⬆️ 升级依赖并修复 pnpm audit 安全警告#1576
Open
cyfung1031 wants to merge 4 commits into
Open
Conversation
# Conflicts: # pnpm-lock.yaml
- sockjs 由 `github:` 简写改为 codeload tarball URL。pnpm 会把简写解析成 git+ssh (git@github.com:) 地址,在无 SSH key 的 CI runner 上克隆失败导致 安装步骤挂掉、后续 Lint/测试/E2E 全部连带失败。tarball 走 HTTPS,无需鉴权。 - 移除 `fast-xml-parser@5.7.0>fast-xml-builder` 覆盖:实际解析父版本为 5.9.3, 该键从不匹配(且目标 1.1.7 比自然解析的 1.2.1 更旧),属失效且反效果的空规则。
Member
|
已把 1. 合并 main / 解决冲突
2. 修复 CI 安装失败(原先 Lint/测试/E2E 全红)
3. 移除失效的 override
本地验证: 仍需关注 —— FOSSA License Compliance(1 issue)这条是本 PR 新引入的( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Checklist / 检查清单
Description / 描述
背景
pnpm audit报告多个直接依赖和传递依赖安全警告。部分问题已有补丁版本,部分修复尚未由上游依赖正式发布,因此本 PR 在避免大版本工具链迁移的前提下,精确更新或覆盖受影响依赖。变更内容
dompurify、fast-xml-parser、uuid、postcss、vitest和@vitest/coverage-v8。pnpm-workspace.yaml中使用带父依赖版本的精确overrides,更新受影响的构建、开发服务器、测试及配置解析依赖。webpack-dev-server@5.2.5使用的sockjs固定到上游提交c239289d8cd85647aff064337d81073f0e4e080a。该提交改用crypto.randomUUID(),避免继续引入受影响的uuid@8。minimumReleaseAge: 10080和现有的happy-dompatch。风险控制
验证建议
同时可通过以下命令确认关键传递依赖已按预期解析:
Screenshots / 截图
无界面变更。