Bump dependencies to fix Dependabot security alerts by nlathia · Pull Request #3 · gradientlabs-ai/gradientlabs-nodejs

nlathia · 2026-06-17T15:21:16Z

Summary

This PR upgrades dev dependencies to address all open Dependabot security alerts.

Alert #	Severity	Package	Summary	Fixed In Version
7	Medium	vite	launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows	6.4.3
6	High	vite	`server.fs.deny` bypass on Windows alternate paths	6.4.3
4	Low	esbuild	esbuild allows arbitrary file read when running the development server on Windows	0.28.1
3	Critical	vitest	When Vitest UI server is listening, arbitrary file can be read and executed	3.2.6
2	Medium	vite	Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling	6.4.2
1	Medium	esbuild	esbuild enables any website to send any requests to the development server and read the response	0.25.0

Changes made:

Upgraded vitest from ^2.0.0 to ^3.2.6 — this pulls in vite@7.3.5 (well above the patched 6.4.3), resolving alerts 2, 6, and 7
Added overrides.esbuild: ">=0.28.1" to force esbuild to 0.28.1, resolving alerts 1 and 4 (alert 3 was already resolved by the vitest upgrade)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Bump dependencies to fix Dependabot security alerts

edfc0ed

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

nlathia requested review from a team as code owners June 17, 2026 15:21

gmtuca approved these changes Jun 17, 2026

View reviewed changes

nlathia merged commit c39cdf2 into main Jun 17, 2026
2 checks passed

nlathia deleted the fix/security-vulnerabilities branch June 17, 2026 16:36