Summary
Charter's own workspace needs a dependency hygiene pass. This came up while consuming @stackbilt/[email protected] from img-forge: the published CLI is current, but Charter's repo audit still reports vulnerable transitive packages in the MCP SDK and Vitest/Vite tooling paths.
Evidence from live repo check
From /mnt/c/users/kover/documents/charter on main:
npm view @stackbilt/cli version -> 1.0.0
pnpm outdated --format json only reported breaking-major candidates:
typescript current/wanted 5.8.3, latest 6.0.3
zod current/wanted 3.25.76, latest 4.4.3
pnpm audit --audit-level moderate initially reported 27 vulnerabilities, on two dependency paths: the Vite/esbuild tooling path, and @stackbilt/cli -> @modelcontextprotocol/sdk pulling in @hono/node-server, hono, fast-uri, ip-address and qs (the same packages the overrides block below pins).
Candidate remediation tested locally
A focused root pnpm.overrides block plus explicit root [email protected] reduced the audit to zero known vulnerabilities:
"devDependencies": {
  "vite": "7.3.2"
},
"pnpm": {
  "overrides": {
    "@hono/node-server": "1.19.14",
    "esbuild": "0.28.1",
    "fast-uri": "4.0.0",
    "hono": "4.12.25",
    "ip-address": "10.1.1",
    "qs": "6.15.2",
    "vite": "7.3.2"
  }
}
After this, pnpm audit --audit-level moderate returned:
No known vulnerabilities found
And the dependency paths resolved to the patched versions pinned above (@hono/node-server, esbuild, fast-uri, hono, ip-address, qs, vite).
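An added check, not from the Charter repo, that makes the review of an overrides block like the one above mechanical: given pnpm audit --json output and a candidate pnpm.overrides map, it reports per advisory whether the pin is exact, whether it lands outside the advisory's vulnerable range, and whether it crosses a major version (the breaking-major concern raised in the notes). The audit sample, advisory ids, ranges and found versions are constructed, and OPS, parse_version, in_range and check_overrides are hypothetical names.

```python
import json
import re

# Constructed sample in the shape of `pnpm audit --json` (an "advisories" map keyed by id).
# Ids, vulnerable ranges and found versions are illustrative, not real advisory data.
SAMPLE_AUDIT = json.dumps({"advisories": {
    "1001": {"module_name": "hono", "vulnerable_versions": "<4.12.25", "findings": [{"version": "4.6.0"}]},
    "1002": {"module_name": "esbuild", "vulnerable_versions": "<=0.24.2", "findings": [{"version": "0.21.5"}]},
    "1003": {"module_name": "qs", "vulnerable_versions": ">=6.5.0 <6.15.2", "findings": [{"version": "6.13.0"}]},
    "1004": {"module_name": "vite", "vulnerable_versions": "<7.1.0", "findings": [{"version": "6.3.5"}]},
}})

# Hypothetical pnpm.overrides under review: one entry is a caret range, one is a major bump.
OVERRIDES = {"hono": "4.12.25", "esbuild": "0.28.1", "qs": "^6.15.2", "vite": "7.3.2"}

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "": lambda a, b: a == b}

def parse_version(text):
    """'4.12.25' -> (4, 12, 25); shorter versions are zero-padded to three parts."""
    parts = [int(p) for p in re.match(r"v?(\d+(?:\.\d+)*)", text.strip()).group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_range(version, range_expr):
    """True if version satisfies a node-semver style range such as '>=6.5.0 <6.15.2 || <4.0.0'."""
    v = parse_version(version)
    for clause in range_expr.split("||"):
        comps = [re.match(r"(<=|>=|<|>|=)?v?(\d+(?:\.\d+)*)", c) for c in clause.split()]
        if comps and all(OPS[m.group(1) or ""](v, parse_version(m.group(2))) for m in comps):
            return True
    return False

def check_overrides(audit_json, overrides):
    """Classify each advisory against the pins: no-override, not-exact-pin, still-vulnerable, closed-major-bump, closed."""
    report = {}
    for adv_id, adv in json.loads(audit_json)["advisories"].items():
        pin = overrides.get(adv["module_name"])
        found = adv["findings"][0]["version"]
        if pin is None:
            report[adv_id] = "no-override"
        elif not re.fullmatch(r"\d+\.\d+\.\d+", pin):          # '^6.15.2' would let pnpm float
            report[adv_id] = "not-exact-pin"
        elif in_range(pin, adv["vulnerable_versions"]):
            report[adv_id] = "still-vulnerable"
        elif parse_version(pin)[0] != parse_version(found)[0]:  # flag breaking-major jumps
            report[adv_id] = "closed-major-bump"
        else:
            report[adv_id] = "closed"
    return report
```

Run it against the real `pnpm audit --json` output and the repo's overrides map before opening the PR; anything other than "closed" deserves a line in the PR description.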
Additional test gap surfaced
The full test suite has an unrelated stale assertion:
packages/scaffold-core/src/__tests__/package.test.ts
expected '1.2.0' to be '1.1.0'
packages/scaffold-core/package.json reports 1.2.0, so the test should be updated or made less brittle as part of this cleanup.
Acceptance criteria
- package.json / pnpm-lock.yaml updated.
- pnpm audit --audit-level moderate reports no known vulnerabilities.
- pnpm run build, pnpm run typecheck, pnpm run test, pnpm run publish:check and pnpm run verify:adf all pass.
Notes
Avoid broad major upgrades for this pass. typescript@6 and zod@4 showed as latest, but they are breaking-major candidates and are not needed for the audit cleanup.