security(deps): resolve 7 open dependabot alerts#1326
Merged
Conversation
Bumps transitive/direct dependencies to patched versions: - tar override >=7.5.11 -> >=7.5.16 (GHSA-vmf3-w455-68vh, #287) - form-data override >=4.0.4 -> >=4.0.6 (GHSA-hmw2-7cc7-3qxx, #286) - vite 7 override -> >=7.3.5 <8 (GHSA-fx2h-pf6j-xcff #282, GHSA-v6wh-96g9-6wx3 #285) - @opentelemetry/core override added >=2.8.0 (GHSA-8988-4f7v-96qf, #281) - astro direct dep ^6.1.10 -> ^6.4.6, resolves 6.4.8 (GHSA-2pvr-wf23-7pc7 #283, GHSA-jrpj-wcv7-9fh9 #284) esbuild #279 is already resolved by the existing >=0.28.1 override and will auto-close on the next scan. The vite override is bounded to <8 so astro's vite ^7.3.2 requirement is honored (an unbounded >=7.3.5 pulled vite 8.x). Verified website build (astro 6.4.8 / vite 7.3.5), full build, build:sea, and test suite (188/188) all pass.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Codecov Results 📊✅ Patch coverage is 100.00%. Project has 678 uncovered lines. Coverage diff@@ Coverage Diff @@
## main #PR +/-##
==========================================
+ Coverage 57.62% 57.62% —%
==========================================
Files 49 49 —
Lines 1602 1602 —
Branches 1153 1153 —
==========================================
+ Hits 924 924 —
- Misses 678 678 —
- Partials 123 123 —Generated by Codecov Action |
BYK
added a commit
that referenced
this pull request
Jun 23, 2026
## Summary Fixes the flaky **E2E UI Tests** failure on `attachments.e2e.test.ts` (the "should display attachments from fixture directory" test timed out with an empty body in PR #1326's CI run, passing only on re-run). ## Root cause Every test in the file asserted `body.textContent() !== ""` by reading `textContent()` **once**, right after the `<body>` element attached. In an SPA the body shell exists before React's first paint, so this races the initial render with **no auto-retry**. The passing tests incidentally got settle time (the `sendTestEnvelope` fixture sleeps 500ms, or `waitForTimeout(1000)`); the failing test sends no envelope, so it had no slack and flaked under CI load. ## Fix - Add a web-first `waitForAppReady(page)` helper in `fixtures.ts` that asserts the navigation sidebar (`nav[aria-label="Navigation"]`) is visible. The sidebar (`TelemetrySidebar`) renders **unconditionally** once the app mounts, independent of telemetry data, so Playwright's auto-retrying `toBeVisible()` eliminates the render race. - Replace the fragile one-shot `body.textContent()` checks throughout `attachments.e2e.test.ts` with `waitForAppReady(page)`. This is also a **stronger** assertion: if the UI crashed into the `ErrorBoundary` fallback (which renders no nav), these tests now correctly fail instead of passing on non-empty body text. ## Verification - Lint (biome) + TypeScript check pass on the changed files. -⚠️ I could not run the Playwright UI suite locally — this environment couldn't download the chromium browser (CDN download stalled/retried repeatedly). CI has browsers preinstalled and is the exact environment where the flake occurred; I'll confirm stability by running the E2E UI job here (including re-runs).
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the 7 actionable open Dependabot alerts by upgrading transitive and direct dependencies to their patched versions. All are dev/build-time or server-runtime deps.
esbuild#279 is already resolved by the existing>=0.28.1override (merged in #1323) and will auto-close on the next scan.Changes
taroverride>=7.5.11→>=7.5.16form-dataoverride>=4.0.4→>=4.0.6vite7 override>=7.0.0 <7.3.2:>=7.3.2→>=7.0.0 <7.3.5:>=7.3.5 <8@opentelemetry/coreoverride>=2.8.0astrodirect dep^6.1.10→^6.4.6(resolves 6.4.8)Notes
vite@^7.3.2requirement is honored — an unbounded>=7.3.5incorrectly pulled vite 8.x (a major jump).launch-editor(the real root cause behind the vite-flagged meta(changelog): Update package versions #285) is already at the patched 2.14.1 onmain; the vite bump covers the alert.@opentelemetry/core@2.8.0is forced while @sentry/node's other otel packages stay at 2.2.0 — compatible within OTel's 2.x semver line; verified via build + bundle + tests.Verification
pnpm --filter @spotlightjs/website build✓ (astro 6.4.8 / vite 7.3.5)pnpm build(full turbo build) ✓pnpm --filter @spotlightjs/spotlight build:sea✓ (bundles @sentry/node / otel core 2.8.0)