
deps: bump electron stack and resolve all 22 npm audit findings#145

Open
kairoxxai wants to merge 2 commits into lightningpixel:dev from kairoxxai:laptop/electron-stack-vuln-fix

Conversation

@kairoxxai

@kairoxxai kairoxxai commented May 13, 2026


Summary

Closes all 22 npm audit findings (12 high, 6 moderate, 4 low) by bumping the electron build stack:

Package           Before    After
electron          33.3.0    42.0.1
electron-builder  24.13.3   26.8.1
electron-vite     2.3.0     5.0.0
vite              5.4.0     8.0.12

Notable advisories closed: node-tar path traversal (multiple GHSAs), postcss XSS (GHSA-qx2v-qp2m-jg93), and a long tail of esbuild/vite transitive vulns.

Test plan

  • npm audit reports 0 vulnerabilities post-upgrade
  • npm run build completes cleanly across all three electron-vite environments (main, preload, renderer)
  • npm run dev launches the Electron app on Linux (Pop OS 24.04, Wayland); Python bridge boots, registry initializes, three.js renderer loads
  • Maintainers should validate on macOS builds before merging

Notes

  • Pure dep bump: no source changes, no API surface changes from electron 33→42 that affected modly's runtime in my testing
  • Vite 8 surfaces some deprecation warnings (esbuild plugin option, optimizeDeps.rollupOptions, plugin-react → plugin-react-oxc). All non-fatal — flagged for a future cleanup PR
  • ESLint 9 is now a transitive — pre-existing .eslintrc.* config will need migration to eslint.config.js (out of scope here; npm run lint was already broken before this PR)

@Lorchie

Lorchie commented May 22, 2026

Collaborator

Can you merge it into the dev branch? Thanks

@lightningpixel lightningpixel changed the base branch from main to dev May 22, 2026 09:06
- electron 33.3.0 → 42.0.1
- electron-builder 24.13.3 → 26.8.1
- electron-vite 2.3.0 → 5.0.0
- vite 5.4.0 → 8.0.12

Closes 22 npm audit findings (12 high, 6 moderate, 4 low) including
node-tar path traversal (multiple GHSAs), postcss XSS, and
esbuild/vite transitive vulns. Build verified clean across all three
electron-vite environments (main, preload, renderer). App launches
and exercises Python bridge + three.js renderer successfully.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@Lorchie

Lorchie commented Jun 20, 2026

Collaborator

Hey @kairoxxai, thanks for the PR — really appreciated the groundwork here.

I'm going to push a few adjustments directly onto your branch (you had "Allow
edits from maintainers" enabled):

  • Rebased on current dev — your PR was based on an older commit, so a few
    things that were added since (mac build config, gaussian-splats-3d, extra
    build filters) were missing. The rebase brings them in automatically.
  • Vite 7 instead of 8 — Vite 8 surfaces deprecation warnings (esbuild plugin
    option, plugin-react → plugin-react-oxc) we'd rather not inherit. Vite 7 is
    stable and keeps the build clean.
  • Electron 42.4.1 / electron-builder 26.15.3 — slightly newer patch releases
    than what you had.
  • overrides: { esbuild: "^0.28.0" } — needed to close the one remaining
    low-severity esbuild vuln that Vite 7 pulls in transitively.

End result: npm audit reports 0 vulnerabilities, TypeScript passes, and all
three Electron-Vite environments build clean. Tested on Windows.
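Both the PR's test plan (`npm audit` reporting 0 vulnerabilities) and the maintainer's `overrides: { esbuild: "^0.28.0" }` fix are checks a CI job can enforce rather than eyeball. The script below is an added example, not code from the PR or the project: it summarizes an `npm audit --json` report (auditReportVersion 2, npm 7+) by severity and verifies that every copy of an overridden package in package-lock.json, including nested copies under another package's node_modules, falls inside the override range. The audit report and lockfile are constructed sample data, the caret-only range matcher is a deliberate simplification of semver, and `ciGate` and the other function names are assumptions of this example.

```javascript
// Added example, not code from the PR or the project. Gate a CI step on
// `npm audit --json` output and confirm a package.json `overrides` entry is
// honoured by every copy of the package in package-lock.json.
// SAMPLE_AUDIT and SAMPLE_LOCK below are constructed sample data.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Count findings per severity and collect those at or above `threshold`.
// `report` is the parsed object from `npm audit --json` (auditReportVersion 2).
function summarizeAudit(report, threshold = "low") {
  const min = SEVERITY_ORDER.indexOf(threshold);
  if (min < 0) throw new Error(`unknown severity: ${threshold}`);
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const blocking = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities ?? {})) {
    counts[vuln.severity] = (counts[vuln.severity] ?? 0) + 1;
    if (SEVERITY_ORDER.indexOf(vuln.severity) < min) continue;
    // `via` mixes advisory objects (the package's own advisories) with bare
    // package names (vulnerabilities inherited from a dependency).
    const advisories = (vuln.via ?? [])
      .filter((v) => typeof v === "object")
      .map((v) => v.url);
    blocking.push({
      name,
      severity: vuln.severity,
      direct: Boolean(vuln.isDirect),
      fixAvailable: Boolean(vuln.fixAvailable),
      advisories,
    });
  }
  return { counts, blocking, ok: blocking.length === 0 };
}

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Caret-range check, the only operator the override above uses. A real
// pipeline would use the `semver` package for full range syntax.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const [M, m, p] = parseVersion(range.slice(1));
  const [vM, vm, vp] = parseVersion(version);
  const atLeast = vM > M || (vM === M && (vm > m || (vm === m && vp >= p)));
  // ^1.2.3 allows <2.0.0; ^0.2.3 allows <0.3.0; ^0.0.3 allows <0.0.4.
  let below;
  if (M > 0) below = vM === M;
  else if (m > 0) below = vM === 0 && vm === m;
  else below = vM === 0 && vm === 0 && vp === p;
  return atLeast && below;
}

// Every lockfileVersion 2/3 entry whose path ends in node_modules/<name>,
// nested copies included, must satisfy `range`; return the ones that do not.
function findOverrideViolations(lock, name, range) {
  const suffix = `node_modules/${name}`;
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!satisfiesCaret(entry.version, range)) {
      violations.push({ path, version: entry.version });
    }
  }
  return violations;
}

// Single CI entry point: audit threshold plus every override in the root entry.
function ciGate(report, lock, threshold = "low",
                overrides = lock.packages?.[""]?.overrides ?? {}) {
  const audit = summarizeAudit(report, threshold);
  const violations = Object.entries(overrides)
    .flatMap(([name, range]) => findOverrideViolations(lock, name, range));
  return { auditOk: audit.ok, counts: audit.counts, blocking: audit.blocking,
           violations, ok: audit.ok && violations.length === 0 };
}

// Constructed sample data: the shapes follow npm's output, the values are made up.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    esbuild: {
      name: "esbuild", severity: "low", isDirect: false,
      via: [{ title: "constructed advisory", url: "https://example.invalid/advisory", severity: "low" }],
      effects: ["vite"], range: "<0.28.0", fixAvailable: true,
    },
    vite: {
      name: "vite", severity: "low", isDirect: true,
      via: ["esbuild"], effects: [], range: "<=7.0.0", fixAvailable: true,
    },
  },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", overrides: { esbuild: "^0.28.0" } },
    "node_modules/esbuild": { version: "0.28.1" },
    "node_modules/vite": { version: "7.0.0" },
    // A nested copy npm did not deduplicate: this is what the override check catches.
    "node_modules/vite/node_modules/esbuild": { version: "0.21.5" },
  },
};

console.log(JSON.stringify(ciGate(SAMPLE_AUDIT, SAMPLE_LOCK, "moderate"), null, 2));
```

In a real job, feed `JSON.parse` of `npm audit --json` and of package-lock.json into `ciGate` and fail the step when `ok` is false. The nested-copy check is the part `npm audit` alone does not give you: a lockfile that was not regenerated after the override was added can still carry the old esbuild under another package's node_modules, and that copy is what gets bundled.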

@Lorchie Lorchie force-pushed the laptop/electron-stack-vuln-fix branch from 65d9c42 to aa2f91c on June 20, 2026 22:38