chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides

Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0.
Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core,
range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6).
Major migrations with no code changes (API-audited): fastify 4 to 5 across
server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1),
vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities.
Suites green: contracts 29, server 599, coder 589, control 175, ion 104.
2026-06-21 14:06:35 +00:00
parent 8bd32537cf
commit 046ed38734
10 changed files with 834 additions and 766 deletions

@@ -2,6 +2,10 @@
All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` - the slug describes what shipped, so the tag name alone is enough to recall the batch.
## v2.8.31-dep-security - 2026-06-21
Clears all 27 dependency advisories flagged against the tree, taking `pnpm audit` to zero known vulnerabilities. Direct in-range bumps cover `ws` to 8.21.0, `vitest` to 3.2.6 (the critical UI-server advisory), and `js-yaml` to 4.2.0; root `pnpm.overrides` patch the transitive offenders no direct bump reaches (`hono`, `undici`, `qs`, `fast-uri`, `react-router`/`react-router-dom`, `@babel/core`, and a range-scoped `esbuild`). Two major migrations land with no code changes after an API audit: Fastify 4 to 5 across all four backend apps (`apps/server`, `apps/coder`, `apps/control`, `apps/booterm`) with `@fastify/websocket` 10 to 11 and `@fastify/static` 7 to 9.1.1 (v9 dodges two path-traversal advisories that v8 reintroduced), and Vite 5 to 6 with `@vitejs/plugin-react` 4.7 in `apps/web`. A global `vite` override pulls vitest onto Vite 6 as well, eliminating the last vulnerable `vite@5.4.21` and `esbuild@0.21.5` copies; vitest stays on 3.x so the documented Vite/vitest pin is unaffected. The WS handlers already used the flat `(socket, req)` signature v11 expects and no removed Fastify-5 APIs were in use, so only `package.json` files and the lockfile changed. All suites green: contracts 29, server 599, coder 589, control 175, ion 104, with web and every backend typecheck/build clean.
## v2.8.30-main-sync - 2026-06-17
Snapshot tag for the current `main` line after the recent cross-app integration work. Carries the BooControl fleet cockpit (`apps/control` plus the `/control` web surface), provider/inference reshaping across BooCoder and BooChat, boocontext-oriented guidance and skill updates, web workspace/API cleanup, and the `docs/how-to-build-a-coding-agent/` example project. Also removes the stale `.codesight/` cache from version control. This tag is a synchronization checkpoint rather than a single feature slice; see the commit history around `1f32bb0` for the exact file-level batch.
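
Review bot: The v2.8.31-dep-security entry lists green suites for contracts, server, coder, control and ion only, yet `apps/booterm` takes the Fastify 4 to 5 migration and `apps/web` takes Vite 5 to 6; for those two the entry offers typecheck/build at most. Please state what runtime coverage exists for `apps/booterm` and `apps/web` (or say explicitly that there is none), since "no code changes after an API audit" on a major bump is the claim most in need of evidence. The entry also cites "all 27 advisories", "the critical UI-server advisory" and "two path-traversal advisories" without a single advisory identifier, and it names the overridden packages without the versions or ranges they are pinned to. Adding the identifiers and the override targets, plus a removal condition for the global `vite` override, would let a later reader verify the fix and know when each root `pnpm.overrides` entry can be dropped.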