>=1.3.2' importers: @@ -12868,7 +12869,7 @@ packages: deprecated: Package is no longer maintained hasBin: true dependencies: - node-forge: 1.3.1 + node-forge: 1.3.3 dev: false /gopd@1.2.0: @@ -15503,8 +15504,8 @@ packages: fetch-blob: 3.2.0 formdata-polyfill: 4.0.10 - /node-forge@1.3.1: - resolution: {integrity: sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==} + /node-forge@1.3.3: + resolution: {integrity: sha512-rLvcdSyRCyouf6jcOIPe/BgwG/d7hKjzMKOas33/pHEr6gbq18IK9zV7DiPvzsz0oBJPme6qr6H6kGZuI9/DZg==} engines: {node: '>= 6.13.0'} dev: false From 69323bf96d74aa5a96cb3232d3c678ab7421b7cd Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 10:51:55 -0600 Subject: [PATCH 2/7] chore(deps): override glob to address CVE-2025-64756 --- package.json | 3 ++- pnpm-lock.yaml | 9 +++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 6ff3d5e16f..6b021c08ae 100644 
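Review bot: The added `"node-forge": ">=1.3.2"` entry in the overrides hunk of package.json has neither a selector nor an upper bound. Every dependent is therefore forced onto whatever node-forge release is newest at the next relock, including a future major that those dependents never declared support for. The lockfile in this patch resolves it to 1.3.3, but that reflects the registry at lock time, not a constraint of the override. Later patches in this series use a scoped selector with an exact target (`"glob@>=10.2.0 <11": "10.5.0"`); the same shape here would be `"node-forge@<1.3.2": "1.3.3"`, or at minimum `"node-forge": ">=1.3.2 <2"`. The enclosing overrides object starts above the hunk.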
--- a/package.json +++ b/package.json @@ -116,7 +116,8 @@ "nanoid": "3.3.8", "esbuild": ">=0.25.0", "serialize-javascript": ">=6.0.2", - "node-forge": ">=1.3.2" + "node-forge": ">=1.3.2", + "glob@>=10.2.0 <11": "10.5.0" } }, "packageManager": "pnpm@8.15.9+sha512.499434c9d8fdd1a2794ebf4552b3b25c0a633abcee5bb15e7b5de90f32f47b513aca98cd5cfd001c31f0db454bc3804edccd578501e4ca293a6816166bbd9f81" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 3524b76e23..34b5d13c1c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -19,6 +19,7 @@ overrides: esbuild: '>=0.25.0' serialize-javascript: '>=6.0.2' node-forge: '>=1.3.2' + glob@>=10.2.0 <11: 10.5.0 importers: @@ -12735,8 +12736,8 @@ packages: resolution: {integrity: sha512-lkX1HJXwyMcprw/5YUZc2s7DrpAiHB21/V+E1rHUrVNokkvB6bqMzT0VfV6/86ZNabt1k14YOIaT7nDvOX3Iiw==} dev: true - /glob@10.4.5: - resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==} + /glob@10.5.0: + resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==} hasBin: true dependencies: foreground-child: 3.3.1 @@ -17922,7 +17923,7 @@ packages: dependencies: '@jridgewell/gen-mapping': 0.3.13 commander: 4.1.1 - glob: 10.4.5 + glob: 10.5.0 lines-and-columns: 1.2.4 mz: 2.7.0 pirates: 4.0.7 @@ -18416,7 +18417,7 @@ packages: engines: {node: '>=18'} dependencies: '@istanbuljs/schema': 0.1.3 - glob: 10.4.5 + glob: 10.5.0 minimatch: 9.0.5 /text-hex@1.0.0: From bd954e0a407cbb64e8dd754258855065ab5818fb Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 10:55:52 -0600 Subject: [PATCH 3/7] chore(deps): override jwsto address CVE-2025-65945 --- package.json | 3 ++- pnpm-lock.yaml | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index 6b021c08ae..443649c0dd 100644 --- a/package.json +++ b/package.json 
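Review bot: The selector in `"glob@>=10.2.0 <11": "10.5.0"` rewrites only consumers on the 10.x line, so a glob snapshot from any other major line in pnpm-lock.yaml stays exactly as resolved. The lockfile hunks of this patch touch only `/glob@10.4.5` and the rest of the lock is not visible here, so the commit does not show that no other affected copy remains. Running `pnpm why glob` and `pnpm audit` after the relock and recording the result in the commit message would close that gap. The same applies to `"jws@>=3 <4": "3.2.3"` in PATCH 3/7 and `"js-yaml@>=3 <3.14.2": "3.14.2"` in PATCH 5/7, which are likewise limited to one major line.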
@@ -117,7 +117,8 @@ "esbuild": ">=0.25.0", "serialize-javascript": ">=6.0.2", "node-forge": ">=1.3.2", - "glob@>=10.2.0 <11": "10.5.0" + "glob@>=10.2.0 <11": "10.5.0", + "jws@>=3 <4": "3.2.3" } }, "packageManager": "pnpm@8.15.9+sha512.499434c9d8fdd1a2794ebf4552b3b25c0a633abcee5bb15e7b5de90f32f47b513aca98cd5cfd001c31f0db454bc3804edccd578501e4ca293a6816166bbd9f81" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 34b5d13c1c..2dc6efeb3f 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -20,6 +20,7 @@ overrides: serialize-javascript: '>=6.0.2' node-forge: '>=1.3.2' glob@>=10.2.0 <11: 10.5.0 + jws@>=3 <4: 3.2.3 importers: @@ -14423,7 +14424,7 @@ packages: resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==} engines: {node: '>=12', npm: '>=6'} dependencies: - jws: 3.2.2 + jws: 3.2.3 lodash.includes: 4.3.0 lodash.isboolean: 3.0.3 lodash.isinteger: 4.0.4 @@ -14449,8 +14450,8 @@ packages: safe-buffer: 5.2.1 dev: false - /jws@3.2.2: - resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==} + /jws@3.2.3: + resolution: {integrity: sha512-byiJ0FLRdLdSVSReO/U4E7RoEyOCKnEnEPMjq3HxWtvzLsV08/i5RQKsFVNkCldrCaPr2vDNAOMsfs8T/Hze7g==} dependencies: jwa: 1.4.2 safe-buffer: 5.2.1 From 58b683f832c8ba274fc6baf7b1cd49014c40a505 Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 11:00:04 -0600 Subject: [PATCH 4/7] chore(deps): upgrade vite to address CVE-2025-46565, CVE-2025-62522, CVE-2025-32395, CVE-2025-30208, CVE-2025-31125, CVE-2025-31486, CVE-2025-58751, CVE-2025-58752 --- e2e/dev-server-startup/package.json | 4 +- package.json | 2 +- packages/evidence/package.json | 4 +- packages/lib/sdk/package.json | 4 +- packages/ui/core-components/package.json | 4 +- pnpm-lock.yaml | 211 ++++++++++++++--------- sites/example-project/package.json | 4 +- 7 files changed, 144 insertions(+), 89 deletions(-) 
diff --git a/e2e/dev-server-startup/package.json b/e2e/dev-server-startup/package.json index 9a1a67a2cf..988748a470 100644 --- a/e2e/dev-server-startup/package.json +++ b/e2e/dev-server-startup/package.json @@ -19,7 +19,7 @@ "@evidence-dev/core-components": "workspace:*", "@evidence-dev/duckdb": "workspace:*", "@evidence-dev/evidence": "workspace:*", - "vite": "5.4.14", + "vite": "5.4.21", "vitest": "^2.1.9" }, "overrides": { @@ -33,4 +33,4 @@ "@types/node": "^22.10.6", "cross-env": "^7.0.3" } -} +} \ No newline at end of file diff --git a/package.json b/package.json index 443649c0dd..cd4581bd97 100644 --- a/package.json +++ b/package.json @@ -69,7 +69,7 @@ "unified": "9.1.0", "unist-util-visit": "4.1.2", "uvu": "0.5.2", - "vite": "5.4.14" + "vite": "5.4.21" }, "scripts": { "release": "run-s package:core-components build:tailwind build:evidence && pnpm changeset publish", diff --git a/packages/evidence/package.json b/packages/evidence/package.json index b5d5c2869d..72e61f3569 100644 --- a/packages/evidence/package.json +++ b/packages/evidence/package.json @@ -35,7 +35,7 @@ "@evidence-dev/tailwind": "workspace:*", "@sveltejs/kit": "2.8.4", "svelte": "4.2.19", - "vite": "5.4.14" + "vite": "5.4.21" }, "dependencies": { "@evidence-dev/preprocess": "workspace:*", @@ -62,7 +62,7 @@ "tailwindcss": "3.4.18", "typescript": "5.4.2", "unist-util-visit": "4.1.2", - "vite": "5.4.14" + "vite": "5.4.21" }, "engines": { "node": ">=18" diff --git a/packages/lib/sdk/package.json b/packages/lib/sdk/package.json index 57fcf128ac..6ee98a1adb 100644 --- a/packages/lib/sdk/package.json +++ b/packages/lib/sdk/package.json @@ -133,7 +133,7 @@ "recast": "^0.23.4", "svelte-sequential-preprocessor": "^2.0.1", "sveltekit-autoimport": "^1.7.1", - "vite": "5.4.14", + "vite": "5.4.21", "vitest": "^2.1.9", "yaml": "^2.3.4", "zod": "^3.23.7" @@ -161,4 +161,4 @@ "optional": true } } -} +} \ No newline at end of file 
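Review bot: Bumping the direct `"vite": "5.4.21"` pins in the root package.json hunk and the workspace manifests does not move the copy that vitest resolves for itself. In this patch's pnpm-lock.yaml hunks the `/vite@5.4.14` snapshot is kept, and both `@vitest/mocker@2.1.9(vite@5.4.14)` and what appears to be the `/vitest@2.1.9` entry still carry `vite: 5.4.14`. The lockfile hunks of PATCH 5/7 then re-add the `vite@5.4.14(@types/node@…)` snapshots, drop `@vitest/mocker@2.1.9(vite@5.4.21)` and point the vitest entries back at 5.4.14, so the version this commit upgrades away from stays installed. An entry in the overrides block, for example `"vite@>=5 <5.4.21": "5.4.21"`, would pin the transitive resolution as well. After relocking, a check that no `/vite@5.4.14` key remains in pnpm-lock.yaml would confirm it.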
diff --git a/packages/ui/core-components/package.json b/packages/ui/core-components/package.json index f8e001c72d..55ab4b1f51 100644 --- a/packages/ui/core-components/package.json +++ b/packages/ui/core-components/package.json @@ -118,7 +118,7 @@ "tailwindcss": "3.4.18", "tslib": "^2.6.2", "typescript": "5.4.2", - "vite": "5.4.14", + "vite": "5.4.21", "vitest": "^2.1.9" }, "overrides": { @@ -141,4 +141,4 @@ }, "readme": "ERROR: No README data found!", "_id": "@evidence-dev/core-components@0.0.1" -} +} \ No newline at end of file diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 2dc6efeb3f..defc730e0f 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -118,10 +118,10 @@ importers: version: 3.0.1(@sveltejs/kit@2.8.4) '@sveltejs/kit': specifier: 2.8.4 - version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) '@sveltejs/vite-plugin-svelte': specifier: 3.0.2 - version: 3.0.2(svelte@4.2.19)(vite@5.4.14) + version: 3.0.2(svelte@4.2.19)(vite@5.4.21) '@tidyjs/tidy': specifier: 2.5.2 version: 2.5.2 @@ -234,8 +234,8 @@ importers: specifier: 0.5.2 version: 0.5.2 vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@20.11.28) + specifier: 5.4.21 + version: 5.4.21(@types/node@20.11.28) e2e: devDependencies: @@ -374,8 +374,8 @@ importers: specifier: workspace:* version: link:../../packages/evidence vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@22.19.0) + specifier: 5.4.21 + version: 5.4.21(@types/node@22.19.0) vitest: specifier: ^2.1.9 version: 2.1.9(@types/node@22.19.0) 
@@ -847,10 +847,10 @@ importers: version: 3.0.1(@sveltejs/kit@2.8.4) '@sveltejs/kit': specifier: 2.8.4 - version: 2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.14) + version: 2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.21) '@sveltejs/vite-plugin-svelte': specifier: 3.1.2 - version: 3.1.2(svelte@4.2.19)(vite@5.4.14) + version: 3.1.2(svelte@4.2.19)(vite@5.4.21) autoprefixer: specifier: ^10.4.7 version: 10.4.21(postcss@8.5.6) @@ -907,8 +907,8 @@ importers: specifier: 4.2.19 version: 4.2.19 vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@20.11.28) + specifier: 5.4.21 + version: 5.4.21(@types/node@20.11.28) packages/extension: dependencies: @@ -1223,8 +1223,8 @@ importers: specifier: ^1.7.1 version: 1.8.1(@sveltejs/kit@2.8.4) vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@20.19.24) + specifier: 5.4.21 + version: 5.4.21(@types/node@20.19.24) vitest: specifier: ^2.1.9 version: 2.1.9(@types/node@20.19.24)(jsdom@23.2.0) @@ -1462,7 +1462,7 @@ importers: version: 8.6.14(react@17.0.2)(storybook@8.6.14) '@storybook/addon-svelte-csf': specifier: ^4.1.3 - version: 4.2.0(@storybook/svelte@8.6.14)(@sveltejs/vite-plugin-svelte@3.0.2)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14) + version: 4.2.0(@storybook/svelte@8.6.14)(@sveltejs/vite-plugin-svelte@3.0.2)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21) '@storybook/addon-themes': specifier: ^8.3.4 version: 8.6.14(storybook@8.6.14) @@ -1471,7 +1471,7 @@ importers: version: 8.6.14(react-dom@17.0.2)(react@17.0.2)(storybook@8.6.14) '@storybook/builder-vite': specifier: ^8.3.4 - version: 8.6.14(storybook@8.6.14)(vite@5.4.14) + version: 8.6.14(storybook@8.6.14)(vite@5.4.21) '@storybook/jest': specifier: ^0.2.3 version: 0.2.3 
@@ -1483,7 +1483,7 @@ importers: version: 8.6.14(storybook@8.6.14)(svelte@4.2.19) '@storybook/sveltekit': specifier: ^8.3.4 - version: 8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14) + version: 8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21) '@storybook/testing-library': specifier: ^0.2.2 version: 0.2.2 @@ -1495,13 +1495,13 @@ importers: version: 3.1.1(@sveltejs/kit@2.8.4) '@sveltejs/kit': specifier: 2.8.4 - version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) '@sveltejs/package': specifier: ^2.3.1 version: 2.5.4(svelte@4.2.19)(typescript@5.4.2) '@sveltejs/vite-plugin-svelte': specifier: 3.0.2 - version: 3.0.2(svelte@4.2.19)(vite@5.4.14) + version: 3.0.2(svelte@4.2.19)(vite@5.4.21) '@types/chroma-js': specifier: ^2.4.4 version: 2.4.5 @@ -1575,8 +1575,8 @@ importers: specifier: 5.4.2 version: 5.4.2 vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@20.11.28) + specifier: 5.4.21 + version: 5.4.21(@types/node@20.11.28) vitest: specifier: ^2.1.9 version: 2.1.9 @@ -1734,7 +1734,7 @@ importers: version: 2.1.1 '@sveltejs/kit': specifier: 2.8.4 - version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + version: 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) '@tidyjs/tidy': specifier: 2.5.2 version: 2.5.2 @@ -1801,7 +1801,7 @@ importers: version: 2.2.7(svelte@4.2.19)(typescript@5.4.2) '@sveltejs/vite-plugin-svelte': specifier: 3.0.2 - version: 3.0.2(svelte@4.2.19)(vite@5.4.14) + version: 3.0.2(svelte@4.2.19)(vite@5.4.21) '@types/esm': specifier: ^3.2.0 version: 3.2.2 
@@ -1821,8 +1821,8 @@ importers: specifier: 3.4.18 version: 3.4.18 vite: - specifier: 5.4.14 - version: 5.4.14(@types/node@20.11.28) + specifier: 5.4.21 + version: 5.4.21(@types/node@20.11.28) vitest: specifier: ^2.1.9 version: 2.1.9 @@ -7588,7 +7588,7 @@ packages: ts-dedent: 2.2.0 dev: true - /@storybook/addon-svelte-csf@4.2.0(@storybook/svelte@8.6.14)(@sveltejs/vite-plugin-svelte@3.0.2)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14): + /@storybook/addon-svelte-csf@4.2.0(@storybook/svelte@8.6.14)(@sveltejs/vite-plugin-svelte@3.0.2)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-ius5C6vp+55upbi7MAiJvBSkXxZuokNwkBfmUgY3sAdvp4IAvBp8A+Yvk6bWZqo2TJTfM4ccT3WAmNTxa9m0sw==} peerDependencies: '@storybook/svelte': ^7.0.0 || ^8.0.0 || ^8.0.0-beta.0 || ^8.2.0-beta.0 @@ -7607,11 +7607,11 @@ packages: '@babel/runtime': 7.28.4 '@storybook/svelte': 8.6.14(storybook@8.6.14)(svelte@4.2.19) '@storybook/types': 8.6.14(storybook@8.6.14) - '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.21) dedent: 1.7.0 magic-string: 0.30.21 svelte: 4.2.19 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - babel-plugin-macros - storybook @@ -7662,7 +7662,7 @@ packages: ts-dedent: 2.2.0 dev: true - /@storybook/builder-vite@8.6.14(storybook@8.6.14)(vite@5.4.14): + /@storybook/builder-vite@8.6.14(storybook@8.6.14)(vite@5.4.21): resolution: {integrity: sha512-ajWYhy32ksBWxwWHrjwZzyC0Ii5ZTeu5lsqA95Q/EQBB0P5qWlHWGM3AVyv82Mz/ND03ebGy123uVwgf6olnYQ==} peerDependencies: storybook: ^8.6.14 @@ -7672,7 +7672,7 @@ packages: browser-assert: 1.2.1 storybook: 8.6.14(prettier@3.6.2) ts-dedent: 2.2.0 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) dev: true /@storybook/components@8.6.14(storybook@8.6.14): 
@@ -7798,7 +7798,7 @@ packages: storybook: 8.6.14(prettier@3.6.2) dev: true - /@storybook/svelte-vite@8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14): + /@storybook/svelte-vite@8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-SYN1c6FkTqhXxsZYQc9+oTtJszolr8lKV/uAWB9qpiOiAKrYSFCy+Zl34AL53N2Yr5pYH4hViC7BuEZYTnoQpQ==} engines: {node: '>=18.0.0'} peerDependencies: @@ -7807,9 +7807,9 @@ packages: svelte: ^4.0.0 || ^5.0.0 vite: ^4.0.0 || ^5.0.0 || ^6.0.0 dependencies: - '@storybook/builder-vite': 8.6.14(storybook@8.6.14)(vite@5.4.14) + '@storybook/builder-vite': 8.6.14(storybook@8.6.14)(vite@5.4.21) '@storybook/svelte': 8.6.14(storybook@8.6.14)(svelte@4.2.19) - '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.21) magic-string: 0.30.21 storybook: 8.6.14(prettier@3.6.2) svelte: 4.2.19 @@ -7818,7 +7818,7 @@ packages: sveltedoc-parser: 4.2.1 ts-dedent: 2.2.0 typescript: 5.9.3 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - '@babel/core' - coffeescript @@ -7854,7 +7854,7 @@ packages: - supports-color dev: true - /@storybook/sveltekit@8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14): + /@storybook/sveltekit@8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-N8Zp5wWf/tPcbs3EufvQhLM4yX5FQ6c6UdT5GrhVAi1UPH9oCpdyJFMHju5tFYe+rn64sRaETKeM3j5kkbp18A==} engines: {node: '>=18.0.0'} peerDependencies: 
@@ -7863,12 +7863,12 @@ packages: vite: ^4.0.0 || ^5.0.0 || ^6.0.0 dependencies: '@storybook/addon-actions': 8.6.14(storybook@8.6.14) - '@storybook/builder-vite': 8.6.14(storybook@8.6.14)(vite@5.4.14) + '@storybook/builder-vite': 8.6.14(storybook@8.6.14)(vite@5.4.21) '@storybook/svelte': 8.6.14(storybook@8.6.14)(svelte@4.2.19) - '@storybook/svelte-vite': 8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.14) + '@storybook/svelte-vite': 8.6.14(@sveltejs/vite-plugin-svelte@3.0.2)(postcss-load-config@4.0.2)(postcss@8.5.6)(storybook@8.6.14)(svelte@4.2.19)(vite@5.4.21) storybook: 8.6.14(prettier@3.6.2) svelte: 4.2.19 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - '@babel/core' - '@sveltejs/vite-plugin-svelte' @@ -7926,7 +7926,7 @@ packages: peerDependencies: '@sveltejs/kit': ^2.0.0 dependencies: - '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) import-meta-resolve: 4.2.0 dev: true @@ -7935,9 +7935,9 @@ packages: peerDependencies: '@sveltejs/kit': ^2.0.0 dependencies: - '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.21) - /@sveltejs/kit@2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/kit@2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-oDSBHPokbP2iaQlHiEWAkVLsIugsXve8YtABtlyHBUljA63Wgx0UtV8MSOQOGpRft1M+Cd5rzer+0SFlppQwOg==} engines: {node: '>=18.13'} hasBin: true 
@@ -7947,7 +7947,7 @@ packages: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.3 dependencies: - '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.21) '@types/cookie': 0.6.0 cookie: 1.0.2 devalue: 5.4.2 @@ -7961,9 +7961,9 @@ packages: sirv: 3.0.2 svelte: 4.2.19 tiny-glob: 0.2.9 - vite: 5.4.14(@types/node@20.19.24) + vite: 5.4.21(@types/node@20.19.24) - /@sveltejs/kit@2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/kit@2.8.4(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-oDSBHPokbP2iaQlHiEWAkVLsIugsXve8YtABtlyHBUljA63Wgx0UtV8MSOQOGpRft1M+Cd5rzer+0SFlppQwOg==} engines: {node: '>=18.13'} hasBin: true @@ -7973,7 +7973,7 @@ packages: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.3 dependencies: - '@sveltejs/vite-plugin-svelte': 3.1.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.1.2(svelte@4.2.19)(vite@5.4.21) '@types/cookie': 0.6.0 cookie: 1.0.2 devalue: 5.4.2 @@ -7987,7 +7987,7 @@ packages: sirv: 3.0.2 svelte: 4.2.19 tiny-glob: 0.2.9 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) /@sveltejs/package@2.2.7(svelte@4.2.19)(typescript@5.4.2): resolution: {integrity: sha512-/vvmrQO2mMvROdM/iGRHtRn+ValnK9xzB50pqRcX0IvoeVoTq7uhYf+KifrZTluBA+km6AX/WXRXajrgrgbmvw==} @@ -8023,7 +8023,7 @@ packages: - typescript dev: true - /@sveltejs/vite-plugin-svelte-inspector@2.1.0(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/vite-plugin-svelte-inspector@2.1.0(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-9QX28IymvBlSCqsCll5t0kQVxipsfhFFL+L2t3nTWfXnddYwxBuAEtTtlaVQpRz9c37BhJjltSeY4AJSC03SSg==} engines: {node: ^18.0.0 || >=20} peerDependencies: 
@@ -8031,14 +8031,14 @@ packages: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.0 dependencies: - '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.0.2(svelte@4.2.19)(vite@5.4.21) debug: 4.4.3 svelte: 4.2.19 - vite: 5.4.14(@types/node@20.19.24) + vite: 5.4.21(@types/node@20.19.24) transitivePeerDependencies: - supports-color - /@sveltejs/vite-plugin-svelte-inspector@2.1.0(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/vite-plugin-svelte-inspector@2.1.0(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-9QX28IymvBlSCqsCll5t0kQVxipsfhFFL+L2t3nTWfXnddYwxBuAEtTtlaVQpRz9c37BhJjltSeY4AJSC03SSg==} engines: {node: ^18.0.0 || >=20} peerDependencies: 
@@ -8046,48 +8046,48 @@ packages: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.0 dependencies: - '@sveltejs/vite-plugin-svelte': 3.1.2(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte': 3.1.2(svelte@4.2.19)(vite@5.4.21) debug: 4.4.3 svelte: 4.2.19 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - supports-color - /@sveltejs/vite-plugin-svelte@3.0.2(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/vite-plugin-svelte@3.0.2(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-MpmF/cju2HqUls50WyTHQBZUV3ovV/Uk8k66AN2gwHogNAG8wnW8xtZDhzNBsFJJuvmq1qnzA5kE7YfMJNFv2Q==} engines: {node: ^18.0.0 || >=20} peerDependencies: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.0 dependencies: - '@sveltejs/vite-plugin-svelte-inspector': 2.1.0(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte-inspector': 2.1.0(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) debug: 4.4.3 deepmerge: 4.3.1 kleur: 4.1.5 magic-string: 0.30.21 svelte: 4.2.19 svelte-hmr: 0.15.3(svelte@4.2.19) - vite: 5.4.14(@types/node@20.19.24) - vitefu: 0.2.5(vite@5.4.14) + vite: 5.4.21(@types/node@20.19.24) + vitefu: 0.2.5(vite@5.4.21) transitivePeerDependencies: - supports-color - /@sveltejs/vite-plugin-svelte@3.1.2(svelte@4.2.19)(vite@5.4.14): + /@sveltejs/vite-plugin-svelte@3.1.2(svelte@4.2.19)(vite@5.4.21): resolution: {integrity: sha512-Txsm1tJvtiYeLUVRNqxZGKR/mI+CzuIQuc2gn+YCs9rMTowpNZ2Nqt53JdL8KF9bLhAf2ruR/dr9eZCwdTriRA==} engines: {node: ^18.0.0 || >=20} peerDependencies: svelte: ^4.0.0 || ^5.0.0-next.0 vite: ^5.0.0 dependencies: - '@sveltejs/vite-plugin-svelte-inspector': 2.1.0(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/vite-plugin-svelte-inspector': 2.1.0(@sveltejs/vite-plugin-svelte@3.1.2)(svelte@4.2.19)(vite@5.4.21) debug: 4.4.3 deepmerge: 4.3.1 kleur: 4.1.5 magic-string: 0.30.21 svelte: 4.2.19 svelte-hmr: 0.16.0(svelte@4.2.19) - vite: 
5.4.14(@types/node@20.11.28) - vitefu: 0.2.5(vite@5.4.14) + vite: 5.4.21(@types/node@20.11.28) + vitefu: 0.2.5(vite@5.4.21) transitivePeerDependencies: - supports-color @@ -9045,7 +9045,24 @@ packages: '@vitest/spy': 2.1.9 estree-walker: 3.0.3 magic-string: 0.30.21 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.14 + dev: true + + /@vitest/mocker@2.1.9(vite@5.4.21): + resolution: {integrity: sha512-tVL6uJgoUdi6icpxmdrn5YNo3g3Dxv+IHJBr0GXHaEdTcw3F+cPKnsXFhli6nO+f/6SDKPHEK1UN+k+TQv0Ehg==} + peerDependencies: + msw: ^2.4.9 + vite: ^5.0.0 + peerDependenciesMeta: + msw: + optional: true + vite: + optional: true + dependencies: + '@vitest/spy': 2.1.9 + estree-walker: 3.0.3 + magic-string: 0.30.21 + vite: 5.4.21(@types/node@20.11.28) /@vitest/pretty-format@2.0.5: resolution: {integrity: sha512-h8k+1oWHfwTkyTkb9egzwNMfJAEx4veaPSnMeKbVSjp4euqGSbQlm5+6VHwTr7u4FJslVVsUG5nopCaAYdOmSQ==} @@ -18199,7 +18216,7 @@ packages: '@sveltejs/kit': '>=1.0.0' dependencies: '@rollup/pluginutils': 4.2.1 - '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.14) + '@sveltejs/kit': 2.8.4(@sveltejs/vite-plugin-svelte@3.0.2)(svelte@4.2.19)(vite@5.4.21) estree-walker: 2.0.2 magic-string: 0.26.7 dev: false @@ -19163,7 +19180,7 @@ packages: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 1.1.2 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - '@types/node' - less @@ -19185,7 +19202,7 @@ packages: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 1.1.2 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) transitivePeerDependencies: - '@types/node' - less @@ -19207,7 +19224,7 @@ packages: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 1.1.2 - vite: 5.4.14(@types/node@20.19.24) + vite: 5.4.21(@types/node@20.19.24) transitivePeerDependencies: - '@types/node' - less 
@@ -19228,7 +19245,7 @@ packages: debug: 4.4.3 es-module-lexer: 1.7.0 pathe: 1.1.2 - vite: 5.4.14(@types/node@22.19.0) + vite: 5.4.21(@types/node@22.19.0) transitivePeerDependencies: - '@types/node' - less @@ -19241,10 +19258,48 @@ packages: - terser dev: false - /vite@5.4.14(@types/node@20.11.28): + /vite@5.4.14: resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true + peerDependencies: + '@types/node': ^18.0.0 || >=20.0.0 + less: '*' + lightningcss: ^1.21.0 + sass: '*' + sass-embedded: '*' + stylus: '*' + sugarss: '*' + terser: ^5.4.0 + peerDependenciesMeta: + '@types/node': + optional: true + less: + optional: true + lightningcss: + optional: true + sass: + optional: true + sass-embedded: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + dependencies: + esbuild: 0.25.12 + postcss: 8.5.6 + rollup: 4.52.5 + optionalDependencies: + fsevents: 2.3.3 + dev: true + + /vite@5.4.21(@types/node@20.11.28): + resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true peerDependencies: '@types/node': ^18.0.0 || >=20.0.0 less: '*' @@ -19279,8 +19334,8 @@ packages: optionalDependencies: fsevents: 2.3.3 - /vite@5.4.14(@types/node@20.19.24): - resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} + /vite@5.4.21(@types/node@20.19.24): + resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true peerDependencies: 
@@ -19317,8 +19372,8 @@ packages: optionalDependencies: fsevents: 2.3.3 - /vite@5.4.14(@types/node@22.19.0): - resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} + /vite@5.4.21(@types/node@22.19.0): + resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true peerDependencies: @@ -19356,7 +19411,7 @@ packages: fsevents: 2.3.3 dev: false - /vitefu@0.2.5(vite@5.4.14): + /vitefu@0.2.5(vite@5.4.21): resolution: {integrity: sha512-SgHtMLoqaeeGnd2evZ849ZbACbnwQCIwRH57t18FxcXoZop0uQu0uzlIhJBlF/eWVzuce0sHeqPcDo+evVcg8Q==} peerDependencies: vite: ^3.0.0 || ^4.0.0 || ^5.0.0 @@ -19364,7 +19419,7 @@ packages: vite: optional: true dependencies: - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) /vitest@2.1.9: resolution: {integrity: sha512-MSmPM9REYqDGBI8439mA4mWhV5sKmDlBKWIYbA3lRb2PTHACE0mgKwA8yQ2xq9vxDTuk4iPrECBAEW2aoFXY0Q==} @@ -19408,7 +19463,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.14 vite-node: 2.1.9 why-is-node-running: 2.3.0 transitivePeerDependencies: @@ -19450,7 +19505,7 @@ packages: dependencies: '@types/node': 20.11.28 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.14) + '@vitest/mocker': 2.1.9(vite@5.4.21) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19466,7 +19521,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.14(@types/node@20.11.28) + vite: 5.4.21(@types/node@20.11.28) vite-node: 2.1.9(@types/node@20.11.28) why-is-node-running: 2.3.0 transitivePeerDependencies: 
@@ -19508,7 +19563,7 @@ packages: dependencies: '@types/node': 20.19.24 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.14) + '@vitest/mocker': 2.1.9(vite@5.4.21) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19525,7 +19580,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.14(@types/node@20.19.24) + vite: 5.4.21(@types/node@20.19.24) vite-node: 2.1.9(@types/node@20.19.24) why-is-node-running: 2.3.0 transitivePeerDependencies: @@ -19566,7 +19621,7 @@ packages: dependencies: '@types/node': 22.19.0 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.14) + '@vitest/mocker': 2.1.9(vite@5.4.21) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19582,7 +19637,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.14(@types/node@22.19.0) + vite: 5.4.21(@types/node@22.19.0) vite-node: 2.1.9(@types/node@22.19.0) why-is-node-running: 2.3.0 transitivePeerDependencies: diff --git a/sites/example-project/package.json b/sites/example-project/package.json index 82a8d8b930..a9c12362a0 100644 --- a/sites/example-project/package.json +++ b/sites/example-project/package.json @@ -62,7 +62,7 @@ "postcss-load-config": "^4.0.1", "svelte-preprocess": "^5.1.3", "tailwindcss": "3.4.18", - "vite": "5.4.14", + "vite": "5.4.21", "vitest": "^2.1.9" } -} +} \ No newline at end of file From cbdb78a0bd1b82ec9b7842c14d11ad5bc0969356 Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 11:03:01 -0600 Subject: [PATCH 5/7] chore(deps): override js-yaml to address CVE-2025-64718 --- package.json | 3 +- pnpm-lock.yaml | 129 ++++++++++++++++++++++++++++++++++++------------- 2 files changed, 97 insertions(+), 35 deletions(-) diff --git a/package.json b/package.json index cd4581bd97..6656e347f7 100644 --- a/package.json +++ b/package.json 
@@ -118,7 +118,8 @@ "serialize-javascript": ">=6.0.2", "node-forge": ">=1.3.2", "glob@>=10.2.0 <11": "10.5.0", - "jws@>=3 <4": "3.2.3" + "jws@>=3 <4": "3.2.3", + "js-yaml@>=3 <3.14.2": "3.14.2" } }, "packageManager": "pnpm@8.15.9+sha512.499434c9d8fdd1a2794ebf4552b3b25c0a633abcee5bb15e7b5de90f32f47b513aca98cd5cfd001c31f0db454bc3804edccd578501e4ca293a6816166bbd9f81" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index defc730e0f..7a619d30d3 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -21,6 +21,7 @@ overrides: node-forge: '>=1.3.2' glob@>=10.2.0 <11: 10.5.0 jws@>=3 <4: 3.2.3 + js-yaml@>=3 <3.14.2: 3.14.2 importers: @@ -3519,14 +3520,14 @@ packages: resolution: {integrity: sha512-127JKNd167ayAuBjUggZBkmDS5fIKsthnr9jr6bdnuUljroiERW7FBTDNnNVyJ4l69PzR57pk6mXQdtJyBCJKg==} dependencies: '@changesets/types': 5.2.1 - js-yaml: 3.14.1 + js-yaml: 3.14.2 dev: true /@changesets/parse@0.4.1: resolution: {integrity: sha512-iwksMs5Bf/wUItfcg+OXrEpravm5rEd9Bf4oyIPL4kVTmJQ7PNDSd6MDYkpSJR1pn7tz/k8Zf2DhTCqX08Ou+Q==} dependencies: '@changesets/types': 6.1.0 - js-yaml: 3.14.1 + js-yaml: 3.14.2 dev: true /@changesets/pre@1.0.14: @@ -4602,7 +4603,7 @@ packages: camelcase: 5.3.1 find-up: 4.1.0 get-package-type: 0.1.0 - js-yaml: 3.14.1 + js-yaml: 3.14.2 resolve-from: 5.0.0 dev: true 
@@ -9045,24 +9046,7 @@ packages: '@vitest/spy': 2.1.9 estree-walker: 3.0.3 magic-string: 0.30.21 - vite: 5.4.14 - dev: true - - /@vitest/mocker@2.1.9(vite@5.4.21): - resolution: {integrity: sha512-tVL6uJgoUdi6icpxmdrn5YNo3g3Dxv+IHJBr0GXHaEdTcw3F+cPKnsXFhli6nO+f/6SDKPHEK1UN+k+TQv0Ehg==} - peerDependencies: - msw: ^2.4.9 - vite: ^5.0.0 - peerDependenciesMeta: - msw: - optional: true - vite: - optional: true - dependencies: - '@vitest/spy': 2.1.9 - estree-walker: 3.0.3 - magic-string: 0.30.21 - vite: 5.4.21(@types/node@20.11.28) + vite: 5.4.14(@types/node@20.11.28) /@vitest/pretty-format@2.0.5: resolution: {integrity: sha512-h8k+1oWHfwTkyTkb9egzwNMfJAEx4veaPSnMeKbVSjp4euqGSbQlm5+6VHwTr7u4FJslVVsUG5nopCaAYdOmSQ==} @@ -14324,8 +14308,8 @@ packages: /js-tokens@4.0.0: resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==} - /js-yaml@3.14.1: - resolution: {integrity: sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==} + /js-yaml@3.14.2: + resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==} hasBin: true dependencies: argparse: 1.0.10 @@ -14723,7 +14707,7 @@ packages: engines: {node: '>=6'} dependencies: graceful-fs: 4.2.11 - js-yaml: 3.14.1 + js-yaml: 3.14.2 pify: 4.0.1 strip-bom: 3.0.0 dev: true @@ -16812,7 +16796,7 @@ packages: engines: {node: '>=6'} dependencies: graceful-fs: 4.2.11 - js-yaml: 3.14.1 + js-yaml: 3.14.2 pify: 4.0.1 strip-bom: 3.0.0 dev: true @@ -19258,7 +19242,7 @@ packages: - terser dev: false - /vite@5.4.14: + /vite@5.4.14(@types/node@20.11.28): resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} engines: {node: ^18.0.0 || >=20.0.0} hasBin: true 
@@ -19289,12 +19273,89 @@ packages: terser: optional: true dependencies: + '@types/node': 20.11.28 esbuild: 0.25.12 postcss: 8.5.6 rollup: 4.52.5 optionalDependencies: fsevents: 2.3.3 - dev: true + + /vite@5.4.14(@types/node@20.19.24): + resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + peerDependencies: + '@types/node': ^18.0.0 || >=20.0.0 + less: '*' + lightningcss: ^1.21.0 + sass: '*' + sass-embedded: '*' + stylus: '*' + sugarss: '*' + terser: ^5.4.0 + peerDependenciesMeta: + '@types/node': + optional: true + less: + optional: true + lightningcss: + optional: true + sass: + optional: true + sass-embedded: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + dependencies: + '@types/node': 20.19.24 + esbuild: 0.25.12 + postcss: 8.5.6 + rollup: 4.52.5 + optionalDependencies: + fsevents: 2.3.3 + + /vite@5.4.14(@types/node@22.19.0): + resolution: {integrity: sha512-EK5cY7Q1D8JNhSaPKVK4pwBFvaTmZxEnoKXLG/U9gmdDcihQGNzFlgIvaxezFR4glP1LsuiedwMBqCXH3wZccA==} + engines: {node: ^18.0.0 || >=20.0.0} + hasBin: true + peerDependencies: + '@types/node': ^18.0.0 || >=20.0.0 + less: '*' + lightningcss: ^1.21.0 + sass: '*' + sass-embedded: '*' + stylus: '*' + sugarss: '*' + terser: ^5.4.0 + peerDependenciesMeta: + '@types/node': + optional: true + less: + optional: true + lightningcss: + optional: true + sass: + optional: true + sass-embedded: + optional: true + stylus: + optional: true + sugarss: + optional: true + terser: + optional: true + dependencies: + '@types/node': 22.19.0 + esbuild: 0.25.12 + postcss: 8.5.6 + rollup: 4.52.5 + optionalDependencies: + fsevents: 2.3.3 + dev: false /vite@5.4.21(@types/node@20.11.28): resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==} 
@@ -19463,7 +19524,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.14 + vite: 5.4.14(@types/node@20.11.28) vite-node: 2.1.9 why-is-node-running: 2.3.0 transitivePeerDependencies: @@ -19505,7 +19566,7 @@ packages: dependencies: '@types/node': 20.11.28 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.21) + '@vitest/mocker': 2.1.9(vite@5.4.14) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19521,7 +19582,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.21(@types/node@20.11.28) + vite: 5.4.14(@types/node@20.11.28) vite-node: 2.1.9(@types/node@20.11.28) why-is-node-running: 2.3.0 transitivePeerDependencies: @@ -19563,7 +19624,7 @@ packages: dependencies: '@types/node': 20.19.24 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.21) + '@vitest/mocker': 2.1.9(vite@5.4.14) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19580,7 +19641,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.21(@types/node@20.19.24) + vite: 5.4.14(@types/node@20.19.24) vite-node: 2.1.9(@types/node@20.19.24) why-is-node-running: 2.3.0 transitivePeerDependencies: @@ -19621,7 +19682,7 @@ packages: dependencies: '@types/node': 22.19.0 '@vitest/expect': 2.1.9 - '@vitest/mocker': 2.1.9(vite@5.4.21) + '@vitest/mocker': 2.1.9(vite@5.4.14) '@vitest/pretty-format': 2.1.9 '@vitest/runner': 2.1.9 '@vitest/snapshot': 2.1.9 @@ -19637,7 +19698,7 @@ packages: tinyexec: 0.3.2 tinypool: 1.1.1 tinyrainbow: 1.2.0 - vite: 5.4.21(@types/node@22.19.0) + vite: 5.4.14(@types/node@22.19.0) vite-node: 2.1.9(@types/node@22.19.0) why-is-node-running: 2.3.0 transitivePeerDependencies: From aff6f859d0cef56c4306da4122aa3a7f07d814d7 Mon Sep 17 00:00:00 2001 
From: Zachary Stence Date: Mon, 15 Dec 2025 11:07:04 -0600 Subject: [PATCH 6/7] chore: changeset --- .changeset/stale-boxes-push.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .changeset/stale-boxes-push.md diff --git a/.changeset/stale-boxes-push.md b/.changeset/stale-boxes-push.md new file mode 100644 index 0000000000..98ad828f1d --- /dev/null +++ b/.changeset/stale-boxes-push.md @@ -0,0 +1,8 @@ +--- +'@evidence-dev/evidence': patch +'@evidence-dev/sdk': patch +'@evidence-dev/core-components': patch +'@evidence-dev/components': patch +--- + +Package updates for CVEs. See https://github.com/evidence-dev/evidence/pull/3253 From 7d15dbf63ccd9fa516a553ad1f2ef708a176ac76 Mon Sep 17 00:00:00 2001 From: Zachary Stence Date: Mon, 15 Dec 2025 11:12:36 -0600 Subject: [PATCH 7/7] chore: format --- packages/datasources/duckdb/CHANGELOG.md | 2 -- packages/lib/db-commons/CHANGELOG.md | 2 -- packages/lib/universal-sql/CHANGELOG.md | 2 -- packages/ui/core-components/CHANGELOG.md | 3 --- 4 files changed, 9 deletions(-) diff --git a/packages/datasources/duckdb/CHANGELOG.md b/packages/datasources/duckdb/CHANGELOG.md index 248bfc9cb1..8705e96dc9 100644 --- a/packages/datasources/duckdb/CHANGELOG.md +++ b/packages/datasources/duckdb/CHANGELOG.md @@ -5,12 +5,10 @@ ### Major Changes - b28f63f23: Update DuckDB to latest packages: - - Switch to @duckdb/node-api from duckdb-async - Update duckdb-wasm to latest release This release also has small data fixes across several packages: - - Better handling of NULL values when discovering column types - Fix batch processing of parquet files - Fix error with temporary parquet files when reloading data in dev environment diff --git a/packages/lib/db-commons/CHANGELOG.md b/packages/lib/db-commons/CHANGELOG.md index 7fa87e8a85..8a8dbce3ea 100644 --- a/packages/lib/db-commons/CHANGELOG.md +++ b/packages/lib/db-commons/CHANGELOG.md 
@@ -5,12 +5,10 @@ ### Minor Changes - b28f63f23: Update DuckDB to latest packages: - - Switch to @duckdb/node-api from duckdb-async - Update duckdb-wasm to latest release This release also has small data fixes across several packages: - - Better handling of NULL values when discovering column types - Fix batch processing of parquet files - Fix error with temporary parquet files when reloading data in dev environment diff --git a/packages/lib/universal-sql/CHANGELOG.md b/packages/lib/universal-sql/CHANGELOG.md index 23f7ce5df6..7dbd86bfef 100644 --- a/packages/lib/universal-sql/CHANGELOG.md +++ b/packages/lib/universal-sql/CHANGELOG.md @@ -5,12 +5,10 @@ ### Major Changes - b28f63f23: Update DuckDB to latest packages: - - Switch to @duckdb/node-api from duckdb-async - Update duckdb-wasm to latest release This release also has small data fixes across several packages: - - Better handling of NULL values when discovering column types - Fix batch processing of parquet files - Fix error with temporary parquet files when reloading data in dev environment diff --git a/packages/ui/core-components/CHANGELOG.md b/packages/ui/core-components/CHANGELOG.md index eb71a60d4f..d0bea78e41 100644 --- a/packages/ui/core-components/CHANGELOG.md +++ b/packages/ui/core-components/CHANGELOG.md @@ -5,12 +5,10 @@ ### Minor Changes - b28f63f23: Update DuckDB to latest packages: - - Switch to @duckdb/node-api from duckdb-async - Update duckdb-wasm to latest release This release also has small data fixes across several packages: - - Better handling of NULL values when discovering column types - Fix batch processing of parquet files - Fix error with temporary parquet files when reloading data in dev environment 
@@ -27,7 +25,6 @@ - 6d2782e64: Fixed base path not being applied to data file (parquet) URLs. This resolves an issue where applications deployed with a base path would fail to load data files, resulting in 404 errors. The fix restores the dependency injection pattern for the `addBasePath` function in `setParquetURLs`, ensuring that base paths are correctly applied to all data requests in both monorepo and published package environments. - - @evidence-dev/component-utilities@4.0.10 - @evidence-dev/tailwind@3.1.1