fix: upgrade vulnerable direct dependencies #2820

Open
sonukapoor wants to merge 1 commit into solidjs:main from sonukapoor:fix/upgrade-vulnerable-direct-deps

Conversation

@sonukapoor


This upgrades four direct dependencies to their first safe versions, based on findings from the CVE Lite dependency audit introduced in PR #2819.

A scan of the current pnpm lockfile found 34 vulnerabilities - 3 critical, 16 high, 14 medium, 1 low. Four of those are direct dependencies with confirmed safe versions and copy-run fix commands.

vitest upgraded from 2.1.9 to 4.0.0 - critical severity, CVE in the 2.x series.

rollup in packages/solid-ssr upgraded from 4.56.0 to 4.59.0 - high severity finding in the 4.56.x range.

turbo upgraded from 1.13.4 to 2.9.14 - medium severity, addressing a known issue in the 1.x line.

@babel/core in packages/babel-preset-solid and packages/solid-ssr upgraded from 7.28.6 to 7.29.6 - low severity advisory.

All changes were applied via pnpm and the lockfile is updated accordingly. The remaining 30 findings are transitive - they cannot be fixed by upgrading solid's own direct deps and would require upstream changes in the affected dependency chains.
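The split the description relies on, findings on direct dependencies that a manifest bump can fix versus transitive ones that cannot, can be reproduced mechanically. The following is an added example, not code from this PR or the solidjs repository: it takes the `importers` section of a pnpm lockfile (constructed here, already parsed) plus constructed audit findings, and sorts them into the two buckets. The `pnpm --dir <path> update <pkg>@<version>` command form it emits is an assumption, not the audit tool's own output.

```javascript
// Triage dependency-audit findings against a pnpm workspace lockfile.
// A finding is "direct" if the package is listed under an importer in
// pnpm-lock.yaml (fixable from the project's own manifest); otherwise it is
// transitive. All data below is constructed for illustration.

// Constructed `importers` section of pnpm-lock.yaml, already parsed (e.g.
// with a YAML library). pnpm may append a peer-dependency suffix in
// parentheses to the resolved version; parseVersion() strips it.
const IMPORTERS = {
  ".": { vitest: "2.1.9(@types/node@20.11.0)", turbo: "1.13.4" },
  "packages/solid-ssr": { rollup: "4.56.0", "@babel/core": "7.28.6" },
};

// Constructed audit findings: affected range and first fixed version.
const FINDINGS = [
  { pkg: "vitest", range: ">=2.0.0 <4.0.0", fixed: "4.0.0" },
  { pkg: "rollup", range: ">=4.56.0 <4.59.0", fixed: "4.59.0" },
  { pkg: "minimatch", range: "<3.0.5", fixed: "3.0.5" }, // not a direct dep
];

// "4.56.0(peer@1.0.0)" -> [4, 56, 0]; prerelease tags are dropped as well.
function parseVersion(v) {
  return v.split("(")[0].split("-")[0].split(".").map(Number);
}

// Numeric, component-wise comparison; missing components count as 0.
function compare(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every space-separated comparator in `range` must hold for `version`.
function inRange(version, range) {
  const v = parseVersion(version);
  return range.split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>)(\d+(?:\.\d+)*)$/.exec(clause);
    if (!m) throw new Error(`unsupported comparator: ${clause}`);
    const c = compare(v, parseVersion(m[2]));
    return { "<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0 }[m[1]];
  });
}

// Returns { direct: { pkg: [{ importer, cmd }] }, transitive: [pkg] }.
// The fix command form is an assumption, not the audit tool's output.
function triage(importers, findings) {
  const direct = {}, transitive = [];
  for (const { pkg, range, fixed } of findings) {
    const hits = Object.entries(importers)
      .filter(([, deps]) => pkg in deps && inRange(deps[pkg], range))
      .map(([imp]) => ({ importer: imp, cmd: `pnpm --dir ${imp} update ${pkg}@${fixed}` }));
    if (hits.length) direct[pkg] = hits; else transitive.push(pkg);
  }
  return { direct, transitive };
}
```

Run against a real lockfile, replace `IMPORTERS` with the parsed `importers` map from `pnpm-lock.yaml`; packages that only appear under the top-level `packages:` section land in `transitive`.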

@changeset-bot

changeset-bot Bot commented Jul 3, 2026


⚠️ No Changeset found

Latest commit: e7806ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types