1a2d2dd1e114105876e43a8200f528917d87218e
Brings pnpm audit to zero (was 47 going in this session). These three couldn't be cleanly bumped at the top level because they're transitive deps of dev tools we can't touch yet:

- vite@8.0.0 came in via vitest@4.1.5 (which is the latest vitest); fixes Vite ".../fs.deny" bypass + arbitrary file read via dev-server WebSocket (both high).
- Older esbuild dupes came via tsx, drizzle-kit, vite, etc.; fixes esbuild dev-server CORS-bypass advisory.
- Older postcss dupes came via postcss-import / postcss-js / postcss-nested / postcss-load-config (all transitive of tailwindcss 3); fixes the unescaped </style> XSS in stringify output.

`pnpm.overrides` syntax in package.json forces the version everywhere. Used an exact pin for vite (it's strict-pinned by vitest) and >= ranges for the other two.

Also rolled esbuild dev dep back to 0.27.7 to satisfy vitest's peer dep (vitest expects ^0.27.0; we'd briefly bumped to 0.28.0).

Tests: 1185/1185. pnpm audit: 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
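The override approach in the commit message above can be checked mechanically; the following is an added example, not code from this commit or repository. It flags resolved copies that still violate an override and lists overrides with no upper bound. Only the vite 8.0.0 pin and the esbuild 0.27.7 version come from the message; the `>=` floors, the other resolved versions and the function names are constructed for illustration.

```javascript
// Added example: verify that overrides hold for every resolved copy of a package.
// Supports the two spec forms the commit message uses: exact pin and ">=" floor.
const overrides = {
  vite: "8.0.0",       // exact pin (from the commit message)
  esbuild: ">=0.27.0", // constructed floor, not the commit's actual value
  postcss: ">=8.5.0",  // constructed floor, not the commit's actual value
};

// Constructed sample of resolved (name, version, parent) tuples, as one would
// extract from a lockfile. Two entries are deliberately stale duplicates.
const resolved = [
  { name: "vite", version: "8.0.0", via: "vitest" },
  { name: "esbuild", version: "0.27.7", via: "vitest" },
  { name: "esbuild", version: "0.21.5", via: "drizzle-kit" },
  { name: "postcss", version: "8.4.31", via: "postcss-nested" },
  { name: "postcss", version: "8.5.6", via: "tailwindcss" },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number); // pre-release tags are ignored in this sketch
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function satisfies(version, spec) {
  if (spec.startsWith(">=")) return compareVersions(version, spec.slice(2)) >= 0;
  return compareVersions(version, spec) === 0; // bare version means exact pin
}

// Every resolved copy that an override covers but does not satisfy.
function findViolations(overrideMap, tree) {
  return tree.filter(({ name, version }) =>
    name in overrideMap && !satisfies(version, overrideMap[name]));
}

// ">=" overrides have no ceiling, so a later install can resolve to a new major.
function unboundedOverrides(overrideMap) {
  return Object.keys(overrideMap).filter((n) => overrideMap[n].startsWith(">="));
}

for (const f of findViolations(overrides, resolved))
  console.log(`${f.name}@${f.version} (via ${f.via}) violates ${overrides[f.name]}`);
console.log("no upper bound:", unboundedOverrides(overrides).join(", "));
```
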