chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides
Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0. Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core, range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6). Major migrations with no code changes (API-audited): fastify 4 to 5 across server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1), vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities. Suites green: contracts 29, server 599, coder 589, control 175, ion 104.
This commit is contained in:
@@ -2,6 +2,10 @@
|
||||
|
||||
All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` - the slug describes what shipped, so the tag name alone is enough to recall the batch.
|
||||
|
||||
## v2.8.31-dep-security - 2026-06-21
|
||||
|
||||
Clears all 27 dependency advisories flagged against the tree, taking `pnpm audit` to zero known vulnerabilities. Direct in-range bumps cover `ws` to 8.21.0, `vitest` to 3.2.6 (the critical UI-server advisory), and `js-yaml` to 4.2.0; root `pnpm.overrides` patch the transitive offenders no direct bump reaches (`hono`, `undici`, `qs`, `fast-uri`, `react-router`/`react-router-dom`, `@babel/core`, and a range-scoped `esbuild`). Two major migrations land with no code changes after an API audit: Fastify 4 to 5 across all four backend apps (`apps/server`, `apps/coder`, `apps/control`, `apps/booterm`) with `@fastify/websocket` 10 to 11 and `@fastify/static` 7 to 9.1.1 (v9 dodges two path-traversal advisories that v8 reintroduced), and Vite 5 to 6 with `@vitejs/plugin-react` 4.7 in `apps/web`. A global `vite` override pulls vitest onto Vite 6 as well, eliminating the last vulnerable `vite@5.4.21` and `esbuild@0.21.5` copies; vitest stays on 3.x so the documented Vite/vitest pin is unaffected. The WS handlers already used the flat `(socket, req)` signature v11 expects and no removed Fastify-5 APIs were in use, so only `package.json` files and the lockfile changed. All suites green: contracts 29, server 599, coder 589, control 175, ion 104, with web and every backend typecheck/build clean.
|
||||
|
||||
## v2.8.30-main-sync - 2026-06-17
|
||||
|
||||
Snapshot tag for the current `main` line after the recent cross-app integration work. Carries the BooControl fleet cockpit (`apps/control` plus the `/control` web surface), provider/inference reshaping across BooCoder and BooChat, boocontext-oriented guidance and skill updates, web workspace/API cleanup, and the `docs/how-to-build-a-coding-agent/` example project. Also removes the stale `.codesight/` cache from version control. This tag is a synchronization checkpoint rather than a single feature slice; see the commit history around `1f32bb0` for the exact file-level batch.
|
||||
|
||||
@@ -11,8 +11,8 @@
|
||||
"start": "node dist/index.js"
|
||||
},
|
||||
"dependencies": {
|
||||
"@fastify/websocket": "^10.0.1",
|
||||
"fastify": "^4.28.1",
|
||||
"@fastify/websocket": "^11.0.0",
|
||||
"fastify": "^5.8.3",
|
||||
"node-pty": "^1.0.0",
|
||||
"pg": "^8.13.0",
|
||||
"zod": "^3.23.8"
|
||||
|
||||
@@ -17,12 +17,12 @@
|
||||
"@agentclientprotocol/sdk": "^0.22.1",
|
||||
"@anthropic-ai/claude-agent-sdk": "^0.3.159",
|
||||
"@boocode/server": "workspace:*",
|
||||
"@fastify/websocket": "^10.0.1",
|
||||
"@fastify/websocket": "^11.0.0",
|
||||
"@modelcontextprotocol/sdk": "^1.29.0",
|
||||
"@opencode-ai/sdk": "~1.15.0",
|
||||
"fastify": "^4.28.1",
|
||||
"fastify": "^5.8.3",
|
||||
"postgres": "^3.4.4",
|
||||
"ws": "^8.18.0",
|
||||
"ws": "^8.21.0",
|
||||
"zod": "^3.23.8"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -30,7 +30,7 @@
|
||||
"@types/ws": "^8.5.10",
|
||||
"tsx": "^4.16.2",
|
||||
"typescript": "^5.5.0",
|
||||
"vitest": "^3.0.0"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
@@ -13,13 +13,13 @@
|
||||
},
|
||||
"dependencies": {
|
||||
"@boocode/contracts": "workspace:*",
|
||||
"@fastify/websocket": "^10.0.1",
|
||||
"@fastify/websocket": "^11.0.0",
|
||||
"ajv": "^8.20.0",
|
||||
"ajv-formats": "^3.0.1",
|
||||
"fastify": "^4.28.1",
|
||||
"js-yaml": "^4.1.1",
|
||||
"fastify": "^5.8.3",
|
||||
"js-yaml": "^4.2.0",
|
||||
"postgres": "^3.4.4",
|
||||
"ws": "^8.18.0",
|
||||
"ws": "^8.21.0",
|
||||
"zod": "^3.23.8"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -28,7 +28,7 @@
|
||||
"@types/ws": "^8.5.10",
|
||||
"tsx": "^4.16.2",
|
||||
"typescript": "^5.5.0",
|
||||
"vitest": "^3.0.0"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
@@ -89,14 +89,14 @@
|
||||
"@ai-sdk/deepseek": "^2.0.35",
|
||||
"@ai-sdk/openai-compatible": "^2.0.47",
|
||||
"@boocode/contracts": "workspace:*",
|
||||
"@fastify/static": "^7.0.4",
|
||||
"@fastify/websocket": "^10.0.1",
|
||||
"@fastify/static": "^9.1.1",
|
||||
"@fastify/websocket": "^11.0.0",
|
||||
"@modelcontextprotocol/sdk": "^1.29.0",
|
||||
"ai": "^6.0.190",
|
||||
"fastify": "^4.28.1",
|
||||
"fastify": "^5.8.3",
|
||||
"node-html-markdown": "^1.3.0",
|
||||
"postgres": "^3.4.4",
|
||||
"ws": "^8.18.0",
|
||||
"ws": "^8.21.0",
|
||||
"zod": "^3.23.8"
|
||||
},
|
||||
"devDependencies": {
|
||||
@@ -104,7 +104,7 @@
|
||||
"@types/ws": "^8.5.10",
|
||||
"tsx": "^4.16.2",
|
||||
"typescript": "^5.5.0",
|
||||
"vitest": "^3.2.4"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
@@ -43,13 +43,13 @@
|
||||
"@types/node": "^20.14.10",
|
||||
"@types/react": "^18.3.3",
|
||||
"@types/react-dom": "^18.3.0",
|
||||
"@vitejs/plugin-react": "^4.3.1",
|
||||
"@vitejs/plugin-react": "^4.7.0",
|
||||
"jsdom": "^29.1.1",
|
||||
"shadcn": "^4.7.0",
|
||||
"tailwindcss": "^4.3.0",
|
||||
"typescript": "^5.5.0",
|
||||
"vite": "^5.3.4",
|
||||
"vitest": "^3.2.4"
|
||||
"vite": "^6.4.3",
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
14
package.json
14
package.json
@@ -14,5 +14,19 @@
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"better-sqlite3": "^11.10.0"
|
||||
},
|
||||
"pnpm": {
|
||||
"overrides": {
|
||||
"hono@<4.12.25": "^4.12.25",
|
||||
"undici@<7.28.0": "^7.28.0",
|
||||
"qs@<6.15.2": "^6.15.2",
|
||||
"fast-uri@<3.1.2": "^3.1.2",
|
||||
"js-yaml@<4.2.0": "^4.2.0",
|
||||
"react-router@<6.30.4": "^6.30.4",
|
||||
"react-router-dom@<6.30.4": "^6.30.4",
|
||||
"@babel/core@<7.29.6": "^7.29.6",
|
||||
"esbuild@>=0.27.0 <0.28.1": "^0.28.1",
|
||||
"vite@<6.4.3": "^6.4.3"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@
|
||||
},
|
||||
"devDependencies": {
|
||||
"typescript": "^5.5.0",
|
||||
"vitest": "^3.2.4"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@
|
||||
"@types/better-sqlite3": "^7.6.12",
|
||||
"@types/js-yaml": "^4.0.9",
|
||||
"typescript": "^5.5.0",
|
||||
"vitest": "^3.2.4"
|
||||
"vitest": "^3.2.6"
|
||||
},
|
||||
"license": "MIT"
|
||||
}
|
||||
|
||||
1540
pnpm-lock.yaml
generated
1540
pnpm-lock.yaml
generated
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user