chore: refresh dependency security fixes #1170

Closed
ahliweb wants to merge 2 commits into emdash-cms:main from ahliweb:chore/security-dependency-refresh
Contributor

@ahliweb ahliweb commented May 25, 2026

What does this PR do?

Refresh the upstream dependency catalog and lockfile to clear the current Dependabot alerts at the source repository.

Scope

  • Bump the shared Astro/Vite catalog line to the patched releases used by the mirror.
  • Update the direct package owners that were still resolving vulnerable families:
    • @emdash-cms/admin
    • @emdash-cms/auth-atproto
    • @emdash-cms/cloudflare
    • @emdash-cms/blocks-playground
    • @emdash-cms/plugin-embeds
    • @emdash-cms/plugin-forms
    • @emdash-cms/marketplace
    • docs
    • infra/cache-demo
    • infra/perf-monitor
    • root tooling (@changesets/cli, simple-git, js-yaml, qs, hono, @hono/node-server)
  • Keep emdash-latest/ exact in the mirror; this PR is the source-of-truth fix upstream.

Verification

  • pnpm install --lockfile-only
  • pnpm install
  • pnpm why astro
  • pnpm why vite
  • pnpm why hono
  • pnpm why @hono/node-server
  • pnpm why simple-git
  • pnpm why js-yaml
  • pnpm lint:json still reports pre-existing TypeScript lint issues unrelated to this dependency refresh.

Closes #1169

Type of change

  • Bug fix
  • Feature (requires maintainer-approved Discussion)
  • Refactor (no behavior change)
  • Translation
  • Documentation
  • Performance improvement
  • Tests
  • Chore (dependencies, CI, tooling)

Checklist

  • I have read CONTRIBUTING.md
  • pnpm typecheck passes
  • pnpm lint passes
  • pnpm test passes (or targeted tests for my change)
  • pnpm format has been run
  • I have added/updated tests for my changes (if applicable)
  • User-visible strings in the admin UI are wrapped for translation (if applicable). Do not include messages.po changes except in translation PRs — a workflow extracts catalogs on merge to main.
  • I have added a changeset (if this PR changes a published package)
  • New features link to an approved Discussion: https://github.com/emdash-cms/emdash/discussions/...

AI-generated code disclosure

  • This PR includes AI-generated code — model/tool: GPT-5.4-mini via OpenCode API
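
The verification list above checks each package with `pnpm why`, but a workspace lockfile can still carry an older copy next to the patched one. This added example (not part of the PR or the emdash repository) scans a constructed `pnpm-lock.yaml` excerpt, assumed to use the lockfile v9 layout, and reports every resolved version below a floor; the floors in `PLACEHOLDER_FLOORS` and all function names are hypothetical.

```javascript
// Added example: constructed lockfile excerpt and placeholder version floors.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
packages:
  '@hono/node-server@1.0.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  '@hono/node-server@1.2.0':
    resolution: {integrity: sha512-CONSTRUCTED}
  hono@4.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  js-yaml@4.1.0:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  hono@4.0.0: {}
`;
const PLACEHOLDER_FLOORS = { hono: "4.0.1", "@hono/node-server": "1.1.0", "js-yaml": "4.1.0" };

// Map each package name to the set of versions listed under "packages:".
// Entries sit at two-space indent as name@version: (scoped names are quoted).
function resolvedVersions(lockText) {
  const found = new Map();
  let inPackages = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { inPackages = line.startsWith("packages:"); continue; }
    if (!inPackages) continue;
    const m = /^ {2}'?((?:@[^@\/\s]+\/)?[^@\s']+)@(\d+\.\d+\.\d+[^'(:\s]*)'?:/.exec(line);
    if (!m) continue;
    if (!found.has(m[1])) found.set(m[1], new Set());
    found.get(m[1]).add(m[2]);
  }
  return found;
}

// Numeric major.minor.patch comparison; pre-release tags are ignored (simplification).
function isBelow(version, floor) {
  const a = version.split(/[.+-]/).slice(0, 3).map(Number);
  const b = floor.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Return every name@version still resolved below its floor, sorted.
function staleResolutions(lockText, floors) {
  const stale = [];
  const versions = resolvedVersions(lockText);
  for (const [name, floor] of Object.entries(floors))
    for (const v of versions.get(name) ?? [])
      if (isBelow(v, floor)) stale.push(`${name}@${v}`);
  return stale.sort();
}
```

An empty result from `staleResolutions` means no listed package resolves below its floor anywhere in the lockfile, including copies pulled in transitively by another workspace package.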


changeset-bot Bot commented May 25, 2026

🦋 Changeset detected

Latest commit: 21a76fe

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@github-actions
Contributor

Scope check

This PR changes 2,465 lines across 14 files. Large PRs are harder to review and more likely to be closed without review.
This PR spans 5 different areas (area/core, area/admin, area/plugins, area/docs, area/cloudflare). Consider breaking it into smaller, focused PRs.

If this scope is intentional, no action needed. A maintainer will review it. If not, please consider splitting this into smaller PRs.

See CONTRIBUTING.md for contribution guidelines.


pkg-pr-new Bot commented May 25, 2026

@emdash-cms/admin

npm i https://pkg.pr.new/@emdash-cms/admin@1170

@emdash-cms/auth

npm i https://pkg.pr.new/@emdash-cms/auth@1170

@emdash-cms/blocks

npm i https://pkg.pr.new/@emdash-cms/blocks@1170

@emdash-cms/cloudflare

npm i https://pkg.pr.new/@emdash-cms/cloudflare@1170

emdash

npm i https://pkg.pr.new/emdash@1170

create-emdash

npm i https://pkg.pr.new/create-emdash@1170

@emdash-cms/gutenberg-to-portable-text

npm i https://pkg.pr.new/@emdash-cms/gutenberg-to-portable-text@1170

@emdash-cms/x402

npm i https://pkg.pr.new/@emdash-cms/x402@1170

@emdash-cms/plugin-ai-moderation

npm i https://pkg.pr.new/@emdash-cms/plugin-ai-moderation@1170

@emdash-cms/plugin-atproto

npm i https://pkg.pr.new/@emdash-cms/plugin-atproto@1170

@emdash-cms/plugin-audit-log

npm i https://pkg.pr.new/@emdash-cms/plugin-audit-log@1170

@emdash-cms/plugin-color

npm i https://pkg.pr.new/@emdash-cms/plugin-color@1170

@emdash-cms/plugin-embeds

npm i https://pkg.pr.new/@emdash-cms/plugin-embeds@1170

@emdash-cms/plugin-forms

npm i https://pkg.pr.new/@emdash-cms/plugin-forms@1170

@emdash-cms/plugin-webhook-notifier

npm i https://pkg.pr.new/@emdash-cms/plugin-webhook-notifier@1170

commit: 21a76fe

@github-actions
Contributor

Overlapping PRs

This PR modifies files that are also changed by other open PRs:

This may cause merge conflicts or duplicated work. A maintainer will coordinate.

@github-actions github-actions Bot mentioned this pull request May 25, 2026
@ahliweb ahliweb marked this pull request as draft May 26, 2026 16:18
Contributor Author

ahliweb commented May 27, 2026

Closed because the fix has been implemented externally.

@ahliweb ahliweb closed this May 27, 2026
Development

Successfully merging this pull request may close these issues.

chore: refresh dependency versions to close Dependabot alerts
