Commit
Dependency remediation: clear all critical/high vulnerabilities
Commit details
Commit notes
bun audit: 81 vulnerabilities (2 critical, 34 high) -> 5 (0 critical, 0 high, 3 moderate, 2 low).
- Add root overrides forcing patched transitive versions: protobufjs (RCE advisory), fast-xml-parser (entity-encoding bypass), devalue, ws, fast-uri, file-type, socket.io-parser. - Re-resolve stale lockfile entries that were pinning dozens of vulnerable transitive versions. - Update in-range direct deps: elysia 1.4.28, svelte 5.56.3, vite 7.3.5, @sveltejs/kit 2.64, drizzle-orm 0.45.2 (patch), @elysiajs/eden 1.4.9 aligned across workspaces. - Bump OpenTelemetry series 0.208 -> 0.217 (+ auto-instrumentations 0.75); telemetry init/shutdown smoke-tested. - Remove @ai-sdk/openai + ai from the root manifest (used only by the backend) and align the backend to the newer resolved versions, eliminating cross-workspace version skew. - Reformat 3 svelte files whose Prettier output changed with the toolchain bump.
Residual (documented, deliberate): nodemailer <8.0.4 (low/moderate advisories only; fix is a major bump), esbuild <=0.24.2 (dev-only chains: drizzle-kit, react-email, adapter-netlify), cookie <0.7.0 (pinned by @sveltejs/kit; overriding would break elysia's cookie 1.x).
Validated: 217 backend tests pass against live Postgres/Redis, tsc + biome clean, frontend svelte-check 0 errors, prettier/eslint clean, production builds of both workspaces succeed.
[private session redacted]
- Files changed
- 7
- Lines added
- +475
- Lines removed
- −605