
#3537135: Install updates to vulnerable UI dependencies

Output of npm audit fix:

added 179 packages, removed 51 packages, changed 331 packages, and audited 1549 packages in 17s

424 packages are looking for funding
  run `npm fund` for details

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vite@6.3.5, which is a breaking change
node_modules/vite/node_modules/esbuild
  vite  0.11.0 - 6.1.6
  Depends on vulnerable versions of esbuild
  node_modules/vite

2 moderate severity vulnerabilities

I went on to do npm audit fix --force, which already updates Vite to v6. The goal of the issue would be v7 (along with Storybook 9), but that presents some problems with importing WASM files from @swc/wasm-web and tailwindcss-in-browser. Before fixing those, let's land the updates targeting security vulnerabilities.
