wu-sheng opened a new pull request, #45: URL: https://github.com/apache/skywalking-horizon-ui/pull/45
Resolves the Dependabot **critical** alert (3 instances: apps/ui, apps/bff, lockfile). ## Advisory - **GHSA-5xrq-8626-4rwp / CVE-2026-47429** — CVSS **9.8** - *When the Vitest UI server is listening, an arbitrary file can be read and executed.* - Affects `vitest < 4.1.0`; first patched in **4.1.0**. ## Fix - Bump `vitest` `^3.2.4` → `^4.1.0` in **apps/ui** and **apps/bff** (devDependency, test runner). Resolves to **4.1.8**; lockfile updated, all `@vitest/*` now 4.1.8, no 3.x copy remains. - **No Vite bump needed** — vitest 4 accepts Vite `^6`/`^7`/`^8` (we're on `^6.4.2`), and Node `>=22` satisfies its engine range. - Test config is CLI-driven (`--environment jsdom --root src/`), so there was nothing to migrate. ## Exposure note We never run `vitest --ui`, so `@vitest/ui` — the package that hosts the vulnerable server — was not installed before or after. The bump clears the version-range alert regardless. ## Validation - **85** UI unit tests · **80** BFF unit tests — pass on 4.1.8 - UI (`vue-tsc`) + BFF (`tsc`) type-checks clean - license-eye 0 invalid -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
