fix(cli,deps): clear esbuild audit loop

Upgrade the Vite/esbuild surfaces that kept web, ui-tui, and the bootstrap installer on vulnerable esbuild versions, regenerate the root lockfile, and preserve intentional package+lock dependency edits during update lockfile cleanup.
2026-06-17 09:41:58 +00:00 · 2026-06-15 05:55:58 -07:00 · 2026-06-15 05:55:58 -07:00 · 92a456f711
commit 92a456f711
parent 975b9f0a54
8 changed files with 3048 additions and 6628 deletions
--- a/apps/bootstrap-installer/package.json
+++ b/apps/bootstrap-installer/package.json
@ -16,7 +16,7 @@
  },
  "dependencies": {
    "@nous-research/ui": "0.16.0",
-    "@tailwindcss/vite": "^4.2.1",
+    "@tailwindcss/vite": "^4.2.4",
    "@tailwindcss/typography": "^0.5.19",
    "@tauri-apps/api": "^2.0.0",
    "@tauri-apps/plugin-dialog": "^2.0.0",
@ -40,8 +40,8 @@
    "@tauri-apps/cli": "^2.0.0",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.2.0",
+    "@vitejs/plugin-react": "^6.0.2",
    "typescript": "^6.0.3",
-    "vite": "^7.3.1"
+    "vite": "^8.0.16"
  }
 }
--- a/hermes_cli/main.py
+++ b/hermes_cli/main.py
@ -8270,10 +8270,16 @@ def _discard_lockfile_churn(git_cmd, repo_root):
        )
        if diff.returncode != 0:
            return
+        dirty_package_dirs = {
+            Path(line.strip()).parent
+            for line in diff.stdout.splitlines()
+            if line.strip().endswith("package.json")
+        }
        dirty = [
            line.strip()
            for line in diff.stdout.splitlines()
            if line.strip().endswith("package-lock.json")
+            and Path(line.strip()).parent not in dirty_package_dirs
        ]
        if not dirty:
            return
--- a/package-lock.json
+++ b/package-lock.json
--- a/scripts/release.py
+++ b/scripts/release.py
@ -85,6 +85,7 @@ AUTHOR_MAP = {
    "290859878+synapsesx@users.noreply.github.com": "synapsesx",
    "157689911+itsflownium@users.noreply.github.com": "itsflownium",
    "dirtyren@users.noreply.github.com": "dirtyren",
+    "237263164+ft-ioxcs@users.noreply.github.com": "ft-ioxcs",
    "tharushkadinujaya05@gmail.com": "0xneobyte",
    "138671361+Veritas-7@users.noreply.github.com": "Veritas-7",
    "keiron@onehanded.com": "kmccammon",
--- a/tests/hermes_cli/test_update_autostash.py
+++ b/tests/hermes_cli/test_update_autostash.py
@ -322,6 +322,63 @@ def test_stash_local_changes_if_needed_raises_when_stash_ref_missing(monkeypatch
        hermes_main._stash_local_changes_if_needed(["git"], Path(tmp_path))


+def test_discard_lockfile_churn_skips_lock_when_package_json_dirty(tmp_path):
+    """Intentional dependency edits update package.json and lockfile together."""
+    import shutil
+    import subprocess
+
+    if shutil.which("git") is None:
+        pytest.skip("git not available")
+
+    def git(*args):
+        return subprocess.run(
+            ["git", *args], cwd=tmp_path, capture_output=True, text=True, check=True
+        )
+
+    git("init", "-q")
+    git("config", "user.email", "t@example.com")
+    git("config", "user.name", "t")
+    (tmp_path / "package.json").write_text('{"dependencies":{"a":"1"}}\n')
+    (tmp_path / "package-lock.json").write_text('{"lock":"old"}\n')
+    git("add", "package.json", "package-lock.json")
+    git("commit", "-qm", "init")
+
+    (tmp_path / "package.json").write_text('{"dependencies":{"a":"2"}}\n')
+    (tmp_path / "package-lock.json").write_text('{"lock":"new"}\n')
+
+    hermes_main._discard_lockfile_churn(["git"], tmp_path)
+
+    assert (tmp_path / "package-lock.json").read_text() == '{"lock":"new"}\n'
+
+
+def test_discard_lockfile_churn_restores_lock_when_package_json_clean(tmp_path):
+    """Runtime npm lockfile rewrites are still discarded on managed updates."""
+    import shutil
+    import subprocess
+
+    if shutil.which("git") is None:
+        pytest.skip("git not available")
+
+    def git(*args):
+        return subprocess.run(
+            ["git", *args], cwd=tmp_path, capture_output=True, text=True, check=True
+        )
+
+    git("init", "-q")
+    git("config", "user.email", "t@example.com")
+    git("config", "user.name", "t")
+    (tmp_path / "package.json").write_text('{"dependencies":{"a":"1"}}\n')
+    (tmp_path / "package-lock.json").write_text('{"lock":"old"}\n')
+    git("add", "package.json", "package-lock.json")
+    git("commit", "-qm", "init")
+
+    (tmp_path / "package-lock.json").write_text('{"lock":"runtime-churn"}\n')
+
+    hermes_main._discard_lockfile_churn(["git"], tmp_path)
+
+    assert (tmp_path / "package-lock.json").read_text() == '{"lock":"old"}\n'
+
+
 # ---------------------------------------------------------------------------
 # Update uses .[all] with fallback to .
 # ---------------------------------------------------------------------------
--- a/ui-tui/package.json
+++ b/ui-tui/package.json
@ -31,7 +31,7 @@
    "@types/react": "^19.2.14",
    "@typescript-eslint/eslint-plugin": "^8",
    "@typescript-eslint/parser": "^8",
-    "esbuild": "~0.27.0",
+    "esbuild": "^0.28.1",
    "eslint": "^9",
    "eslint-plugin-perfectionist": "^5",
    "eslint-plugin-react": "^7",
@ -39,7 +39,7 @@
    "eslint-plugin-unused-imports": "^4",
    "globals": "^16",
    "prettier": "^3",
-    "tsx": "^4.19.0",
+    "tsx": "^4.22.4",
    "typescript": "^6.0.3",
    "vitest": "^4.1.3"
  }
--- a/ui-tui/packages/hermes-ink/package.json
+++ b/ui-tui/packages/hermes-ink/package.json
@ -49,6 +49,6 @@
    "wrap-ansi": "^9.0.0"
  },
  "devDependencies": {
-    "esbuild": "^0.25.0"
+    "esbuild": "^0.28.1"
  }
 }
--- a/web/package.json
+++ b/web/package.json
@ -40,7 +40,7 @@
    "@types/qrcode": "^1.5.6",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.2.0",
+    "@vitejs/plugin-react": "^6.0.2",
    "eslint": "^9.39.4",
    "eslint-plugin-react-hooks": "^7.0.1",
    "eslint-plugin-react-refresh": "^0.5.2",
@ -48,6 +48,6 @@
    "three": "^0.180.0",
    "typescript": "^6.0.3",
    "typescript-eslint": "^8.56.1",
-    "vite": "^7.3.1"
+    "vite": "^8.0.16"
  }
 }