security(deps): fix 13 known vulnerabilities

[zrosenbauer]

Summary

• Upgrade liquidjs from ^10.25.5 to ^10.25.7 (fixes DoS via circular block reference — GHSA-4rc3-7j7w-m548)
• Upgrade vitest / @vitest/coverage-v8 from ^4.1.4 to ^4.1.5
• Add explicit vite@^7.3.2 dev dependency (fixes fs.deny bypass, arbitrary file read, path traversal — GHSA-v2wj-q39q-566r, GHSA-p9ff-h696-f583, GHSA-4w7w-66w2-5vf9)
• Add pnpm overrides for transitive vulnerabilities:
  • tar>=7.5.11 — 6 high-severity path traversal CVEs via c12 > giget > tar
  • postcss>=8.5.10 — XSS via unescaped </style> (GHSA-qx2v-qp2m-jg93)
  • liquidjs>=10.25.7 — override for published @kidd-cli/core consumed by @zpress
  • fast-xml-parser>=5.7.0 — XML injection via @zpress/ui > openapi-sampler (GHSA-gh4j-gqv2-49f6)
  • uuid>=14.0.0 — buffer bounds check via @zpress/ui > mermaid (GHSA-w5hq-g745-h8pq)

Before: 13 vulnerabilities (9 high, 4 moderate)
After: 0 vulnerabilities

Test plan

• pnpm audit reports 0 vulnerabilities
• pnpm check passes (typecheck + lint + format)
• pnpm test passes (1074 tests, 82 test files)

[changeset-bot]

🦋 Changeset detected

Latest commit: f4ff5ad

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@kidd-cli/cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
oss-kidd	Ignored	Preview	Apr 24, 2026 8:55pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b554ace2-f836-4834-a2f9-a98a5264dbd2

📥 Commits

Reviewing files that changed from the base of the PR and between ba4ad89 and 2e17b99.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

This pull request adds vite as a direct devDependency ("vite": "^8.0.10") in package.json and extends pnpm.overrides to pin versions for tar, vite, postcss, liquidjs, fast-xml-parser, and uuid. The workspace catalog entries in pnpm-workspace.yaml are bumped for @vitest/coverage-v8 (to ^4.1.5), liquidjs (to ^10.25.7), and vitest (to ^4.1.5).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore(deps): update all dependencies to latest versions #61: Updates or bumps liquidjs versions in workspace manifests (overlaps with liquidjs override here).
• chore(deps): upgrade all packages to latest #167: Contains overlapping version bumps for vitest and @vitest/coverage-v8 in workspace configuration.
• chore(deps): upgrade all dependencies #53: Broad dependency/version upgrades across package manifests similar to this change adding/pinning dev dependencies and overrides.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main objective: fixing 13 known vulnerabilities through security-focused dependency updates.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, detailing specific vulnerabilities fixed, version upgrades, and verification results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/security-vulnerabilities

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Around line 66-71: The overrides currently use open-ended ranges like "vite":
">=7.3.2", "tar": ">=7.5.11", "postcss": ">=8.5.10", "liquidjs": ">=10.25.7",
"fast-xml-parser": ">=5.7.0", "uuid": ">=14.0.0" which allows untested major
drifts; tighten each override to the specific vetted semver range matching the
lockfile (e.g., change "vite" to a bounded caret range matching the resolved
major like ^8.0.10 after you verify vite 8.0.10 is compatible with our configs,
and similarly replace the others with ^7.5.13, ^8.5.10, ^10.25.7, ^5.7.1,
^14.0.0 respectively) so future installs stay on known-good majors while
retaining minor/patch updates.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 62b86278-e6d9-47db-8143-b67ca185702d

📥 Commits

Reviewing files that changed from the base of the PR and between 5fc08d1 and ba4ad89.

⛔ Files ignored due to path filters (2)

• .changeset/fix-security-vulnerabilities.md is excluded by !.changeset/**
• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !pnpm-lock.yaml

📒 Files selected for processing (2)

• package.json
• pnpm-workspace.yaml