wu-sheng opened a new pull request, #45:
URL: https://github.com/apache/skywalking-horizon-ui/pull/45

   Resolves the Dependabot **critical** alert (3 instances: apps/ui, apps/bff, 
lockfile).
   
   ## Advisory
   - **GHSA-5xrq-8626-4rwp / CVE-2026-47429** — CVSS **9.8**
   - *When the Vitest UI server is listening, an arbitrary file can be read and 
executed.*
   - Affects `vitest < 4.1.0`; first patched in **4.1.0**.
   
   ## Fix
   - Bump `vitest` `^3.2.4` → `^4.1.0` in **apps/ui** and **apps/bff** 
(devDependency, test runner). Resolves to **4.1.8**; lockfile updated, all 
`@vitest/*` now 4.1.8, no 3.x copy remains.
   - **No Vite bump needed** — vitest 4 accepts Vite `^6`/`^7`/`^8` (we're on 
`^6.4.2`), and Node `>=22` satisfies its engine range.
   - Test config is CLI-driven (`--environment jsdom --root src/`), so there 
was nothing to migrate.
   
   ## Exposure note
   We never run `vitest --ui`, so `@vitest/ui` — the package that hosts the 
vulnerable server — was not installed before or after. The bump clears the 
version-range alert regardless.
   
   ## Validation
   - **85** UI unit tests · **80** BFF unit tests — pass on 4.1.8
   - UI (`vue-tsc`) + BFF (`tsc`) type-checks clean
   - license-eye 0 invalid


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to