fix(deps): patch vite and unhead security advisories#52

Merged
muneebs merged 2 commits into main from fix/security-advisories-vite-unhead on Apr 21, 2026

Conversation


@muneebs muneebs commented Apr 21, 2026

Summary

  • Bump vite override ^6.4.1 → ^6.4.2 (resolves #70 high, #72 medium)
  • Bump unhead override >=2.1.11 → >=2.1.13 (resolves #71 medium; lockfile resolves to 3.0.4)

Advisories addressed

  • #70 (high) Vite arbitrary file read via dev server WebSocket (<=6.4.1)
  • #72 (medium) Vite path traversal in optimized deps .map handling (<=6.4.1)
  • #71 (medium) Unhead hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() (<2.1.13)

Test plan

  • pnpm build passes
  • pnpm test — 110 tests pass across core/express/nextjs/nuxt
  • Confirm Dependabot alerts auto-close on merge

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated build and development dependencies to address security advisories.

…ories

Addresses GitHub Dependabot alerts:
- #70 (high): Vite arbitrary file read via dev server WebSocket (<=6.4.1)
- #72 (medium): Vite path traversal in optimized deps .map handling (<=6.4.1)
- #71 (medium): Unhead hasDangerousProtocol() bypass via leading-zero padded
  HTML entities in useHeadSafe() (<2.1.13)

Updates pnpm overrides so transitive resolutions pick up patched versions.
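One check that complements the test plan above: confirm in pnpm-lock.yaml that every resolved copy of vite and unhead sits at or above the advisory floor, since an override only helps if it reaches every transitive copy. This is an added example, not code from the PR or the csrf-armor project; the lockfile text is constructed, and the pnpm v9 `packages:` key layout (`name@version:`) is an assumption.

```javascript
// Added example (not part of the PR): flag lockfile resolutions below the advisory floor.
// The lockfile below is constructed; integrity hashes are placeholders, and the pnpm v9
// `packages:` key layout (`name@version:`) is assumed.
const LOCKFILE = `lockfileVersion: '9.0'
overrides:
  vite: ^6.4.2
  unhead: '>=2.1.13'
packages:
  '@csrf-armor/core@1.0.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  unhead@3.0.4:
    resolution: {integrity: sha512-PLACEHOLDER}
  vite@6.4.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  vite@6.4.2:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Minimum fixed versions from the advisories this PR addresses.
const MINIMUMS = { vite: '6.4.2', unhead: '2.1.13' };

// Numeric dotted-version comparison; a pre-release suffix is ignored (floor check only).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every `name@version` key under `packages:`, up to the next top-level section.
// Splitting at the LAST '@' keeps scoped names such as @csrf-armor/core intact.
function resolvedPackages(lockText) {
  const afterHeader = lockText.split(/^packages:\s*$/m)[1] || '';
  const section = afterHeader.split(/^\S/m)[0];
  return [...section.matchAll(/^ {2}'?(\S+?)'?:\s*$/gm)].map((m) => {
    const key = m[1].replace(/\(.*$/, ''); // drop any peer-dependency suffix
    const at = key.lastIndexOf('@');
    return { name: key.slice(0, at), version: key.slice(at + 1) };
  });
}

// Returns "name@version" for each resolved copy that is still below its advisory floor.
function unpatched(lockText, minimums) {
  return resolvedPackages(lockText)
    .filter(({ name, version }) => name in minimums && compareVersions(version, minimums[name]) < 0)
    .map(({ name, version }) => `${name}@${version}`);
}

console.log(unpatched(LOCKFILE, MINIMUMS)); // → [ 'vite@6.4.1' ]
```

Run it against a real lockfile by swapping `LOCKFILE` for the file contents; an empty result means no resolved copy falls below the floor, while a lingering entry such as the constructed `vite@6.4.1` above shows an override that did not take effect.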

coderabbitai Bot commented Apr 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4729b462-e489-4f2e-ab7c-bd5de3b612ad

📥 Commits

Reviewing files that changed from the base of the PR and between 7d4adeb and 9b0f3ee.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • .changeset/security-vite-unhead.md
  • package.json

Walkthrough

This PR updates security-related dependency versions for the csrf-armor packages. A new Changeset entry documents version bumps for vite and unhead, with corresponding updates to pnpm.overrides in package.json. Four packages are marked for patch releases.

Changes

Cohort / File(s) Summary
Security Dependency Updates
.changeset/security-vite-unhead.md, package.json
Added changeset documenting security advisories for vite (^6.4.1 → ^6.4.2) and unhead (>=2.1.11 → >=2.1.13). Updated pnpm.overrides with matching version constraints. Patch release applied to @csrf-armor/core, @csrf-armor/express, @csrf-armor/nextjs, and @csrf-armor/nuxt.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop-skip-jump through the version tree,
Security patches, safe and spree!
Vite and unhead, now locked tight,
Our armor gleams in digital light! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title accurately and concisely summarizes the main change: patching security vulnerabilities in vite and unhead dependencies through version overrides.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.



socket-security Bot commented Apr 21, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | typescript@5.8.3 | 100 | 100 | 90 | 100 | 90


socket-security Bot commented Apr 21, 2026

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • unrouting@0.1.7
  • typescript@5.8.3


muneebs commented Apr 21, 2026

@SocketSecurity ignore npm/typescript@5.8.3
@SocketSecurity ignore npm/unrouting@0.1.7


muneebs commented Apr 21, 2026

@coderabbitai review


coderabbitai Bot commented Apr 21, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@muneebs muneebs merged commit 440e0af into main Apr 21, 2026
9 checks passed
@muneebs muneebs deleted the fix/security-advisories-vite-unhead branch April 21, 2026 22:52