Fix vite security vulnerabilities (Dependabot #75, #76, #77)

[JSv4]

Summary

• Adds yarn resolution "vite": "^6.4.2" to force all transitive vite installations to 6.x
• Eliminates vulnerable vite 7.2.2 (pulled in by vitest 3.2.4 / vite-node 3.2.4)
• Resolves 3 Dependabot alerts: path traversal in .map handling (Corpus Import Needs More Guardrails  #77), arbitrary file read via WebSocket (Bump traefik from 2.9.6 to 2.9.8 in /compose/production/traefik #76), server.fs.deny bypass (Add GUI Elements to Filter on Metadata and Thumbnails for Docs #75)

Details

The direct vite dependency (^6.4.2 → 6.4.2) was never vulnerable — only the transitive copy resolved to 7.2.2 by vitest/vite-node's ^5 || ^6 || ^7 range. Since all consumers accept vite 6.x, the resolution deduplicates to a single safe 6.4.2 install.

Test plan

• TypeScript compiles clean (npx tsc --noEmit)
• Pre-commit hooks pass
• CI passes

[claude]

PR Review: Fix vite security vulnerabilities

Overall: Clean, correct security fix. Minimal diff, targeted approach. Using yarn resolutions to deduplicate the transitive vite install is the right call.

What's correct

• The resolutions entry forces all transitive consumers (vitest, vite-node, vite-tsconfig-paths) that accept ^5 || ^6 || ^7 to resolve to the safe 6.x tree.
• Lock file changes are consistent: the separate vite 7.2.2 stanza is removed and the alias "vite@^5.0.0 || ^6.0.0 || ^7.0.0-0" now points at 6.4.2. Exactly what you'd expect.
• The postcss and rollup alias consolidation is clean collateral deduplication — no functional change, just fewer redundant entries.

Minor concerns / things to verify

1. CI not yet green — The test plan marks CI as unchecked. This is a dependency version change with no source code edits, so the main failure mode would be a vitest/vite-node API incompatibility with vite 6.x. tsc --noEmit and pre-commit hooks passing is encouraging, but confirm the full yarn test:ct --reporter=list and yarn test:unit runs pass before merging.

2. Forward compatibility — The ^6.4.2 resolution holds as long as vitest/vite-node's peer dep stays ^5 || ^6 || ^7. If a future vitest update requires a vite 7-specific API (currently none), this resolution would need revisiting. Low risk now, worth watching.

3. Caret vs exact pin — ^6.4.2 in resolutions means yarn can upgrade to 6.5.x, 6.6.x, etc. on future installs. If you want a hard pin, use "6.4.2" (no caret). Not a blocker — just a style choice.

No issues with

• Security rationale: all three CVEs (path traversal in source map handling, arbitrary file read via WebSocket, server.fs.deny bypass) are eliminated correctly.
• CLAUDE.md compliance: no production code changed, no migrations, no new files.
• The diff is minimal and doesn't touch anything beyond what's necessary.

Verdict: Approve once CI is green. No blocking issues.

[claude]

PR Review: Fix vite security vulnerabilities

Thanks for addressing these Dependabot alerts. Security patches are important, and the lockfile changes confirm the vulnerable 7.2.2 is eliminated. A few concerns worth discussing before merging:

---

PR Description vs. Implementation Mismatch

The PR description and implementation don't match. The description states:

"Adds yarn resolution "vite": "^6.4.2" to force all transitive vite installations to 6.x"

But the actual package.json change bumps the direct vite dep from ^6.4.2 to ^7.3.2. There is no resolutions field added. The commit message is more accurate but the PR body should be corrected — reviewers will read the description to understand the change.

---

The Actual Fix Mechanism (and Why It's Fragile)

After the change, the lockfile shows two vite installs:

• Direct dep (vite@^7.3.2): resolves to 7.3.2 ✅ patched
• Transitive dep from vitest/vite-node ("vite@^5.0.0 || ^6.0.0 || ^7.0.0-0"): now resolves to 6.4.2 instead of 7.2.2

The transitive fix works because yarn v1 deduplicates the vitest range with vite@^6.3.6 (from vite-tsconfig-paths), landing on 6.4.2 since it satisfies both. This is implicit behavior — it's not enforced by a resolutions field. If vite-tsconfig-paths ever bumps its peer dep to ^7.x, yarn could re-resolve the vitest transitive dep back to a vulnerable version in a future yarn install.

A more explicit and durable fix would be to add a resolutions block in package.json:

"resolutions": {
  "vite": "^7.3.2"
}

This pins all vite installs regardless of transitive dep changes.

---

Major Version Bump (vite 6 → 7) — Testing Gap

The direct app dep going from 6.x to 7.x is a major version change. Vite 7 dropped some APIs and changed defaults. The PR checklist confirms TypeScript compiles and pre-commit passes, but doesn't confirm:

• yarn start (dev server) works without errors
• yarn build (production build) produces a valid artifact
• yarn test:unit passes (vitest now uses vite 6.4.2 internally vs. vite 7.3.2 for the app — any mismatch?)
• yarn test:ct --reporter=list passes (Playwright component tests)

What does the vite 7 migration guide say about breaking changes that might affect vite.config.ts, plugins (vite-plugin-svgr, vite-tsconfig-paths), or the current proxy setup for /graphql, /ws, /api?

---

Inconsistent vite Versions at Runtime

After this PR, vitest runs against vite 6.4.2 while the dev/prod build uses vite 7.3.2. This split is uncommon and could lead to subtle differences between test behavior and production behavior, particularly around module resolution, HMR, and plugin behavior.

---

Summary

	Status
Vulnerable 7.2.2 eliminated	✅
Direct dep patched to 7.3.2	✅
PR description accurate	❌ Misleading
Transitive fix is durable	⚠️ Implicit (no resolutions field)
App-level build/test validation	⚠️ Not confirmed
CI passing	⏳ Pending

Recommend either: (a) add a resolutions field and keep direct dep at ^6.4.2 for stability, or (b) keep the upgrade to 7.x but document vite 7 migration compatibility explicitly and confirm build + test suite passes on CI.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!