
fix(deps): patch vite and defu security vulnerabilities#1880

Merged
shrugs merged 1 commit intomainfrom
fix/deps
Apr 6, 2026

Conversation

Collaborator

@shrugs shrugs commented Apr 6, 2026

Summary

  • bump catalog vite ^7.1.12 → ^7.3.2 (fixes high+moderate CVEs in vitest>vite path)
  • bump catalog @astrojs/react ^4.4.1 → ^4.4.2 (pulls in vite ^6.4.1 which resolves to 6.4.2+)
  • add pnpm.overrides for defu@<=6.1.4 → ^6.1.5 (prototype pollution via __proto__ key)
  • add pnpm.overrides for vite@>=5.0.0 <=6.4.1 → ^6.4.2 (fixes ponder>vite-node>vite path traversal)

resolves 10 vulnerabilities (6 high, 4 moderate) down to 0.

Test plan

  • pnpm audit --audit-level=moderate returns no vulnerabilities
  • pnpm install succeeds without errors
  • pnpm test passes
  • pnpm typecheck passes

🤖 Generated with Claude Code

- bump catalog vite ^7.1.12 → ^7.3.2 (fixes vitest>vite high/moderate CVEs)
- bump catalog @astrojs/react ^4.4.1 → ^4.4.2 (fixes @astrojs/react>vite CVEs)
- add override defu@<=6.1.4 → ^6.1.5 (prototype pollution via __proto__)
- add override vite@>=5.0.0<=6.4.1 → ^6.4.2 (fixes ponder>vite-node>vite)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@shrugs shrugs requested a review from a team as a code owner April 6, 2026 20:21
Copilot AI review requested due to automatic review settings April 6, 2026 20:21
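
The prototype-pollution bug class behind the defu override in the summary above, shown as an added example: this is illustrative code, not defu's implementation and not part of this PR. A recursive merge that copies untrusted keys into an object is placed beside a hardened version that refuses `__proto__`, `constructor` and `prototype` and only recurses into properties the target itself owns. The function names and the JSON payload are constructed.

```javascript
// Added example (not code from this PR and not defu's implementation):
// a recursive merge that copies untrusted keys, beside a hardened version.
// Function names and the sample payload are constructed for illustration.

// Keys an attacker uses to reach the prototype chain through a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: for key "__proto__", `target[key]` is not an own property but
// the inherited accessor that returns Object.prototype, so the recursion
// writes the attacker's nested keys onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the prototype-manipulating keys outright, and only recurse
// into properties the target actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (
      isPlainObject(value) &&
      Object.hasOwn(target, key) &&
      isPlainObject(target[key])
    ) {
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input such as a parsed request body. JSON.parse
// creates an *own* property literally named "__proto__"; an object literal
// with that key would set the prototype instead and never reach this path.
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "timeout": 5}';

// Merges the payload into a fresh target with the given function and reports
// whether Object.prototype gained an own "polluted" property. Always cleans
// up, so a positive result does not leak into later code.
function pollutes(mergeFn) {
  const target = { timeout: 1 };
  mergeFn(target, JSON.parse(UNTRUSTED_JSON));
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return hit;
}

console.log("naiveMerge pollutes Object.prototype:", pollutes(naiveMerge)); // true
console.log("safeMerge pollutes Object.prototype: ", pollutes(safeMerge)); // false
```

The own-property check matters on its own: even if a new dangerous key name were missed by the deny list, the hardened merge never descends into anything inherited, so the prototype chain stays out of reach.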

vercel bot commented Apr 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
admin.ensnode.io | Ready | Preview, Comment | Apr 6, 2026 8:22pm
ensnode.io | Ready | Preview, Comment | Apr 6, 2026 8:22pm
ensrainbow.io | Ready | Preview, Comment | Apr 6, 2026 8:22pm


changeset-bot bot commented Apr 6, 2026

⚠️ No Changeset found

Latest commit: 4a07119

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



coderabbitai bot commented Apr 6, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 805b5cff-693d-4a79-8571-c1537f325aa3

📥 Commits

Reviewing files that changed from the base of the PR and between 4cc026a and 4a07119.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Walkthrough

Extended pnpm configuration with dependency version overrides for defu and vite in package.json, and updated catalog versions for @astrojs/react and vite in pnpm-workspace.yaml.

Changes

Cohort / File(s) | Summary
pnpm Overrides (package.json) | Added version constraints for defu (^6.1.5 when @<=6.1.4) and vite (^6.4.2 for versions >=5.0.0 <=6.4.1) in the pnpm.overrides section.
pnpm Catalog (pnpm-workspace.yaml) | Updated catalog dependency versions: @astrojs/react from ^4.4.1 to ^4.4.2 and vite from ^7.1.12 to ^7.3.2.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hoppity-hop, the versions are bumped,
Vite and defu now properly lumped,
Overrides and catalogs all in their place,
Dependencies dance at a swifter pace! ✨



greptile-apps bot commented Apr 6, 2026

Greptile Summary

This PR is a targeted security patch that resolves 10 vulnerabilities (6 high, 4 moderate) down to 0 by applying three complementary dependency updates:

  • vite catalog bump ^7.1.12 → ^7.3.2: Fixes high/moderate CVEs in the vitest → vite dependency path.
  • @astrojs/react catalog bump ^4.4.1 → ^4.4.2: Transitively pulls in patched vite 6.4.2, covering the Astro toolchain path.
  • pnpm.overrides for defu@<=6.1.4 → ^6.1.5: Addresses a prototype pollution vulnerability via the __proto__ key.
  • pnpm.overrides for vite@>=5.0.0 <=6.4.1 → ^6.4.2: Fixes the ponder → vite-node → vite path traversal CVE.

The approach is layered correctly — the catalog entry covers the direct vitest path, while the pnpm.overrides cover transitive vite 5/6.x and defu usages. No functional code changes are included. The lockfile is consistent with all declared version constraints. No issues were found.

Confidence Score: 5/5

Safe to merge — purely security-patching dependency updates with no functional code changes.

Score of 5 reflects that all changes are well-scoped dependency version bumps addressing known CVEs. The defu override is a patch-level fix; the vite override stays within major version 6 (^6.4.2 from a >=5.0.0 <=6.4.1 range); the catalog bumps are minor version increments. The lockfile is consistent, and the test plan covers audit verification, install, test, and typecheck.

No files require special attention — all three changed files contain expected, correct dependency version updates.

Important Files Changed

Filename | Overview
package.json | Adds two well-scoped pnpm overrides: defu@<=6.1.4 → ^6.1.5 (prototype pollution) and vite@>=5.0.0 <=6.4.1 → ^6.4.2 (path traversal); both are correctly targeted
pnpm-workspace.yaml | Bumps @astrojs/react catalog ^4.4.1 → ^4.4.2 and vite catalog ^7.1.12 → ^7.3.2, covering the vitest and Astro toolchain CVE paths
pnpm-lock.yaml | Auto-generated lockfile correctly reflects all version bumps; changes are consistent with workspace and package.json modifications

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[10 Security Vulnerabilities\n6 high + 4 moderate] --> B[defu prototype\npollution CVE]
    A --> C[vite path\ntraversal CVE]
    B --> D[pnpm.overrides\ndefu<=6.1.4 → ^6.1.5]
    C --> E[via vitest → vite]
    C --> F[via ponder → vite-node → vite]
    C --> G[via @astrojs/react → vite]
    E --> H[catalog vite\n^7.1.12 → ^7.3.2]
    F --> I[pnpm.overrides\nvite>=5.0.0 <=6.4.1 → ^6.4.2]
    G --> J[catalog @astrojs/react\n^4.4.1 → ^4.4.2]
    D --> K[✅ 0 vulnerabilities]
    H --> K
    I --> K
    J --> K


Copilot AI left a comment


Pull request overview

This PR updates the monorepo’s dependency catalog and pnpm overrides to eliminate reported security vulnerabilities in the Vite/Vitest and defu dependency chains.

Changes:

  • Bump catalog versions for vite (^7.1.12 → ^7.3.2) and @astrojs/react (^4.4.1 → ^4.4.2).
  • Add pnpm.overrides to force patched versions of defu and vite in vulnerable ranges.
  • Update pnpm-lock.yaml accordingly.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

File | Description
pnpm-workspace.yaml | Updates catalog versions for vite and @astrojs/react.
package.json | Adds new pnpm.overrides entries for defu and vite.
pnpm-lock.yaml | Applies the catalog/override changes and updates resolved dependency graph.

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


resolution: {integrity: sha512-bbguNBcDxsRmi9nnlWJxhfDWamY3lmcyACHcdO1crxfzuLpOhHLLtEIN/nCbbAtj5rchUgQD17QVAKi1f7IsKg==}
peerDependencies:
vite: ^5.2.0 || ^6 || ^7
vite: ^6.4.2
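Review bot: the replacement `vite: ^6.4.2` on the last line of this hunk is exactly the target of the new `vite@>=5.0.0 <=6.4.1 → ^6.4.2` override from package.json, and the same substitution appears on every peer entry quoted in this review, which points at the override being applied to peer ranges during regeneration rather than at a hand edit, so regenerating the lockfile as-is will reproduce it. Suggest scoping the override to the path the PR description names, using pnpm's parent>child selector form (for example `vite-node>vite`), so the original `^5.2.0 || ^6 || ^7` range survives and the catalog's Vite 7.x still satisfies it.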

Copilot AI Apr 6, 2026


In the lockfile, @tailwindcss/vite@4.1.16 now lists peerDependencies.vite: ^6.4.2, which would exclude the repo’s Vite 7.x catalog version and doesn’t match the package’s previously recorded peer range. This suggests the lockfile may have been manually edited or generated incorrectly; please regenerate pnpm-lock.yaml via pnpm install (with the intended overrides) and ensure peer dependency ranges are preserved so Vite 7.x can satisfy the peer.

Suggested change
vite: ^6.4.2
vite: ^6.4.2 || ^7.0.0

engines: {node: ^14.18.0 || >=16.0.0}
peerDependencies:
vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0
vite: ^6.4.2
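Review bot: the range being replaced here, `^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0`, already admits the catalog's `^7.3.2`, so the plugin needs no version bump for Vite 7 support; the defect is only the collapsed `vite: ^6.4.2` line, which the catalog version no longer satisfies. Because pnpm reports unmet peers as warnings rather than errors by default, the `pnpm install` and `pnpm test` steps in the test plan can pass with this mismatch in place; run the install with `--strict-peer-dependencies` (or review the install warnings) after regenerating the lockfile.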

Copilot AI Apr 6, 2026


@vitejs/plugin-react@4.7.0 is recorded with peerDependencies.vite: ^6.4.2 in the lockfile, which is a substantial narrowing from the prior peer range and can force an incompatible peer resolution (or warnings) when the workspace uses Vite 7.x. Please regenerate the lockfile from a clean install and verify the plugin’s peer range isn’t being rewritten; if the ecosystem truly requires Vite 6.4.2+, consider bumping the plugin to a version that supports Vite 7 instead of narrowing peers in the lockfile.

Suggested change
vite: ^6.4.2
vite: ^6.4.2 || ^7.0.0

Comment on lines 4781 to 4786
'@vitest/mocker@4.0.5':
resolution: {integrity: sha512-iYHIy72LfbK+mL5W8zXROp6oOcJKXWeKcNjcPPsqoa18qIEDrhB6/Z08o0wRajTd6SSSDNw8NCSIHVNOMpz0mw==}
peerDependencies:
msw: ^2.4.9
vite: ^6.0.0 || ^7.0.0-0
vite: ^6.4.2
peerDependenciesMeta:
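Review bot: the prior range `^6.0.0 || ^7.0.0-0` on this entry deliberately accepts Vite 7 (prereleases included), and this package sits in the vitest path that the catalog bump to `^7.3.2` is meant to fix, so the narrowed `^6.4.2` works against that bump for the very package it targets; the `msw: ^2.4.9` peer two lines above is untouched, consistent with only vite-ranged entries being rewritten. After regenerating, check with `pnpm why vite` that a single vite version is resolved under vitest rather than a second Vite 6 copy sitting beside the catalog's Vite 7.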

Copilot AI Apr 6, 2026


@vitest/mocker@4.0.5 is now recorded with peerDependencies.vite: ^6.4.2 in the lockfile. This effectively drops Vite 7 peer compatibility and can cause peer resolution drift (e.g., pulling Vite 6 into the tree) despite the workspace catalog using Vite 7.x. Please regenerate the lockfile and ensure peer dependency ranges aren’t being collapsed to the overridden version.

resolution: {integrity: sha512-cfgJwcGOsIxXOLU/nELPny2/LUD/lcf1IbfyeKTv2bsupVbTH/xpFtdQlBmIP1GEK2CjjLxYhFfB+QODFAx5aw==}
peerDependencies:
vite: '*'
vite: ^6.4.2
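Review bot: narrowing the `'*'` peer range to `^6.4.2` on this line closes none of the listed vulnerabilities, since a peer range only constrains what the consumer may provide, while the override on resolved versions is what removes vulnerable vite copies; restoring `'*'` (or regenerating) therefore changes nothing about which vite is installed. Whichever fix is applied, re-run the `pnpm audit --audit-level=moderate` check from the test plan against the regenerated lockfile, since pnpm audit works from the lockfile contents.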

Copilot AI Apr 6, 2026


vite-tsconfig-paths@4.3.1 is recorded with peerDependencies.vite: ^6.4.2 in the lockfile. This is unusually restrictive (and differs from the prior vite: '*' entry) and may prevent/destabilize using Vite 7.x in the workspace. Please regenerate the lockfile to ensure the plugin’s peer dependency metadata isn’t being rewritten by the update process.

Suggested change
vite: ^6.4.2
vite: '*'

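A check for the condition the review comments above describe, as an added example that is not code from this PR or from pnpm: it parses a constructed lockfile fragment modelled on the quoted entries (integrity hashes replaced with placeholders) and flags every `peerDependencies.vite` range that the catalog's Vite version no longer satisfies. The range matcher is a deliberate simplification that handles only `*`, caret ranges and `||`, which is all the quoted entries use; the function names and the fragment are constructed.

```javascript
// Added example (not code from this PR or from pnpm): detect peerDependencies
// ranges in a pnpm lockfile that the catalog version no longer satisfies.
// The lockfile fragment, function names and placeholder hashes are constructed.

// Fragment in pnpm-lock.yaml layout, modelled on the entries quoted in the
// review: two carry the collapsed ^6.4.2 range, two keep their original ranges.
const SAMPLE_LOCKFILE = `
packages:

  '@tailwindcss/vite@4.1.16':
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      vite: ^6.4.2

  '@vitejs/plugin-react@4.7.0':
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0

  '@vitest/mocker@4.0.5':
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      msw: ^2.4.9
      vite: ^6.4.2
    peerDependenciesMeta:
      msw:
        optional: true

  vite-tsconfig-paths@4.3.1:
    resolution: {integrity: sha512-CONSTRUCTED}
    peerDependencies:
      vite: '*'
`;

const stripQuotes = (s) => s.replace(/^'(.*)'$/, "$1");

// Indentation-driven scan of the `packages:` section: package keys at indent 2,
// their sub-sections at indent 4, individual peer ranges at indent 6.
// Returns Map<packageKey, { peerName: range }>.
function parsePeerDependencies(lockfileText) {
  const peersByPackage = new Map();
  let pkg = null;
  let inPeers = false;
  for (const raw of lockfileText.split("\n")) {
    if (raw.trim() === "") continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 2 && line.endsWith(":")) {
      pkg = stripQuotes(line.slice(0, -1));
      peersByPackage.set(pkg, {});
      inPeers = false;
    } else if (indent === 4) {
      inPeers = line === "peerDependencies:";
    } else if (indent === 6 && inPeers && pkg !== null) {
      const sep = line.indexOf(":");
      const name = line.slice(0, sep).trim();
      peersByPackage.get(pkg)[name] = stripQuotes(line.slice(sep + 1).trim());
    }
  }
  return peersByPackage;
}

// Simplified semver: [major, minor, patch]; a prerelease suffix such as "-0"
// on the range side is accepted and treated as its base version.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Upper bound of a caret range, i.e. the next breaking version:
// ^X.Y.Z (X > 0) -> (X+1).0.0; ^0.Y.Z -> 0.(Y+1).0; ^0.0.Z -> 0.0.(Z+1).
function caretUpperBound([x, y, z]) {
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

// Supports only what the quoted entries use ("*", caret ranges, "||");
// anything else is rejected rather than silently accepted.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split("||").some((alternative) => {
    const r = alternative.trim();
    if (r === "*") return true;
    if (r.startsWith("^")) {
      const lower = parseVersion(r.slice(1));
      return compareVersions(v, lower) >= 0 &&
        compareVersions(v, caretUpperBound(lower)) < 0;
    }
    throw new Error(`unsupported range syntax: ${r}`);
  });
}

// Every package whose peer range for `peerName` excludes the catalog version.
// An empty result means the lockfile's peer ranges admit that version.
function findIncompatiblePeers(lockfileText, peerName, catalogVersion) {
  const incompatible = [];
  for (const [pkg, peers] of parsePeerDependencies(lockfileText)) {
    const range = peers[peerName];
    if (range !== undefined && !satisfies(catalogVersion, range)) {
      incompatible.push({ pkg, range });
    }
  }
  return incompatible;
}

console.log(findIncompatiblePeers(SAMPLE_LOCKFILE, "vite", "7.3.2"));
// [ { pkg: '@tailwindcss/vite@4.1.16', range: '^6.4.2' },
//   { pkg: '@vitest/mocker@4.0.5', range: '^6.4.2' } ]
```

To run it against the workspace's own lockfile, replace SAMPLE_LOCKFILE with the contents of pnpm-lock.yaml and the catalog version from pnpm-workspace.yaml; a production version of this check would swap the simplified matcher for a full semver library, since real lockfiles also contain `>=`, tilde and hyphen ranges that this one deliberately rejects.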