chore(deps): consolidate JS dependency upgrades (security + maintenance)#12559

Merged: mekarpeles merged 10 commits into master from deps/js-security-consolidation on May 4, 2026

Conversation

mekarpeles (Member) commented May 3, 2026

Summary

Consolidates 11 open Renovate PRs into a single tested and verified upgrade. All packages were installed and tested in Docker (full OL stack on port 8080 with OL_MOUNT_DIR mount) before opening this PR.


🔴 Security upgrades

| Package | Before | After | CVE / Notes | Closes |
|---|---|---|---|---|
| lodash | 4.17.21 | 4.18.1 | Security release | #11795 |
| qs (override) | 6.5.3 | 6.14.1 | Security release | #11641 |
| svgo | 2.3.1 | 4 | CVE-2026-29074 (DoS via entity expansion / billion laughs) | #12010 |
| vite | 8.0.3 | 8.0.5 (lock) | Security release | #12305 |

lodash — Named method imports only; all stable 4.x APIs. Risk: low.

qs — Transitive dep via overrides["@ericblade/quagga2"], not imported directly. Risk: low.

svgo 2.3.1 → 4 — Fixes CVE-2026-29074. Required config migration: extendDefaultPlugins() removed in v3, replaced with preset-default + overrides in conf/svgo.config.js. Re-ran npm run svg-min; re-optimized SVG output included. Build-time only. Risk: medium.

vite — Lock-only patch, build-time only. Risk: very low.


🔧 Maintenance upgrades

| Package | Before | After | Notes | Closes |
|---|---|---|---|---|
| tesseract.js | 4.1.1 | 4.1.4 | Patch; used in BarcodeScanner | #10975 |
| @vitejs/plugin-vue | 6.0.5 | 6.0.6 | Lock-only patch; build tool | #12447 |
| @babel/eslint-parser | 7.24.7 | 7.28.6 | Lock-only minor; lint tool | #12200 |
| mini-css-extract-plugin | 2.9.2 | 2.10.2 | Lock-only minor; webpack plugin | #11126 |
| @babel/preset-env | 7.24.7 | 7.29.3 | Lock-only minor; transpiler | #12560 |
| css-loader | 7.1.2 | 7.1.4 | Lock-only patch; webpack plugin | #12561 |
| diff | 4.0.2 | 4.0.4 | Patch; utility lib | #12563 |

All maintenance packages are dev/build tools not shipped to browsers. Risk: very low.


Testing

All packages installed in Docker and verified:

```sh
npm install      # clean resolution, all versions confirmed in lockfile
make js          # webpack compiled successfully
npm run svg-min  # all SVGs processed without error
npm run test:js
```

Jest results: 20 test suites, 388 tests passed, 0 failures.

HTTP check: App serves 200 on / and /search?q=test after JS rebuild.

Checklist

  • All packages install cleanly
  • JS bundle builds (make js)
  • SVG optimization runs (npm run svg-min)
  • App serves HTTP 200 after rebuild
  • 388 Jest tests passing, 0 failures
  • CI passing

References

Closes #11795, #11641, #12010, #12305, #10975, #12447, #12200, #11126, #12560, #12561, #12563

mekarpeles added 4 commits May 3, 2026 13:39
Used via named method imports (debounce, chunk, orderBy, groupBy, uniq,
uniqBy, fromPairs) — all stable 4.x APIs unchanged in this release.
…1641)

Transitive dep via @ericblade/quagga2 override — not imported directly.
Fixes CVE-2026-29074 (DoS via entity expansion in DOCTYPE, billion laughs).

API migration: extendDefaultPlugins() removed in v3. Replaced with
preset-default plugin + overrides map in conf/svgo.config.js.

Re-ran npm run svg-min with the new version; SVG output included.
Verified: `make js` builds cleanly, svg-min processes all static SVGs.
…[SECURITY]

Lockfile update covering all four security dep upgrades in this batch.
Vite resolved to 8.0.5 (was 8.0.3) — lock-only bump, closes #12305.

Copilot AI (Contributor) left a comment

Pull request overview

This PR consolidates multiple JS security dependency upgrades (lodash, qs override, svgo, vite lock) and re-optimizes the repo’s SVG assets using the updated SVGO configuration.

Changes:

  • Bump lodash to 4.18.1, svgo to v4, and qs (override) to 6.14.1 in package.json.
  • Migrate SVGO config to SVGO v4’s preset-default + overrides structure.
  • Re-run SVG optimization across static/images/** (many SVG diffs).

Reviewed changes

Copilot reviewed 2 out of 56 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| static/images/twitter.svg | Re-optimized SVG output via SVGO v4 |
| static/images/tweet.svg | Re-optimized SVG output via SVGO v4 |
| static/images/search-icon.svg | Re-optimized SVG output via SVGO v4 |
| static/images/pinterest.svg | Re-optimized SVG output via SVGO v4 |
| static/images/openlibrary-icon.svg | Re-optimized SVG output via SVGO v4 |
| static/images/onboarding/reading_goal.svg | Re-optimized SVG output via SVGO v4 (also removed attribution comment) |
| static/images/nav-arrow.svg | Re-optimized SVG output via SVGO v4 |
| static/images/language-icon.svg | Re-optimized SVG output via SVGO v4 |
| static/images/identifier_icons/wikidata.svg | Re-optimized SVG output via SVGO v4 |
| static/images/identifier_icons/google_scholar.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/share.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/right-chevron.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/reviews.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/read aloud.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/open-book.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/octicon-link-external-24.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/notes.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/icon_slick-arrow-right.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/icon_search-inside.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/icon_eye-open.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/icon_eye-closed.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/icon_check-circle.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/down-chevron.svg | Re-optimized SVG output via SVGO v4 |
| static/images/icons/barcode_scanner.svg | Re-optimized SVG output via SVGO v4 |
| static/images/hamburger-icon.svg | Re-optimized SVG output via SVGO v4 |
| static/images/github.svg | Re-optimized SVG output via SVGO v4 |
| static/images/facebook.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/science_fiction.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/science.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/romance.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/religion.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/recipes.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/plays.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/painting-palette.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/mystery_and_detective_stories.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/mysteries.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/music.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/medicine.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/interview.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/history.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/fantasy.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/church.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/biographies.svg | Re-optimized SVG output via SVGO v4 |
| static/images/categories/art.svg | Re-optimized SVG output via SVGO v4 |
| static/images/bubble-loader.svg | Re-optimized SVG output via SVGO v4 (currently stripped to empty SVG) |
| static/images/bsky.svg | Re-optimized SVG output via SVGO v4 |
| package.json | Dependency upgrades for lodash/svgo and qs override |
| conf/svgo.config.js | SVGO v4 config migration (preset-default + overrides) |

Comment thread on conf/svgo.config.js (context lines shown with the review comment):

```js
// conf/svgo.config.js (excerpt): overrides inside the preset-default plugin
convertPathData: false,
removeDesc: false,
removeTitle: false,
removeViewBox: false,
```
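Two checks that follow from this PR, as an added example (JavaScript written for this page, not code from the openlibrary repository or from SVGO): a pre-optimization guard that flags SVG inputs whose DOCTYPE internal subset declares entities, the input class behind CVE-2026-29074, and a post-optimization regression check for the empty-output case Copilot flagged on bubble-loader.svg. The `DRAWABLE` element list and the sample SVG strings are assumptions constructed here.

```javascript
// Added example, not code from the openlibrary repo: two guards around
// `npm run svg-min`. Before optimizing, flag SVGs whose DOCTYPE internal subset
// declares entities (the input class behind CVE-2026-29074, entity expansion);
// after optimizing, flag outputs that lost every drawable element (the
// bubble-loader.svg regression spotted in review). DRAWABLE is an assumed list.
const DRAWABLE = ['path', 'rect', 'circle', 'ellipse', 'line', 'polyline',
  'polygon', 'text', 'image', 'use'];

// True when a DOCTYPE carries an internal subset ("[ ... ]") containing
// <!ENTITY ...>. A DOCTYPE that only references an external DTD, as many
// legacy exported SVGs do, has no internal subset and is not flagged.
function hasEntityDeclarations(svgText) {
  const m = /<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/i.exec(svgText);
  return m !== null && /<!ENTITY\s/i.test(m[1]);
}

// Counts start tags of elements that actually draw something.
function countDrawable(svgText) {
  const re = new RegExp('<(' + DRAWABLE.join('|') + ')[\\s/>]', 'gi');
  return (svgText.match(re) || []).length;
}

// Compares optimizer input and output and returns the issues found.
function auditSvg(name, before, after) {
  const issues = [];
  if (hasEntityDeclarations(before)) issues.push('entity declarations in DOCTYPE');
  if (countDrawable(before) > 0 && countDrawable(after) === 0)
    issues.push('optimized output has no drawable elements');
  return { name, issues };
}

// Constructed samples (not files from the repo).
const CLEAN = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
  + '<path d="M0 0h24v24H0z"/></svg>';
const WITH_ENTITY = '<?xml version="1.0"?><!DOCTYPE svg [ <!ENTITY brand "OL"> ]>'
  + '<svg xmlns="http://www.w3.org/2000/svg"><text>&brand;</text></svg>';
const EMPTIED = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"/>';

// Runs the three cases, prints a one-line report each, and returns the reports.
function runAudit() {
  const reports = [
    auditSvg('icon.svg', CLEAN, CLEAN),
    auditSvg('brand.svg', WITH_ENTITY, WITH_ENTITY),
    auditSvg('bubble-loader.svg', CLEAN, EMPTIED),
  ];
  reports.forEach((r) => console.log(r.name, r.issues.length ? r.issues : 'ok'));
  return reports;
}
runAudit();
```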
mekarpeles added 3 commits May 3, 2026 13:58
Patch bump. Used in BarcodeScanner via createWorker/createScheduler —
stable 4.x APIs unchanged.
…12447, #12200, #11126)

Lock-only patches already within existing caret ranges; bump the floor:
- @vitejs/plugin-vue ^6.0.5 → ^6.0.6 (build tool)
- @babel/eslint-parser ^7.24.7 → ^7.28.6 (dev/lint tool)
- mini-css-extract-plugin ^2.9.2 → ^2.10.2 (webpack plugin)
…n-vue 6.0.6, @babel/eslint-parser 7.28.6, mini-css-extract 2.10.2)
@mekarpeles mekarpeles changed the title chore(deps): consolidate JS security dependency upgrades chore(deps): consolidate JS dependency upgrades (security + maintenance) May 3, 2026
@github-project-automation github-project-automation Bot moved this to Waiting Review/Merge from Staff in Ray's Project May 3, 2026
@mekarpeles mekarpeles added the Priority: 1 Do this week, receiving emails, time sensitive, . [managed] label May 3, 2026
mekarpeles added 2 commits May 3, 2026 14:46
…12560, #12561, #12563)

Lock-only or patch bumps, all dev/build tools:
- @babel/preset-env ^7.24.7 → ^7.29.3 (transpiler)
- css-loader ^7.1.2 → ^7.1.4 (webpack plugin)
- diff 4.0.2 → ^4.0.4 (utility, patch)
Absorbs renovate PR #12566 into the JS security consolidation rollup.
Updated package.json override and ran npm install to update lock file.
make js compiled successfully; HTTP 200 verified on Docker.
mekarpeles (Member, Author) commented:

Added form-data 4.0.4 → 4.0.5 (from #12566) to this rollup. npm install updated package-lock.json; make js compiled successfully; HTTP 200 confirmed on Docker. Closes #12566.

@mekarpeles mekarpeles assigned mekarpeles and unassigned RayBB May 3, 2026
mekarpeles (Member, Author) commented:

Assigning myself as the reviewer for this PR (as it is a collection of PRs originally opened by renovatebot).

@mekarpeles mekarpeles merged commit c475ae8 into master May 4, 2026
8 checks passed
@github-project-automation github-project-automation Bot moved this from Waiting Review/Merge from Staff to Done in Ray's Project May 4, 2026
@mekarpeles mekarpeles deleted the deps/js-security-consolidation branch May 4, 2026 00:02