Skip to content

chore(deps): fix npm audit vulnerabilities and loosen three peer range (v1.6.2)#19

Merged
joaner merged 1 commit into
ioai-tech:mainfrom
joaner:chore/npm-audit-peer-hardening
Jul 3, 2026
Merged

chore(deps): fix npm audit vulnerabilities and loosen three peer range (v1.6.2)#19
joaner merged 1 commit into
ioai-tech:mainfrom
joaner:chore/npm-audit-peer-hardening

Conversation

@joaner

@joaner joaner commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Run npm audit fix: bump protobufjs 8.5.0 -> 8.6.5 (moderate) and esbuild 0.28.0 -> 0.28.1 (low); npm audit now reports 0 vulnerabilities. Lockfile-only, within existing semver ranges.
  • Loosen the three peerDependency from ^0.173.0 to >=0.173.0. Since three is a 0.x package, caret only allows >=0.173.0 <0.174.0, causing peer-conflict warnings for consumers on newer three (0.174+, now 0.18x). @react-three/fiber/drei/react keep caret.
  • Bump version to 1.6.2.

Verified: libExternal() in vite.lib.config.ts externalizes only the react/three ecosystem, which stays consistent with the declared peerDependencies (no silent required installs).

Test plan

  • npm audit -> 0 vulnerabilities
  • npm run typecheck
  • npm run build:lib

- npm audit fix: protobufjs 8.5.0->8.6.5, esbuild 0.28.0->0.28.1 (0 vulns)
- widen `three` peerDependency to `>=0.173.0` so consumers on newer
  three (0.174+) no longer hit peer conflicts (caret locks 0.x minors)
- bump version to 1.6.2
@joaner joaner merged commit ec3cc8e into ioai-tech:main Jul 3, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant