Skip to content

chore(deps): upgrade deps to fix vulns#76

Merged
son-oz merged 1 commit into
mainfrom
security/fix-vulns
Jun 26, 2026
Merged

chore(deps): upgrade deps to fix vulns#76
son-oz merged 1 commit into
mainfrom
security/fix-vulns

Conversation

@son-oz

@son-oz son-oz commented Jun 26, 2026

Copy link
Copy Markdown

Run npm audit fix for semver-safe updates and bump eslint-config-next 14.0.0 → ^15.5.18 to align with Next.js 15 and drop the outdated @typescript-eslint toolchain.

Resolved (15 of 18):

Critical:

High:

Moderate:

Not fixed (3 moderate, no fix available — accepted):

  • postcss <8.5.10 bundled inside next / @next/third-parties (GHSA-qx2v-qp2m-jg93). No stable next release fixes this (next 16 still bundles postcss 8.4.31 and forces a React 19 major). Build-time only, not runtime-exploitable for this app; revisit when next ships a patched postcss.

Verified: npm run lint and npm run build pass; audit reports 0 high/critical.

@son-oz son-oz merged commit 9fac0ae into main Jun 26, 2026
10 checks passed
@son-oz son-oz deleted the security/fix-vulns branch June 26, 2026 15:10
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 26, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant