[codex] fix dependency audit issues#2028
Conversation
WalkthroughDependency versions are bumped across all monorepo workspaces (api, shared packages, unraid-ui, web, plugin), promoting ChangesDependency management and pnpm audit tooling
Frontend refactoring: Nuxt UI 4.8.2, DOMPurify, types, and components
Miscellaneous
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
|
🚀 Storybook has been deployed to staging: https://unraid-ui-storybook-staging.unraid-workers.workers.dev |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In
`@api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.ts`:
- Around line 170-175: Replace the mock ConfigService object creation that uses
the `as unknown as ConfigService` casting pattern with the `vi.spyOn()` approach
to maintain type safety and avoid unsafe casting. The current pattern at the
configService initialization violates type safety guidelines. Instead of
creating a mock object and casting it, use the spy approach demonstrated in the
existing test setup to properly mock the ConfigService without bypassing
TypeScript's type checking. Apply this fix consistently wherever this pattern
appears in the test file.
In `@scripts/pnpm-audit.mjs`:
- Around line 9-13: The spawnSync call for the pnpm audit command in the audit
function does not specify an explicit maxBuffer option, which defaults to 1 MB
and can be exceeded by large audit payloads, causing stdout truncation and
JSON.parse failures. Add a maxBuffer property to the options object passed to
spawnSync with a significantly larger value (such as 10 MB or higher) to
accommodate large audit output without truncation.
In `@unraid-ui/package.json`:
- Line 89: The devDependencies for ajv has been upgraded to 8.20.0, but the
peerDependencies.ajv is still pinned to 8.17.1, creating a version mismatch.
Update the peerDependencies.ajv version from 8.17.1 to 8.20.0 to align with the
upgraded devDependencies version and match what is being consumed in
web/package.json.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 869d8a80-ee9e-4352-9190-bb46f85b2e2b
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (11)
api/package.jsonapi/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.tspackage.jsonpackages/unraid-api-plugin-connect/package.jsonpackages/unraid-api-plugin-generator/package.jsonpackages/unraid-api-plugin-health/package.jsonpackages/unraid-shared/package.jsonplugin/package.jsonscripts/pnpm-audit.mjsunraid-ui/package.jsonweb/package.json
| const configService = { | ||
| get: vi.fn().mockReturnValue({ | ||
| 'dynamix-base': join(tempDir, 'missing', 'dynamix-base'), | ||
| }), | ||
| } as unknown as ConfigService; | ||
| const configuredService = new UnraidPluginsService(configService); |
There was a problem hiding this comment.
🛠️ Refactor suggestion | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
rg -nP "as\\s+unknown\\s+as\\s+ConfigService|\\bas\\s+any\\b" api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.tsRepository: unraid/api
Length of output: 286
🏁 Script executed:
# Get the full context around lines 170-175 and examine surrounding test structure
sed -n '150,180p' api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.ts | cat -nRepository: unraid/api
Length of output: 1650
🏁 Script executed:
# Check the imports and ConfigService definition in this test file
head -40 api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.ts | cat -nRepository: unraid/api
Length of output: 1690
🏁 Script executed:
# Verify all instances of casting pattern and understand test structure
grep -n -B2 -A2 "as unknown as" api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.tsRepository: unraid/api
Length of output: 1024
🏁 Script executed:
# Check ConfigService definition and whether it can be instantiated directly
fd -t f ConfigService.ts$ | head -5 | xargs cat -n 2>/dev/null | head -80Repository: unraid/api
Length of output: 36
Remove unnecessary casting of mock ConfigService
The as unknown as ConfigService pattern bypasses type safety and violates the coding guideline to avoid casting. Use direct instantiation with vi.spyOn() instead, as demonstrated by the existing test setup at line 34.
This casting pattern appears at multiple locations in the test file (lines 157, 174, 193) and should be addressed consistently.
Example fix
- const configService = {
- get: vi.fn().mockReturnValue({
- 'dynamix-base': join(tempDir, 'missing', 'dynamix-base'),
- }),
- } as unknown as ConfigService;
+ const configService = new ConfigService();
+ vi.spyOn(configService, 'get').mockReturnValue({
+ 'dynamix-base': join(tempDir, 'missing', 'dynamix-base'),
+ });
const configuredService = new UnraidPluginsService(configService);📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| const configService = { | |
| get: vi.fn().mockReturnValue({ | |
| 'dynamix-base': join(tempDir, 'missing', 'dynamix-base'), | |
| }), | |
| } as unknown as ConfigService; | |
| const configuredService = new UnraidPluginsService(configService); | |
| const configService: Partial<ConfigService> = { | |
| get: vi.fn().mockReturnValue({ | |
| 'dynamix-base': join(tempDir, 'missing', 'dynamix-base'), | |
| }), | |
| }; | |
| const configuredService = new UnraidPluginsService(configService as ConfigService); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In
`@api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.ts`
around lines 170 - 175, Replace the mock ConfigService object creation that uses
the `as unknown as ConfigService` casting pattern with the `vi.spyOn()` approach
to maintain type safety and avoid unsafe casting. The current pattern at the
configService initialization violates type safety guidelines. Instead of
creating a mock object and casting it, use the spy approach demonstrated in the
existing test setup to properly mock the ConfigService without bypassing
TypeScript's type checking. Apply this fix consistently wherever this pattern
appears in the test file.
Source: Coding guidelines
| const audit = spawnSync('pnpm', ['audit', '--json', ...args], { | ||
| cwd, | ||
| encoding: 'utf8', | ||
| stdio: ['ignore', 'pipe', 'pipe'], | ||
| }); |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
What is the default maxBuffer for Node.js child_process.spawnSync, and what happens when stdout/stderr exceed that limit?
💡 Result:
The default maxBuffer for child_process.spawnSync in Node.js is 1024 * 1024 bytes (1 MB) [1][2]. When the amount of data written to stdout or stderr exceeds this limit, the child process is terminated, and any accumulated output is truncated [1][3]. The method will return an object containing the process's exit information, and the error property will typically reflect that the buffer limit was exceeded (often resulting in an ENOBUFS error) [4].
Citations:
- 1: https://nodejs.org/docs/latest-v26.x/api/child_process.html
- 2: https://github.com/nodejs/node/blob/main/doc/api/child_process.md
- 3: https://beta.docs.nodejs.org/child_process.html
- 4:
spawnSync()'smaxBufferoption is not ignored withstdio[3]: 'ignore'nodejs/node#52338
🏁 Script executed:
cat -n scripts/pnpm-audit.mjs | head -40Repository: unraid/api
Length of output: 1379
🏁 Script executed:
cat -n scripts/pnpm-audit.mjs | tail -n +40Repository: unraid/api
Length of output: 6133
Set an explicit maxBuffer for spawnSync audit output.
The default maxBuffer limit of 1 MB can be exceeded by large audit payloads, causing stdout to be truncated and JSON.parse to fail silently on line 22.
Suggested fix
const audit = spawnSync('pnpm', ['audit', '--json', ...args], {
cwd,
encoding: 'utf8',
+ maxBuffer: 10 * 1024 * 1024,
stdio: ['ignore', 'pipe', 'pipe'],
});📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| const audit = spawnSync('pnpm', ['audit', '--json', ...args], { | |
| cwd, | |
| encoding: 'utf8', | |
| stdio: ['ignore', 'pipe', 'pipe'], | |
| }); | |
| const audit = spawnSync('pnpm', ['audit', '--json', ...args], { | |
| cwd, | |
| encoding: 'utf8', | |
| maxBuffer: 10 * 1024 * 1024, | |
| stdio: ['ignore', 'pipe', 'pipe'], | |
| }); |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/pnpm-audit.mjs` around lines 9 - 13, The spawnSync call for the pnpm
audit command in the audit function does not specify an explicit maxBuffer
option, which defaults to 1 MB and can be exceeded by large audit payloads,
causing stdout truncation and JSON.parse failures. Add a maxBuffer property to
the options object passed to spawnSync with a significantly larger value (such
as 10 MB or higher) to accommodate large audit output without truncation.
| "@vue/test-utils": "2.4.6", | ||
| "@vue/tsconfig": "0.8.1", | ||
| "ajv": "8.17.1", | ||
| "ajv": "8.20.0", |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo -e "package\tpeerAjv\tdepAjv\tdevAjv"
jq -r '
.name as $name
| [
$name,
(.peerDependencies.ajv // "none"),
(.dependencies.ajv // "none"),
(.devDependencies.ajv // "none")
]
| `@tsv`
' unraid-ui/package.json web/package.jsonRepository: unraid/api
Length of output: 143
Align ajv peer dependency with the upgraded dev/consumer version.
Line 89 upgrades devDependencies.ajv to 8.20.0, but peerDependencies.ajv remains pinned to 8.17.1. The web/package.json package consumes ajv@8.20.0, creating a peer contract mismatch across workspaces.
Proposed fix
"peerDependencies": {
- "ajv": "8.17.1",
+ "ajv": "8.20.0",
"tailwindcss": "4.1.12",
"vue": "3.5.20"
},🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@unraid-ui/package.json` at line 89, The devDependencies for ajv has been
upgraded to 8.20.0, but the peerDependencies.ajv is still pinned to 8.17.1,
creating a version mismatch. Update the peerDependencies.ajv version from 8.17.1
to 8.20.0 to align with the upgraded devDependencies version and match what is
being consumed in web/package.json.
elibosley
force-pushed
the
codex/fix-dependency-audit-issues
branch
from
58b6f3b to
a421619
Compare
|
🚀 Storybook has been deployed to staging: https://unraid-ui-storybook-staging.unraid-workers.workers.dev |
elibosley
force-pushed
the
codex/fix-dependency-audit-issues
branch
from
a421619 to
0baec05
Compare
|
🚀 Storybook has been deployed to staging: https://unraid-ui-storybook-staging.unraid-workers.workers.dev |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2028 +/- ##
==========================================
+ Coverage 52.63% 52.64% +0.01%
==========================================
Files 1035 1035
Lines 72034 72038 +4
Branches 8248 8253 +5
==========================================
+ Hits 37917 37927 +10
+ Misses 33991 33985 -6
Partials 126 126 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
This plugin has been deployed to Cloudflare R2 and is available for testing. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0baec05c03
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| updateVulnerabilityMetadata(report); | ||
|
|
||
| process.stdout.write(`${JSON.stringify(report, null, 2)}\n`); | ||
| process.exitCode = Object.keys(report.advisories ?? {}).length === 0 ? 0 : (audit.status ?? 1); |
There was a problem hiding this comment.
When pnpm audit --json returns a JSON error object instead of an advisory list, this line treats the missing advisories object as empty and exits 0. I reproduced this with the current registry 403 response: node scripts/pnpm-audit.mjs printed ERR_PNPM_AUDIT_BAD_RESPONSE but returned success; pnpm audit --help documents --ignore-registry-errors as the option that should make registry errors exit 0, so without that flag CI will now pass even though the audit did not complete.
Useful? React with 👍 / 👎.
|
🚀 Storybook has been deployed to staging: https://unraid-ui-storybook-staging.unraid-workers.workers.dev |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@unraid-ui/src/components/common/accordion/Accordion.vue`:
- Around line 33-35: The watcher that handles `modelValue` changes currently
blocks `undefined` values with an `if (val !== undefined)` guard check,
preventing the parent from clearing or resetting the internal `openValue` state
in controlled mode. Remove or adjust the guard condition that skips `undefined`
values so that when `modelValue` is set to `undefined`, it properly propagates
to `openValue` to maintain controlled sync semantics. Apply the same fix to any
other watchers or handlers in the Accordion component that have similar guard
conditions blocking `undefined` (mentioned as also applying to the 52-55 range).
In `@unraid-ui/vite.config.ts`:
- Around line 33-36: Fix the vite-plugin-dts configuration in vite.config.ts to
match the v5.0.2 API. Change the property outDirs (which is an array) to the
singular property outDir with a string value of 'dist'. Additionally, replace
the bundleTypes object structure (containing the non-existent bundledPackages
property) with a boolean value of false, or remove the bundleTypes configuration
entirely since false is the default in this API version.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: bcb965b8-33c9-4b8a-98ba-201fdefdc943
⛔ Files ignored due to path filters (2)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yamlweb/__test__/helpers/__snapshots__/markdown.test.ts.snapis excluded by!**/*.snap
📒 Files selected for processing (32)
AGENTS.mdapi/package.jsonapi/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.tspackage.jsonpackages/unraid-api-plugin-connect/package.jsonpackages/unraid-api-plugin-generator/package.jsonpackages/unraid-api-plugin-health/package.jsonpackages/unraid-shared/package.jsonplugin/package.jsonscripts/pnpm-audit.mjsunraid-ui/package.jsonunraid-ui/src/components/common/accordion/Accordion.vueunraid-ui/vite.config.tsweb/__test__/components/Logs/SingleLogViewer.test.tsweb/__test__/components/SsoButton.test.tsweb/__test__/helpers/markdown.test.tsweb/__test__/setup.tsweb/__test__/store/callbackActions.test.tsweb/auto-imports.d.tsweb/components.d.tsweb/package.jsonweb/src/components/Common/ResizableSlideover.vueweb/src/components/Docker/DockerContainerManagement.vueweb/src/components/Onboarding/components/InternalBootConfirmDialog.vueweb/src/composables/gql/graphql.tsweb/src/composables/useContentHighlighting.tsweb/src/composables/useContextMenu.tsweb/src/composables/useDockerRowActions.tsweb/src/helpers/markdown.tsweb/src/store/callbackActions.tsweb/vitest.config.tsweb/vitest.setup.ts
💤 Files with no reviewable changes (1)
- AGENTS.md
✅ Files skipped from review due to trivial changes (8)
- web/src/helpers/markdown.ts
- web/src/components/Docker/DockerContainerManagement.vue
- web/src/composables/useContentHighlighting.ts
- web/test/store/callbackActions.test.ts
- packages/unraid-api-plugin-generator/package.json
- web/components.d.ts
- web/src/composables/gql/graphql.ts
- web/auto-imports.d.ts
🚧 Files skipped from review as they are similar to previous changes (10)
- plugin/package.json
- api/src/unraid-api/graph/resolvers/unraid-plugins/unraid-plugins.service.spec.ts
- packages/unraid-api-plugin-health/package.json
- packages/unraid-api-plugin-connect/package.json
- package.json
- packages/unraid-shared/package.json
- unraid-ui/package.json
- api/package.json
- scripts/pnpm-audit.mjs
- web/package.json
| const emit = defineEmits<{ | ||
| 'update:modelValue': [value: string | string[]]; | ||
| 'update:modelValue': [value: string | string[] | undefined]; | ||
| }>(); |
There was a problem hiding this comment.
modelValue = undefined can no longer clear internal state in controlled mode
After widening update:modelValue to include undefined, the watcher still ignores undefined (if (val !== undefined) on Line 42), so a parent-driven clear/reset won’t propagate to openValue. This breaks controlled sync semantics.
Suggested fix
watch(
() => props.modelValue,
(val) => {
- if (val !== undefined) openValue.value = val;
+ openValue.value = val;
}
);Also applies to: 52-55
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@unraid-ui/src/components/common/accordion/Accordion.vue` around lines 33 -
35, The watcher that handles `modelValue` changes currently blocks `undefined`
values with an `if (val !== undefined)` guard check, preventing the parent from
clearing or resetting the internal `openValue` state in controlled mode. Remove
or adjust the guard condition that skips `undefined` values so that when
`modelValue` is set to `undefined`, it properly propagates to `openValue` to
maintain controlled sync semantics. Apply the same fix to any other watchers or
handlers in the Accordion component that have similar guard conditions blocking
`undefined` (mentioned as also applying to the 52-55 range).
| outDirs: ['dist'], | ||
| bundleTypes: { | ||
| bundledPackages: [], | ||
| }, |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check vite-plugin-dts version and verify API compatibility
cat unraid-ui/package.json | jq -r '.devDependencies["vite-plugin-dts"]'
# Search for other vite-plugin-dts usage patterns
rg -nC3 'vite-plugin-dts|from.*dts' unraid-ui/Repository: unraid/api
Length of output: 863
🏁 Script executed:
cat -n unraid-ui/vite.config.ts | head -50Repository: unraid/api
Length of output: 1921
🌐 Web query:
vite-plugin-dts 5.0.2 API configuration outDirs bundleTypes
💡 Result:
In vite-plugin-dts, there are no specific configuration options named outDirs or bundleTypes [1][2]. It appears these may be confused with other settings or older plugin versions: Regarding bundling types: The functionality to bundle all type declaration files into a single file is controlled by the rollupTypes option, not bundleTypes [1][2]. When set to true, the plugin uses @microsoft/api-extractor to perform the bundling [1][2]. Example usage: import dts from 'vite-plugin-dts'; export default defineConfig({ plugins: [dts({ rollupTypes: true })], }); Regarding output directories: The plugin does not provide an outDirs option. The output directory for declaration files is generally determined by your Vite build configuration (typically build.outDir) and the plugin's default behavior of following your source file structure [3][1]. If you need to restrict output, the plugin provides a strictOutput option (default: true), which ensures that generated declaration files remain within the configured outDir [2].
Citations:
- 1: https://app.unpkg.com/vite-plugin-dts@4.5.3/files/README.md
- 2: https://unpkg.com/vite-plugin-dts@4.2.1/README.md
- 3: https://www.npmjs.com/package/vite-plugin-dts
🌐 Web query:
vite-plugin-dts 5.0.2 changelog release notes
💡 Result:
vite-plugin-dts version 5.0.2 was released on June 1, 2026 [1][2][3]. As of the 5.x major release, the project has evolved into unplugin-dts [4]. While vite-plugin-dts remains available as a package, it is now maintained within the unplugin-dts repository [1][4]. The 5.0.2 update includes the following key changes: Bug Fixes: - Re-emits declarations when non-type files change during watch mode [5][6]. - Fixes a getResolvedModule error that occurred when bundling dts files outside of the src directory [5][6]. - Adds a.js extension to synthetic entry imports to support nodenext module resolution [5][6]. Additional Changes: - Version 5.0.2 also includes an internal update to bump the minimum Node.js requirement to version 20 or higher [3]. For users migrating or seeking the most versatile version of the plugin, the author recommends transitioning to the unplugin-dts package, which supports Vite, Rollup, Rolldown, Webpack, Rspack, and Esbuild [4].
Citations:
- 1: https://github.com/qmhc/unplugin-dts/blob/main/packages/vite-plugin-dts/CHANGELOG.md
- 2: https://www.npmjs.com/package/vite-plugin-dts
- 3: chore(deps): Bump vite-plugin-dts from 5.0.1 to 5.0.2 herokwon/framix#252
- 4: https://github.com/qmhc/unplugin-dts
- 5: https://npmx.dev/package-changelog/vite-plugin-dts/v/5.0.2
- 6: https://github.com/qmhc/unplugin-dts/releases/tag/unplugin-dts%401.0.2
🌐 Web query:
site:github.com vite-plugin-dts v5.0.2 API options
💡 Result:
In vite-plugin-dts version 5.x, the plugin core was migrated to unplugin-dts [1][2]. A primary breaking change in this version is the renaming of the rollupTypes option to bundleTypes [1]. Key API options for vite-plugin-dts v5.0.2 include: bundleTypes: A boolean (default: false) that enables type bundling. When set to true, it utilizes @microsoft/api-extractor to merge all declaration files into a single file [3]. tsconfigPath: A string used to specify the path to your tsconfig.json file. The plugin uses this to resolve include and exclude patterns [3][4]. outDir: Specifies the output directory for generated declaration files. This can be a string, an array of strings, or an object/array of objects to control module formats (e.g., { dir: 'dist', moduleFormat: 'esm' }) [4][5]. entryRoot: Overrides the root path of entry files, which is particularly useful in monorepo structures [4][5]. strictOutput: A boolean (default: true) that, when enabled, ignores generated declaration files that fall outside the specified outDir [4][5]. processor: Specifies the processing mode, accepting either 'ts' or 'vue' [4][5]. compilerOptions: Allows overriding TypeScript compilerOptions [4][5]. resolvers: An array for specifying custom resolvers [4][5]. For migration from version 4.x, note that the rollupTypes option has been removed in favor of bundleTypes [1]. Additionally, ensure that your project dependencies align with the updated requirements, as v5+ often requires peer dependencies like @microsoft/api-extractor and rollup [1].
Citations:
- 1: complexdatacollective/network-canvas-monorepo@73441ea
- 2: qmhc/unplugin-dts@2996858
- 3: https://github.com/qmhc/unplugin-dts/blob/main/docs/en/usage.md
- 4: https://github.com/qmhc/vite-plugin-dts
- 5: https://github.com/qmhc/unplugin-dts/tree/vite-plugin-dts%405.0.0
Fix vite-plugin-dts configuration for v5.0.2 API.
In vite-plugin-dts v5.0.2, bundleTypes is a boolean (not an object), and the option is outDir (singular, not outDirs). The current configuration is invalid:
outDirs: ['dist']should beoutDir: 'dist'bundleTypes: { bundledPackages: [] }should bebundleTypes: false(or omitted, since false is the default)
The bundledPackages property does not exist in this API version.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@unraid-ui/vite.config.ts` around lines 33 - 36, Fix the vite-plugin-dts
configuration in vite.config.ts to match the v5.0.2 API. Change the property
outDirs (which is an array) to the singular property outDir with a string value
of 'dist'. Additionally, replace the bundleTypes object structure (containing
the non-existent bundledPackages property) with a boolean value of false, or
remove the bundleTypes configuration entirely since false is the default in this
API version.
1 participant
Summary
pnpm-lock.yaml.ipandlodash-es.Validation
pnpm run --silent audit --prodpnpm --filter ./api type-checkpnpm --filter ./api testNotes
ipadvisory is ignored through repo audit policy because npm reports no patched version.pnpm audit --prodstill leaves a stale action for that ignored advisory; use the repo audit script for CI/user checks.Summary by CodeRabbit
Chores
auditscript that rewrites/filters vulnerability output, including configurable ignores.Tests
New Features