deps(node): upgrade ws transitive dependency to fix CVE-2026-45736 #7634

matthewelwell wants to merge 6 commits into
Conversation
Code Review
This pull request updates several frontend dependencies, upgrading Rspack-related packages (@rspack/cli, @rspack/core, @rspack/dev-server, and @rspack/plugin-react-refresh) to version ^2.0.0 and webpack-bundle-analyzer to version ^5.0.0. It also updates the local Rspack configuration to import ReactRefreshRspackPlugin as ReactRefreshPlugin to align with the upgraded plugin version. There are no review comments to address.
sass-loader@16 declared @rspack/core peer as "0.x || 1.x"; v17 adds "^2.0.0-0", allowing npm ci to resolve cleanly without --legacy-peer-deps.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The previous lock file was generated with npm 11 and --legacy-peer-deps, which caused npm ci (used in CI) to fail because peer-dependent packages such as @testing-library/dom were missing from the lock file. Regenerated with npm@10.9.3 (matching CI) and without --legacy-peer-deps.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sass-loader@17 uses await import('sass') instead of require('sass'),
so it needs a sass version with proper ESM named exports. sass@1.54.8
is CJS-only and exposes info on module.default rather than the module
namespace, causing sass-loader@17 to throw Unknown Sass implementation.
Upgraded sass from 1.54.8 to ^1.80.0 (which has ESM exports) to fix
this. sass-loader@17 is required because @16 declares rspack/core peer
as "0.x || 1.x" which causes ERESOLVE against rspack@2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…atform bindings

The previous lock file was generated on macOS and only included darwin-arm64 bindings for @rspack/binding. This caused Docker and Vercel builds to fail with "Cannot find module '@rspack/binding-linux-arm64-gnu'". Regenerated using a linux node:22 Docker container so all 10 platform bindings are included (darwin-arm64, darwin-x64, linux-arm64-gnu, linux-arm64-musl, linux-x64-gnu, linux-x64-musl, wasm32-wasi, win32-arm64-msvc, win32-ia32-msvc, win32-x64-msvc).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Previous lock file was generated on macOS with the existing node_modules present, so npm 10 only wrote resolved/integrity for the ~22 packages that changed — the rest had no checksums, causing a spuriously large deletion diff vs main (+1,150 -6,987). Regenerated in a clean linux node:22 Docker container using npm 11 (no pre-existing node_modules or lock file) so all 1,741 packages have resolved/integrity hashes and all 10 platform bindings are included.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/gemini review
Code Review
This pull request updates several frontend dependencies in package.json, including upgrading @rspack packages to version ^2.0.0, sass to ^1.80.0, sass-loader to ^17.0.0, and webpack-bundle-analyzer to ^5.0.0. It also updates frontend/rspack/rspack.config.local.js to import ReactRefreshRspackPlugin as ReactRefreshPlugin from @rspack/plugin-react-refresh to accommodate the major version upgrade. There are no review comments, and I have no additional feedback to provide.
One thing still broke for me: npm run dev crashes on startup with

    TypeError: app.get is not a function
        at setupRoutes (api/dev-routes.js:6:7)
        at setupMiddlewares (rspack/rspack.config.local.js:17:35)

@rspack/dev-server v2 hands setupMiddlewares a connect app by default rather than an Express one, so app.get(...) in api/dev-routes.js (shared with the prod api/index.js) blows up. Giving the dev server an explicit Express app fixes it:

    const express = require('express')

    module.exports = {
      // ...
      devServer: {
        // Hand the dev server an Express app instead of the default connect app
        app: async () => express(),
        setupMiddlewares: (middlewares, devServer) => {
          // devServer.app is the Express instance created by `app` above
          require('../api/dev-routes')(devServer.app)
          return middlewares
        },
        ...
      }
    }

With that change: npm ci clean, npm run dev starts with 0 errors (/health and /config/project-overrides both 200, bundle compiles), and ENV=prod npm run bundle compiles + emits CSS fine. Happy to push the one-line fix to your branch if that's easier — just let me know.
Changes
Fixes the Dependabot alert for CVE-2026-45736 — uninitialized memory disclosure in ws when a TypedArray is passed as the close reason. The fix requires ws >= 8.20.1. ws is a transitive dependency, so the upgrade required unblocking the packages that constrained it:

- webpack-bundle-analyzer ^4.5.0 → ^5.0.0 — v4 depended on ws@^7.x; v5 uses ws@^8.19.0, consistent with the rest of the build toolchain.
- @rspack/cli, @rspack/core, @rspack/dev-server, @rspack/plugin-react-refresh ^1.x → ^2.0.0 — rspack v1's CLI pinned @rspack/dev-server@~1.1.5, which depended on ws@^8.18.0 and was locked at 8.20.0 (vulnerable). rspack v2 dropped the bundled dev-server dependency entirely, removing that ws consumer. No override was required.
- sass-loader 16.0.1 → ^17.0.0 — sass-loader@16 declares @rspack/core as an optional peer for "0.x || 1.x" only; npm 10 in strict mode raises ERESOLVE against rspack v2. v17 adds "^2.0.0-0" to the peer range, resolving the conflict.
- sass 1.54.8 → ^1.80.0 — sass-loader@17 switched from require("sass") to await import("sass"). sass@1.54.8 is pure CJS, so dynamic import returns info on module.default rather than as a named export, causing sass-loader@17 to throw Unknown Sass implementation. sass@1.80.0+ ships proper ESM named exports, including info at the top level.
- rspack/rspack.config.local.js — @rspack/plugin-react-refresh v2 changed from a default export to a named export (ReactRefreshRspackPlugin); updated the import accordingly.

After the upgrade, the only ws instances in the tree are ws@8.21.0 (from storybook and webpack-bundle-analyzer@5), and npm audit reports no ws vulnerabilities.

How did you test this code?

- npm ls ws to confirm all ws instances are at 8.21.0.
- npm audit to confirm no ws vulnerabilities remain.
- npm install (npm 10.9.3, matching CI, without --legacy-peer-deps) to confirm clean peer dep resolution.
- npm run bundle to confirm the production build compiles successfully.
- node -e "require('./rspack/rspack.config.*.js')".
- @rspack/core APIs (CssExtractRspackPlugin, DefinePlugin, HtmlRspackPlugin, IgnorePlugin) are present in v2.
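The test checklist above leans on npm ls ws and npm audit, and the lockfile commits earlier in the thread describe two further ways a lockfile can be wrong (entries missing resolved/integrity, and a native binding present for only one platform). The script below is an added example, not code from this PR or its repository: it audits a package-lock.json directly for all three conditions, so the same check can run in CI before npm ci. It assumes a lockfileVersion 2 or 3 lockfile whose packages map is keyed by install path, takes the fixed version 8.20.1 from the PR description, and uses @rspack/binding- as the binding prefix; the SAMPLE_LOCK it runs against is constructed for the example and is not the PR's real lockfile.

```javascript
'use strict';
// Added example, not code from this PR: audit a package-lock.json for
// (1) copies of a package older than an advisory's fixed version, (2) entries
// with no resolved/integrity for npm ci to verify, (3) which optional platform
// bindings of a native package are present. Assumes lockfileVersion 2 or 3,
// where `packages` maps install paths ("node_modules/a/node_modules/ws") to
// entries carrying version / resolved / integrity.

// Parse "major.minor.patch[-prerelease]"; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v || '');
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease sorts below
// its release (8.20.1-0 < 8.20.1); prerelease tags are compared as plain
// strings, which suffices for a minimum-version check but is not full semver.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparsable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every installed copy of `name`, including nested copies (the ones npm ls
// also lists); the install path is the lockfile key, so match its last segment.
function findInstances(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, e]) => ({ path, version: e.version, resolved: e.resolved, integrity: e.integrity }));
}

// Copies of `name` older than the version the advisory says is fixed.
function vulnerableInstances(lock, name, fixedVersion) {
  return findInstances(lock, name).filter(i => compareVersions(i.version, fixedVersion) < 0);
}

// Registry packages missing resolved or integrity: npm ci has nothing to verify
// against, which is the state the lockfile regeneration commit describes.
function unpinnedEntries(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path !== '' && !e.link && !(e.resolved && e.integrity))
    .map(([path]) => path);
}

// Optional per-platform packages of a native binding present in the lockfile,
// e.g. everything installed under node_modules/@rspack/binding-*.
function platformBindings(lock, prefix) {
  const top = 'node_modules/';
  return Object.keys(lock.packages || {})
    .filter(p => p.startsWith(top + prefix))
    .map(p => p.slice(top.length))
    .sort();
}

function auditLock(lock, opts = {}) {
  const { name = 'ws', fixedVersion = '8.20.1', bindingPrefix = '@rspack/binding-' } = opts;
  return {
    vulnerable: vulnerableInstances(lock, name, fixedVersion).map(i => `${i.path}@${i.version}`),
    unpinned: unpinnedEntries(lock),
    bindings: platformBindings(lock, bindingPrefix),
  };
}

// Constructed sample lockfile (not the PR's real one): a fixed hoisted ws, two
// older nested copies, one entry lacking integrity, and two platform bindings.
const REG = 'https://registry.npmjs.org';
const SAMPLE_LOCK = {
  name: 'frontend',
  lockfileVersion: 3,
  packages: {
    '': { name: 'frontend', dependencies: { 'webpack-bundle-analyzer': '^4.5.0' } },
    'node_modules/ws': { version: '8.21.0', resolved: `${REG}/ws/-/ws-8.21.0.tgz`, integrity: 'sha512-constructed1' },
    'node_modules/webpack-bundle-analyzer': { version: '4.10.2', resolved: `${REG}/webpack-bundle-analyzer/-/webpack-bundle-analyzer-4.10.2.tgz`, integrity: 'sha512-constructed2' },
    'node_modules/webpack-bundle-analyzer/node_modules/ws': { version: '7.5.10', resolved: `${REG}/ws/-/ws-7.5.10.tgz`, integrity: 'sha512-constructed3' },
    'node_modules/@rspack/dev-server': { version: '1.1.5', resolved: `${REG}/@rspack/dev-server/-/dev-server-1.1.5.tgz`, integrity: 'sha512-constructed4' },
    'node_modules/@rspack/dev-server/node_modules/ws': { version: '8.20.0', resolved: `${REG}/ws/-/ws-8.20.0.tgz` },
    'node_modules/@rspack/binding': { version: '2.0.0', resolved: `${REG}/@rspack/binding/-/binding-2.0.0.tgz`, integrity: 'sha512-constructed5' },
    'node_modules/@rspack/binding-darwin-arm64': { version: '2.0.0', optional: true, resolved: `${REG}/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.0.tgz`, integrity: 'sha512-constructed6' },
    'node_modules/@rspack/binding-linux-x64-gnu': { version: '2.0.0', optional: true, resolved: `${REG}/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.0.tgz`, integrity: 'sha512-constructed7' },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; with a real lockfile
// the process exits 1 on findings so it can gate CI. Without an argument it
// reports on SAMPLE_LOCK.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const report = auditLock(lock);
  console.log(JSON.stringify(report, null, 2));
  if (file) process.exitCode = report.vulnerable.length || report.unpinned.length ? 1 : 0;
}
```

On the sample, the report flags both nested ws copies (7.5.10 under webpack-bundle-analyzer and 8.20.0 under @rspack/dev-server, matching the two consumers the PR had to unblock), lists the dev-server copy as unpinned because it has no integrity field, and shows only two bindings, which is the shape of lockfile that broke the Docker and Vercel builds in the earlier commit. Comparing against the lockfile is stricter than npm ls, which reads node_modules and therefore reflects whatever was installed locally rather than what npm ci will install.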