Skip to content

chore(deps): remove stray npm lockfile pinning vulnerable vitest 3.2.4#1945

Open
kparkinson-ld wants to merge 2 commits into
mainfrom
devin/1783988098-remove-stray-npm-lockfile
Open

chore(deps): remove stray npm lockfile pinning vulnerable vitest 3.2.4#1945
kparkinson-ld wants to merge 2 commits into
mainfrom
devin/1783988098-remove-stray-npm-lockfile

Conversation

@kparkinson-ld

@kparkinson-ld kparkinson-ld commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

Resolves the critical Dependabot alert for vitest (< 3.2.6) in this repo.

The repo is pnpm-managed (packageManager: pnpm@11.0.1; pnpm-lock.yaml already resolves vitest@4.1.8, and root package.json declares vitest: ^4.1.8). The tracked package-lock.json was a stale npm lockfile that was out of sync with the pnpm workspace and still pinned vitest@3.2.4 (< patched 3.2.6), which is what triggered the alert. Nothing (CI, scripts, packageManager) uses it.

This file was already removed once in #1678 (chore: remove npm lockfile) but later reappeared. This PR removes it again and adds package-lock.json to .gitignore to prevent recurrence.

 .gitignore        |     1 +
 package-lock.json | 18267 ----------------------------------------------------

Screenshots (if appropriate):

N/A — tooling/dependency change, no runtime or UI impact.

Testing approaches

No functional change. The active toolchain (pnpm + pnpm-lock.yaml) already uses vitest@4.1.8, so tests/build are unaffected by removing the unused npm lockfile. CI (pnpm-based verify.yml) validates.

Link to Devin session: https://app.devin.ai/sessions/91d8c10355aa49d1811295b1c02b703b
Requested by: @kparkinson-ld


Note

Low Risk
Tooling-only lockfile and ignore-list change; no application code, auth, or runtime behavior is affected.

Overview
Clears a Dependabot alert on vulnerable vitest (< 3.2.6) by dropping a stale, tracked package-lock.json that pinned vitest@3.2.4 while the repo actually runs on pnpm (packageManager: pnpm@11.0.1, pnpm-lock.yaml with vitest@4.1.8).

Adds package-lock.json to .gitignore so an npm lockfile is less likely to be committed again after a prior removal in #1678.

Reviewed by Cursor Bugbot for commit aa3dfaf. Bugbot is set up for automated code reviews on this repo. Configure here.

The repo is pnpm-managed (packageManager pnpm@11.0.1, pnpm-lock.yaml has vitest 4.1.8). The tracked package-lock.json was a stale npm lockfile (removed in #1678, reappeared) pinning vitest 3.2.4, which triggered a critical Dependabot alert (patched in 3.2.6). Remove it and gitignore it to prevent recurrence.
@kparkinson-ld kparkinson-ld self-assigned this Jul 14, 2026
@devin-ai-integration

Copy link
Copy Markdown
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@changeset-bot

changeset-bot Bot commented Jul 14, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: aa3dfaf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@devin-ai-integration devin-ai-integration Bot requested review from a team July 14, 2026 01:27
@kparkinson-ld kparkinson-ld marked this pull request as ready for review July 16, 2026 03:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant