This project is a static Astro blog deployed to GitHub Pages.
Last checked: 2026-07-06
Command:
npm auditCurrent known audit result:
- 8 vulnerabilities (1 low, 5 moderate, 2 high).
astro(high): XSS via unescaped spread props, Host header SSRF in prerendered error page fetch.esbuild0.27.3–0.28.0 (moderate): arbitrary file read on Windows dev server.js-yaml4.0.0–4.1.1 (moderate): quadratic-complexity DoS via merge key aliases.vite7.0.0–7.3.3 (high): NTLMv2 hash disclosure via UNC path,server.fs.denybypass on Windows.yamlchain (moderate): stack overflow via deeply nested YAML —@astrojs/language-server→volar-service-yaml→yaml-language-server→yaml.npm audit fixclaims to resolve all items without--force.
Decision:
astro,esbuild,js-yaml,viteissues are in the dev/build toolchain, not in generated static site runtime.- Re-run
npm audit fixafter verifying Astro version compatibility to check if safe to apply. - The
yamlchain continues to affect@astrojs/checkdev tooling only.
Run dependency audit after package updates:
npm audit
npm view @astrojs/check version dependencies --jsonIf npm audit fix can resolve the remaining items without --force, prefer applying it and then run:
npm run check
npm run build