chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides

Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0.
Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core,
range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6).
Major migrations with no code changes (API-audited): fastify 4 to 5 across
server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1),
vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities.
Suites green: contracts 29, server 599, coder 589, control 175, ion 104.

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` - the slug describes what shipped, so the tag name alone is enough to recall the batch.
 
+## v2.8.31-dep-security - 2026-06-21
+
+Clears all 27 dependency advisories flagged against the tree, taking `pnpm audit` to zero known vulnerabilities. Direct in-range bumps cover `ws` to 8.21.0, `vitest` to 3.2.6 (the critical UI-server advisory), and `js-yaml` to 4.2.0; root `pnpm.overrides` patch the transitive offenders no direct bump reaches (`hono`, `undici`, `qs`, `fast-uri`, `react-router`/`react-router-dom`, `@babel/core`, and a range-scoped `esbuild`). Two major migrations land with no code changes after an API audit: Fastify 4 to 5 across all four backend apps (`apps/server`, `apps/coder`, `apps/control`, `apps/booterm`) with `@fastify/websocket` 10 to 11 and `@fastify/static` 7 to 9.1.1 (v9 dodges two path-traversal advisories that v8 reintroduced), and Vite 5 to 6 with `@vitejs/plugin-react` 4.7 in `apps/web`. A global `vite` override pulls vitest onto Vite 6 as well, eliminating the last vulnerable `vite@5.4.21` and `esbuild@0.21.5` copies; vitest stays on 3.x so the documented Vite/vitest pin is unaffected. The WS handlers already used the flat `(socket, req)` signature v11 expects and no removed Fastify-5 APIs were in use, so only `package.json` files and the lockfile changed. All suites green: contracts 29, server 599, coder 589, control 175, ion 104, with web and every backend typecheck/build clean.
+
 ## v2.8.30-main-sync - 2026-06-17
 
 Snapshot tag for the current `main` line after the recent cross-app integration work. Carries the BooControl fleet cockpit (`apps/control` plus the `/control` web surface), provider/inference reshaping across BooCoder and BooChat, boocontext-oriented guidance and skill updates, web workspace/API cleanup, and the `docs/how-to-build-a-coding-agent/` example project. Also removes the stale `.codesight/` cache from version control. This tag is a synchronization checkpoint rather than a single feature slice; see the commit history around `1f32bb0` for the exact file-level batch.

apps/booterm/package.json

@@ -11,8 +11,8 @@
     "start": "node dist/index.js"
   },
   "dependencies": {
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
     "node-pty": "^1.0.0",
     "pg": "^8.13.0",
     "zod": "^3.23.8"

apps/coder/package.json

@@ -17,12 +17,12 @@
     "@agentclientprotocol/sdk": "^0.22.1",
     "@anthropic-ai/claude-agent-sdk": "^0.3.159",
     "@boocode/server": "workspace:*",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@opencode-ai/sdk": "~1.15.0",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -30,7 +30,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.0.0"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }

apps/control/package.json

@@ -13,13 +13,13 @@
   },
   "dependencies": {
     "@boocode/contracts": "workspace:*",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
     "ajv": "^8.20.0",
     "ajv-formats": "^3.0.1",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
-    "js-yaml": "^4.1.1",
+    "js-yaml": "^4.2.0",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -28,7 +28,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.0.0"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }

apps/server/package.json

@@ -89,14 +89,14 @@
     "@ai-sdk/deepseek": "^2.0.35",
     "@ai-sdk/openai-compatible": "^2.0.47",
     "@boocode/contracts": "workspace:*",
-    "@fastify/static": "^7.0.4",
+    "@fastify/static": "^9.1.1",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "ai": "^6.0.190",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
     "node-html-markdown": "^1.3.0",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -104,7 +104,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }

apps/web/package.json

@@ -43,13 +43,13 @@
     "@types/node": "^20.14.10",
     "@types/react": "^18.3.3",
     "@types/react-dom": "^18.3.0",
-    "@vitejs/plugin-react": "^4.3.1",
+    "@vitejs/plugin-react": "^4.7.0",
     "jsdom": "^29.1.1",
     "shadcn": "^4.7.0",
     "tailwindcss": "^4.3.0",
     "typescript": "^5.5.0",
-    "vite": "^5.3.4",
+    "vite": "^6.4.3",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }

package.json

@@ -14,5 +14,19 @@
   "license": "MIT",
   "dependencies": {
     "better-sqlite3": "^11.10.0"
+  },
+  "pnpm": {
+    "overrides": {
+      "hono@<4.12.25": "^4.12.25",
+      "undici@<7.28.0": "^7.28.0",
+      "qs@<6.15.2": "^6.15.2",
+      "fast-uri@<3.1.2": "^3.1.2",
+      "js-yaml@<4.2.0": "^4.2.0",
+      "react-router@<6.30.4": "^6.30.4",
+      "react-router-dom@<6.30.4": "^6.30.4",
+      "@babel/core@<7.29.6": "^7.29.6",
+      "esbuild@>=0.27.0 <0.28.1": "^0.28.1",
+      "vite@<6.4.3": "^6.4.3"
+    }
   }
 }

packages/contracts/package.json

@@ -52,7 +52,7 @@
   },
   "devDependencies": {
     "typescript": "^5.5.0",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }

packages/ion/package.json

@@ -52,7 +52,7 @@
     "@types/better-sqlite3": "^7.6.12",
     "@types/js-yaml": "^4.0.9",
     "typescript": "^5.5.0",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }