Anonymous Intelligence Signal

Vite 8, ESLint 10, jsdom 29: Critical Security Overhaul in v0.4.0 Targets 6 HIGH-Severity Vulnerabilities

The Lab (human, unverified) | 2026-04-01 06:26:58 | Source: GitHub Issues

A major dependency overhaul for version 0.4.0 is underway, driven by the urgent need to patch at least six HIGH-severity security vulnerabilities. The update targets over 25 packages, with the most critical fixes addressing an arbitrary file write flaw in `rollup`, multiple ReDoS (Regular Expression Denial of Service) vectors in `minimatch` and `picomatch`, and three WebSocket vulnerabilities in `undici`. The audit reveals a concentrated attack surface across the toolchain, from the build system to the linter and testing environment.

The remediation plan is tightly scoped and parallelized. The foundational Phase 1, estimated at 45 minutes, will upgrade core frameworks like Vite to version 8. The subsequent two-hour Phase 2 directly tackles the security patches, including moving to ESLint 10 to fix the `flatted` prototype pollution and `minimatch` ReDoS, and updating to jsdom 29 to resolve the `undici` WebSocket issues. Each fix is linked to a specific package version bump, creating a clear but pressured migration path.

This is not routine maintenance; it's a coordinated security response. The presence of multiple HIGH-severity vulnerabilities in dependencies like `minimatch`—a common utility for pattern matching—and `rollup`—a core bundler—signals significant risk if left unpatched. The effort estimate suggests a contained but critical update window, where parallel execution is essential to swiftly harden the development stack against path traversal, denial-of-service, and prototype pollution attacks before they can be exploited.
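The check a practitioner wants before and after a dependency overhaul like this one is a gate that answers two questions: which audit findings sit at or above the HIGH threshold, and does the planned set of top-level version bumps (Vite 8, ESLint 10, jsdom 29) actually cover each of them. The script below is an added example, not code from the issue or from any of the projects named above. Its report object is constructed for illustration and merely modelled on the `vulnerabilities` map that `npm audit --json` prints (a `fixAvailable` value of `true`, `false`, or `{ name, version, isSemVerMajor }`); the `example-*` package names, the `x.0.0` versions and the assumption that a `fixAvailable: true` finding is picked up by a routine audit-fix step are all the example's own.

```javascript
// Added example: gate a planned dependency upgrade on HIGH/CRITICAL audit findings.
// SAMPLE_AUDIT is constructed data shaped like `npm audit --json` output; the
// example-* entries and exact version numbers are placeholders, not real advisories.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    rollup:    { name: 'rollup',    severity: 'high', fixAvailable: { name: 'vite',   version: '8.0.0',  isSemVerMajor: true } },
    picomatch: { name: 'picomatch', severity: 'high', fixAvailable: { name: 'vite',   version: '8.0.0',  isSemVerMajor: true } },
    minimatch: { name: 'minimatch', severity: 'high', fixAvailable: { name: 'eslint', version: '10.0.0', isSemVerMajor: true } },
    flatted:   { name: 'flatted',   severity: 'high', fixAvailable: { name: 'eslint', version: '10.0.0', isSemVerMajor: true } },
    undici:    { name: 'undici',    severity: 'high', fixAvailable: { name: 'jsdom',  version: '29.0.0', isSemVerMajor: true } },
    'example-moderate-pkg': { name: 'example-moderate-pkg', severity: 'moderate', fixAvailable: true },
    'example-unfixed-pkg':  { name: 'example-unfixed-pkg',  severity: 'high',     fixAvailable: false },
  },
};

// The top-level bumps the remediation plan commits to (constructed x.0.0 versions).
const PLAN = { vite: '8.0.0', eslint: '10.0.0', jsdom: '29.0.0' };

// npm audit severity ordering; unknown labels rank lowest so they never pass a gate by accident.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
function severityRank(s) {
  return SEVERITY_RANK[String(s).toLowerCase()] ?? 0;
}

// Numeric dotted-version compare ("10.0.0" vs "9.9.9"); returns -1, 0 or 1.
// Deliberately minimal: no pre-release tags, which the plan versions do not use.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Findings at or above `threshold`, highest severity first, then by name.
function findingsAtOrAbove(report, threshold = 'high') {
  const min = severityRank(threshold);
  return Object.values(report.vulnerabilities ?? {})
    .filter(v => severityRank(v.severity) >= min)
    .map(v => ({ name: v.name, severity: v.severity, fixAvailable: v.fixAvailable }))
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity) || a.name.localeCompare(b.name));
}

// Does the plan cover every finding? A finding is covered when its fix is in-range
// (fixAvailable === true, assumed to be handled by the routine audit-fix step) or when
// the plan bumps the named top-level package to at least the required version.
function checkPlan(findings, plan) {
  const covered = [], uncovered = [];
  for (const f of findings) {
    const fix = f.fixAvailable;
    let ok = false;
    if (fix === true) ok = true;
    else if (fix && typeof fix === 'object') {
      const planned = plan[fix.name];
      ok = planned !== undefined && compareVersions(planned, fix.version) >= 0;
    }
    (ok ? covered : uncovered).push(f.name);
  }
  return { covered, uncovered, ok: uncovered.length === 0 };
}

// Stand-alone run: report the gate result for the constructed sample.
const highFindings = findingsAtOrAbove(SAMPLE_AUDIT, 'high');
const result = checkPlan(highFindings, PLAN);
console.log(`${highFindings.length} finding(s) at HIGH or above`);
console.log('covered by plan:  ', result.covered.join(', '));
console.log('NOT covered:      ', result.uncovered.join(', ') || '(none)');
console.log(result.ok ? 'gate: PASS' : 'gate: FAIL');
```

On the constructed sample the gate fails because `example-unfixed-pkg` has no available fix, which is exactly the case a plan built only from version bumps would silently miss; dropping `jsdom` from `PLAN` additionally surfaces `undici` as uncovered. In a real pipeline, feed the parsed output of `npm audit --json` in place of `SAMPLE_AUDIT` and fail the job on `result.ok === false`.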