Background
After #136 patched a batch of Dependabot advisories, 5 remained that cannot be fixed without breaking the docs build; they were dismissed for now as tolerable_risk:

| Alert | Package | Severity | Range | Note |
| --- | --- | --- | --- | --- |
| #79 | vite | high | ≤ 6.4.2 | server.fs.deny bypass (Windows) |
| #80 | vite | medium | ≤ 6.4.2 | launch-editor NTLM leak |
| #56 | vite | medium | ≤ 6.4.1 | Optimized Deps path traversal |
| #75 | esbuild | high | <0.28.1 | Only triggered when installed via Deno |
| #74 | esbuild | low | <0.28.1 | dev-server file read (Windows) |
Root cause: the transitive vite@5.x is pulled in by vitepress@1.6.4 (which pins vite ^5.4.14; @vitejs/plugin-vue@5.x also peer-requires vite ^5). The only vite patch is 6.4.3, which is incompatible — forcing it via override breaks docs:build. All these advisories are dev-server / build-tooling only and do not ship in the static output, so practical risk is low.
vitepress@2.0 is built on vite 6+, so upgrading will clear the transitive vite/esbuild chain. As of filing, vitepress 2.0 is still alpha (next: 2.0.0-alpha.x) and not suitable for the docs site yet.
TODO
- Wait for vitepress@2.0 to go stable (latest tag).
- Upgrade vitepress to 2.0 and bump vitepress-plugin-mermaid to a compatible release.
- Remove the pnpm.overrides from fix(deps): 补回丢失的 pnpm overrides 安全修复 #136 (patched versions will then resolve directly).
- Run pnpm docs:build + pnpm test, and confirm pnpm audit shows no transitive vite/esbuild advisories.
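The last step above, confirming that pnpm audit no longer reports vite/esbuild reached through vitepress, can be scripted so it runs as a CI gate after the upgrade. The script below is an added example and is not code from this issue, from vitepress or from pnpm. It assumes the npm-v6-style JSON report that pnpm audit --json emits (a top-level "advisories" object keyed by advisory id, each entry with "module_name", "severity" and "findings" whose "paths" look like "vitepress>vite"); the embedded sample report is constructed for illustration and is not real audit output.

```python
"""Flag transitive vite/esbuild advisories in `pnpm audit --json` output.

Added example, not from the issue or the vitepress/pnpm projects. Assumes
the npm-v6-style report shape pnpm emits: {"advisories": {id: {module_name,
severity, findings: [{version, paths: ["parent>child"]}]}}}. The sample
report below is constructed for illustration only.
"""
import json
import sys

# Packages we care about: the transitive toolchain deps the issue tracks.
WATCHED = {"vite", "esbuild"}

# Constructed sample: two transitive hits through vitepress, one direct
# advisory for an unrelated package that must NOT be flagged.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "1001": {
            "module_name": "vite",
            "severity": "high",
            "title": "constructed: server.fs.deny bypass",
            "findings": [{"version": "5.4.14", "paths": ["vitepress>vite"]}],
        },
        "1002": {
            "module_name": "esbuild",
            "severity": "low",
            "title": "constructed: dev-server file read",
            "findings": [{"version": "0.21.5",
                          "paths": ["vitepress>vite>esbuild"]}],
        },
        "1003": {
            "module_name": "lodash",
            "severity": "moderate",
            "title": "constructed: unrelated direct dependency",
            "findings": [{"version": "4.17.20", "paths": ["lodash"]}],
        },
    },
    "metadata": {"vulnerabilities": {"high": 1, "low": 1, "moderate": 1}},
})


def transitive_watched_advisories(report_json):
    """Return (advisory_id, module, severity, path) for every finding whose
    dependency path reaches a watched package through at least one parent.

    Direct dependencies (path without '>') are ignored: the issue is only
    about advisories pulled in transitively via vitepress.
    """
    report = json.loads(report_json)
    hits = []
    for adv_id, adv in report.get("advisories", {}).items():
        module = adv.get("module_name")
        if module not in WATCHED:
            continue
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                if ">" in path:  # a parent exists, so it is transitive
                    hits.append((adv_id, module, adv.get("severity"), path))
    return hits


def main(argv):
    # `-` reads a real report from stdin; otherwise the constructed sample runs.
    source = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_REPORT
    hits = transitive_watched_advisories(source)
    for adv_id, module, severity, path in hits:
        print(f"{adv_id}\t{module}\t{severity}\t{path}")
    # Non-zero exit lets CI fail while any transitive vite/esbuild advisory remains.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage after the vitepress 2.0 upgrade would be `pnpm audit --json | python check_transitive_audit.py -`; a zero exit means the chain the issue describes is gone, while a direct advisory for some other package is left for pnpm audit's own exit code to surface. Severity labels in the report follow npm's vocabulary ("moderate" rather than the "medium" Dependabot shows in the table above).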