fix(deps): update npm to v5 - - package.json (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@vitejs/plugin-react (source)	^4.7.0 -> ^5.1.0
chai (source)	^4.5.0 -> ^5.3.3
chai-http	^4.4.0 -> ^5.1.2
express (source)	^4.21.2 -> ^5.1.0
vite (source)	^4.5.14 -> ^5.4.21

---

Release Notes

vitejs/vite-plugin-react (@​vitejs/plugin-react)

v5.1.0

Compare Source

Add @vitejs/plugin-react/preamble virtual module for SSR HMR (#​890)

SSR applications can now initialize HMR runtime by importing @vitejs/plugin-react/preamble at the top of their client entry instead of manually calling transformIndexHtml. This simplifies SSR setup for applications that don't use the transformIndexHtml API.

Fix raw Rolldown support for Rolldown 1.0.0-beta.44+ (#​930)

Rolldown 1.0.0-beta.44+ removed the top-level jsx option in favor of transform.jsx. This plugin now uses the transform.jsx option to support Rolldown 1.0.0-beta.44+.

v5.0.4

Compare Source

Perf: use native refresh wrapper plugin in rolldown-vite (#​881)

v5.0.3

Compare Source

HMR did not work for components imported with queries with rolldown-vite (#​872)

Perf: simplify refresh wrapper generation (#​835)

v5.0.2

Compare Source

Skip transform hook completely in rolldown-vite in dev if possible (#​783)

v5.0.1

Compare Source

Set optimizeDeps.rollupOptions.transform.jsx instead of optimizeDeps.rollupOptions.jsx for rolldown-vite (#​735)

optimizeDeps.rollupOptions.jsx is going to be deprecated in favor of optimizeDeps.rollupOptions.transform.jsx.

Perf: skip babel-plugin-react-compiler if code has no "use memo" when { compilationMode: "annotation" } (#​734)

Respect tsconfig jsxImportSource (#​726)

Fix reactRefreshHost option on rolldown-vite (#​716)

Fix RefreshRuntime being injected twice for class components on rolldown-vite (#​708)

Skip babel-plugin-react-compiler on non client environment (689)

v5.0.0

Compare Source

chaijs/chai (chai)

v5.3.3

Compare Source

What's Changed

• fix: keep names in bundle by @​43081j in #​1702
• chore: support publishing v5 by @​43081j in #​1703
• chore: update npm tag name by @​43081j in #​1704

Full Changelog: chaijs/chai@v5.3.2...v5.3.3

v5.3.2

Compare Source

Reverts the removal of the bundled version of chai in 5.3.1

What's Changed

• Update core contributors by @​keithamus in #​1697
• feat: reintroduce bundle by @​43081j in #​1699

Full Changelog: chaijs/chai@v5.3.1...v5.3.2

v5.3.1

Compare Source

What's Changed

• chore: remove bundled chai by @​43081j in #​1694

Full Changelog: chaijs/chai@v5.3.0...v5.3.1

v5.3.0

Compare Source

What's Changed

• chore: change main to point at chai directly by @​43081j in #​1696

Full Changelog: chaijs/chai@v5.2.2...v5.3.0

v5.2.2

Compare Source

What's Changed

• chore: use files for publishing by @​43081j in #​1695

Full Changelog: chaijs/chai@v5.2.1...v5.2.2

v5.2.1

Compare Source

What's Changed

Mostly internal changes but @​SuperchupuDev realised the package.json engines field was out of date, so it has been updated to reflect that v5.0.0 onwards only supports Node >=18.

• build(deps): bump serialize-javascript and mocha by @​dependabot in #​1673
• build(deps-dev): bump esbuild from 0.19.10 to 0.25.0 by @​dependabot in #​1671
• Enable no-var rule and fix violations by @​koddsson in #​1675
• Convert Assertion function to a class by @​koddsson in #​1677
• More typing by @​koddsson in #​1679
• build(deps-dev): bump tar-fs from 3.0.6 to 3.0.8 by @​dependabot in #​1682
• build(deps-dev): bump tar-fs from 3.0.8 to 3.0.9 by @​dependabot in #​1688
• chore: fix lint errors and add lint to CI by @​43081j in #​1689
• docs: update minimum node version in readme by @​SuperchupuDev in #​1691
• chore: update minimum node version by @​SuperchupuDev in #​1692

New Contributors

• @​SuperchupuDev made their first contribution in #​1691

Full Changelog: chaijs/chai@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

• fix: ability to register more plugins inside a plugin by @​tpluscode in #​1639
• chore: bump playwright to fix CI by @​43081j in #​1663
• chore: introduce prettier and run it by @​43081j in #​1660
• chore: drop old CJS entrypoints by @​43081j in #​1662
• chore: enable eslint recommended config by @​43081j in #​1659
• Integrated chai-subset and added assert-based negation to containSubset by @​BreadInvasion in #​1664
• Add coverage check to tests by @​koddsson in #​1669
• fix floating point precision in closeTo assertion by @​koddsson in #​1667

New Contributors

• @​tpluscode made their first contribution in #​1639
• @​BreadInvasion made their first contribution in #​1664

Full Changelog: chaijs/chai@v5.1.2...v5.2.0

v5.1.2

Compare Source

What's Changed

• Fix secret name in publish action by @​koddsson in #​1614
• Publish npm packages with provenance by @​koddsson in #​1615
• build(deps-dev): bump braces from 3.0.2 to 3.0.3 by @​dependabot in #​1625
• chore: bump loupe and deep-eql by @​43081j in #​1635
• build(deps-dev): bump @​75lb/deep-merge from 1.1.1 to 1.1.2 by @​dependabot in #​1636
• build(deps): bump rollup from 4.9.1 to 4.22.4 by @​dependabot in #​1637
• chore: update deep dependencies by @​43081j in #​1641
• chore: upgrade loupe by @​43081j in #​1646
• Support big int in approximently by @​koddsson in #​1606

Full Changelog: chaijs/chai@v5.1.1...v5.1.2

v5.1.1

Compare Source

What's Changed

• Set up ESLint for JSDoc comments by @​koddsson in #​1605
• build(deps-dev): bump ip from 1.1.8 to 1.1.9 by @​dependabot in #​1608
• Correct Mocha import instructions by @​MattiSG in #​1611
• fix: support some virtual contexts in toThrow by @​43081j in #​1609

New Contributors

• @​MattiSG made their first contribution in #​1611

Full Changelog: chaijs/chai@v5.1.0...v5.1.1

v5.1.0

Compare Source

What's Changed

• Remove useless guards and add parentheses to constuctors by @​koddsson in #​1593
• Cleanup jsdoc comments by @​koddsson in #​1596
• Convert comments in "legal comments" format to jsdoc or normal comments by @​koddsson in #​1598
• Implement iterable assertion by @​koddsson in #​1592
• Assert interface fix by @​developer-bandi in #​1601
• Set support in same members by @​koddsson in #​1583
• Fix publish script by @​koddsson in #​1602

New Contributors

• @​developer-bandi made their first contribution in #​1601

Full Changelog: chaijs/chai@v5.0.3...v5.1.0

v5.0.3

Compare Source

Fix bad v5.0.2 publish.

Full Changelog: chaijs/chai@v5.0.2...v5.0.3

v5.0.2

Compare Source

What's Changed

• build(deps): bump nanoid and mocha by @​dependabot in #​1558
• remove bump-cli by @​koddsson in #​1559
• Update developer dependencies by @​koddsson in #​1560
• fix: removes ?? for node compat (5.x) by @​43081j in #​1576
• Update loupe to latest version by @​koddsson in #​1579
• Re-enable some webkit tests by @​koddsson in #​1580
• Remove a bunch of if statements in test/should.js by @​koddsson in #​1581
• Remove a bunch of unused files by @​koddsson in #​1582
• Fix 1564 by @​koddsson in #​1566

Full Changelog: chaijs/chai@v5.0.1...v5.0.2

v5.0.0

Compare Source

BREAKING CHANGES

• Chai now only supports EcmaScript Modules (ESM). This means your tests will need to either have import {...} from 'chai' or import('chai'). require('chai') will cause failures in nodejs. If you're using ESM and seeing failures, it may be due to a bundler or transpiler which is incorrectly converting import statements into require calls.
• Dropped support for Internet Explorer.
• Dropped support for NodeJS < 18.
• Minimum supported browsers are now Firefox 100, Safari 14.1, Chrome 100, Edge 100. Support for browsers prior to these versions is "best effort" (bug reports on older browsers will be assessed individually and may be marked as wontfix).

What's Changed

• feat: use chaijs/loupe for inspection by @​pcorpet in #​1401
• docs: fix URL in README by @​Izzur in #​1413
• Remove get-func-name dependency by @​koddsson in #​1416
• Convert Makefile script to npm scripts by @​koddsson in #​1424
• Clean up README badges by @​koddsson in #​1422
• fix: package.json - deprecation warning on exports field by @​stevenjoezhang in #​1400
• fix: deep-eql bump package to support symbols by @​snewcomer in #​1458
• ES module conversion PoC by @​43081j in #​1498
• chore: drop commonjs support by @​43081j in #​1503
• Update pathval by @​koddsson in #​1527
• Update check-error by @​koddsson in #​1528
• update deep-eql to latest version by @​koddsson in #​1542
• Inline type-detect as a simple function by @​koddsson in #​1544
• Update loupe by @​koddsson in #​1545
• Typo 'Test an object' not 'Test and object' by @​mavaddat in #​1460
• Update assertion-error to it's latest major version! by @​koddsson in #​1543
• Replacing Karma with Web Test Runner by @​koddsson in #​1546

New Contributors

• @​Izzur made their first contribution in #​1413
• @​stevenjoezhang made their first contribution in #​1400
• @​43081j made their first contribution in #​1498

Full Changelog: chaijs/chai@4.3.1...v5.0.0

chaijs/chai-http (chai-http)

v5.1.2

Compare Source

What's Changed

• fix some readme typos by @​torra in #​343
• fix: add superagent types as prod dependency by @​43081j in #​347
• chore: add renovate by @​43081j in #​349
• test: rework tests to node-only by @​43081j in #​350
• chore(deps): update dependency mocha to v11 by @​renovate in #​352
• chore(deps): update dependency @​types/chai to v5 by @​renovate in #​351
• chore(deps): update dependency npm-run-all2 to v7 by @​renovate in #​354
• fix(deps): update dependencies by @​renovate in #​356
• chore(deps): update dependencies by @​renovate in #​357
• chore(deps): update dependencies by @​renovate in #​358
• chore(deps): update dependencies by @​renovate in #​359
• chore(deps): update dependencies by @​renovate in #​360
• chore(deps): update dependencies by @​renovate in #​361
• chore(deps): update dependencies by @​renovate in #​362
• chore(deps): update dependencies to v9.25.0 by @​renovate in #​363
• chore(deps): update dependency eslint-plugin-mocha to v11 by @​renovate in #​364
• chore(deps): update dependencies to v9.25.1 by @​renovate in #​365
• fix(deps): update dependency superagent to v10 by @​renovate in #​355
• chore: run audit fix by @​43081j in #​367
• fix: use default export by @​43081j in #​368

New Contributors

• @​torra made their first contribution in #​343
• @​renovate made their first contribution in #​352

Full Changelog: chaijs/chai-http@5.1.1...5.1.2

v5.1.1

Compare Source

What's Changed

• fix: update docs and types to expose request by @​43081j in #​341

Full Changelog: chaijs/chai-http@5.1.0...5.1.1

v5.1.0

Compare Source

What's Changed

• fix(esm): main resolution extension required by @​TobiTenno in #​333
• docs: update wording on usage by @​43081j in #​339
• chore: use same import style as readme by @​43081j in #​340

New Contributors

• @​TobiTenno made their first contribution in #​333

Full Changelog: chaijs/chai-http@5.0.0...5.1.0

v5.0.0

Compare Source

What's Changed

• Readme Link Updates by @​Trickfilm400 in #​307
• Dependency Updates by @​Trickfilm400 in #​308
• Breaking: Set Node-Version to >=v16.20 by @​Trickfilm400 in #​309
• [TASK] Update to superagent^9 by @​thomashohn in #​317
• [TASK] Update low-hanging dependencies by @​thomashohn in #​321
• Fix: Pipeline push not working by @​Olrar in #​319
• [TASK] Updated npm-packages for releasing at raised node version to l… by @​thomashohn in #​323
• [TASK] Update build pipeline to use v4 of actions by @​thomashohn in #​325
• Fix #​326 - readme: add how to import chai 5 and use chaiHttp 4 by @​boly38 in #​327
• move to ESM (Chai 5) by @​Trickfilm400 in #​310
• feat: add prettier and eslint by @​Trickfilm400 in #​328
• feat: add publish workflows by @​43081j in #​329

New Contributors

• @​thomashohn made their first contribution in #​317
• @​Olrar made their first contribution in #​319
• @​boly38 made their first contribution in #​327
• @​43081j made their first contribution in #​329

Full Changelog: chaijs/chai-http@4.4.0...5.0.0

expressjs/express (express)

v5.1.0

Compare Source

========================

• Add support for Uint8Array in res.send()
• Add support for ETag option in res.sendFile()
• Add support for multiple links with the same rel in res.links()
• Add funding field to package.json
• perf: use loop for acceptParams
• refactor: prefix built-in node module imports
• deps: remove setprototypeof
• deps: remove safe-buffer
• deps: remove utils-merge
• deps: remove methods
• deps: remove depd
• deps: debug@^4.4.0
• deps: body-parser@^2.2.0
• deps: router@^2.2.0
• deps: content-type@^1.0.5
• deps: finalhandler@^2.1.0
• deps: qs@^6.14.0
• deps: [email protected]
• deps: [email protected]

v5.0.1

Compare Source

==========

• Update cookie semver lock to address CVE-2024-47764

v5.0.0

Compare Source

=========================

• remove:
  • path-is-absolute dependency - use path.isAbsolute instead
• breaking:
  • res.status() accepts only integers, and input must be greater than 99 and less than 1000
    • will throw a RangeError: Invalid status code: ${code}. Status code must be greater than 99 and less than 1000. for inputs outside this range
    • will throw a TypeError: Invalid status code: ${code}. Status code must be an integer. for non integer inputs
  • deps: send@​1.0.0
  • res.redirect('back') and res.location('back') is no longer a supported magic string, explicitly use req.get('Referrer') || '/'.
• change:
  • res.clearCookie will ignore user provided maxAge and expires options
• deps: cookie-signature@^1.2.1
• deps: debug@​4.3.6
• deps: merge-descriptors@^2.0.0
• deps: serve-static@^2.1.0
• deps: qs@​6.13.0
• deps: accepts@^2.0.0
• deps: mime-types@^3.0.0
  • application/javascript => text/javascript
• deps: type-is@^2.0.0
• deps: content-disposition@^1.0.0
• deps: finalhandler@^2.0.0
• deps: fresh@^2.0.0
• deps: body-parser@^2.0.1
• deps: send@^1.1.0

vitejs/vite (vite)

v5.4.21

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.20

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.19

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.18

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.17

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.16

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.15

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.14

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.13

Compare Source

Please refer to CHANGELOG.md for details.

v5.4.12

Compare Source

This version contains a breaking change due to security fixes. See GHSA-vg6x-rcgg-rjx6 for more details.

Please refer to CHANGELOG.md for details.

v5.4.11

Compare Source

Today, we're taking another big step in Vite's story. The Vite team, contributors, and ecosystem partners are excited to announce the release of the next Vite major:

• Vite 6.0 announcement blog post
• Docs
• Translations: 简体中文, 日本語, Español, Português, 한국어, Deutsch
• Migration Guide

We want to thank the more than 1K contributors to Vite Core and the maintainers and contributors of Vite plugins, integrations, tools, and translations that have helped us craft this new major. We invite you to get involved and help us improve Vite for the whole ecosystem. Learn more at our Contributing Guide.

⚠ BREAKING CHANGES

• drop node 21 support in version ranges (#​18729)
• deps: update dependency dotenv-expand to v12 (#​18697)
• resolve: allow removing conditions (#​18395)
• html: support more asset sources (#​11138)
• remove fs.cachedChecks option (#​18493)
• proxy bypass with WebSocket (#​18070)
• css: remove default import in ssr dev (#​17922)
• lib: use package name for css output file name (#​18488)
• update to chokidar v4 (#​18453)
• support file:// resolution (#​18422)
• deps: update postcss-load-config to v6 (#​15235)
• css: change default sass api to modern/modern-compiler (#​17937)
• css: load postcss config within workspace root only (#​18440)
• default build.cssMinify to 'esbuild' for SSR (#​15637)
• json: add json.stringify: 'auto' and make that the default (#​18303)
• bump minimal terser version to 5.16.0 (#​18209)
• deps: migrate fast-glob to tinyglobby (#​18243)

Features

• add support for .cur type (#​18680) (5ec9eed)
• drop node 21 support in version ranges (#​18729) (a384d8f)
• enable HMR by default on ModuleRunner side (#​18749) (4d2abc7)
• support module-sync condition when loading config if enabled (#​18650) (cf5028d)
• add isSsrTargetWebWorker flag to configEnvironment hook (#​18620) (3f5fab0)
• add ssr.resolve.mainFields option (#​18646) (a6f5f5b)
• expose default mainFields/conditions (#​18648) (c12c653)
• extended applyToEnvironment and perEnvironmentPlugin (#​18544) (8fa70cd)
• optimizer: allow users to specify their esbuild platform option (#​18611) (0924879)
• show error when accessing variables not exposed in CJS build (#​18649) (87c5502)
• asset: add ?inline and ?no-inline queries to control inlining (#​15454) (9162172)
• asset: inline svg in dev if within limit (#​18581) (f08b146)
• use a single transport for fetchModule and HMR support (#​18362) (78dc490)
• html: support more asset sources (#​11138) (8a7af50)
• resolve: allow removing conditions (#​18395) (d002e7d)
• html: support vite-ignore attribute to opt-out of processing (#​18494) (d951310)
• lib: use package name for css output file name (#​18488) (61cbf6f)
• log complete config in debug mode (#​18289) (04f6736)
• proxy bypass with WebSocket (#​18070) (3c9836d)
• support file:// resolution (#​18422) (6a7e313)
• update to chokidar v4 (#​18453) (192d555)
• allow custom console in createLogger (#​18379) (0c497d9)
• css: add more stricter typing of lightningcss (#​18460) (b9b925e)
• css: change default sass api to modern/modern-compiler (#​17937) (d4e0442)
• read sec-fetch-dest header to detect JS in transform (#​9981) (e51dc40)
• css: load postcss config within workspace root only (#​18440) (d23a493)
• json: add json.stringify: 'auto' and make that the default (#​18303) (b80daa7)
• add .git to deny list by default (#​18382) (105ca12)
• add environment::listen (#​18263) (4d5f51d)
• enable dependencies discovery and pre-bundling in ssr environments (#​18358) (9b21f69)
• restrict characters useable for environment name (#​18255) (9ab6180)
• support arbitrary module namespace identifier imports from cjs deps (#​18236) (4389a91)
• introduce RunnableDevEnvironment (#​18190) (fb292f2)
• support this.environment in options and onLog hook (#​18142) (7722c06)
• css: support es2023 build target for lightningcss (#​17998) (1a76300)
• Environment API (#​16471) (242f550)
• expose EnvironmentOptions type (#​18080) (35cf59c)

Bug Fixes

• createRunnableDevEnvironment returns RunnableDevEnvironment, not DevEnvironment (#​18673) (74221c3)
• getModulesByFile should return a serverModule (#​18715) (b80d5ec)
• catch error in full reload handler (#​18713) (a10e741)
• client: overlay not appearing when multiple vite clients were loaded (#​18647) (27d70b5)
• deps: update all non-major dependencies (#​18691) (f005461)
• deps: update dependency dotenv-expand to v12 (#​18697) (0c658de)
• display pre-transform error details (#​18764) (554f45f)
• exit code on SIGTERM (#​18741) (cc55e36)
• expose missing InterceptorOptions type (#​18766) (6252c60)
• html: fix inline proxy modules invalidation (#​18696) (8ab04b7)
• log error when send in module runner failed (#​18753) (ba821bb)
• module-runner: make evaluator optional (#​18672) (fd1283f)
• optimizer: detect npm / yarn / pnpm dependency changes correctly (#​17336) (#​18560) (818cf3e)
• optimizer: trigger onCrawlEnd after manual included deps are registered (#​18733) (dc60410)
• optimizer: workaround firefox's false warning for no sources source map (#​18665) (473424e)
• ssr: replace __vite_ssr_identity__ with (0, ...) and inject ; between statements (#​18748) (94546be)
• cjs build for perEnvironmentState et al (#​18656) (95c4b3c)
• html: externalize rollup.external scripts correctly (#​18618) (55461b4)
• include more modules to prefix-only module list (#​18667) (5a2103f)
• ssr: format ssrTransform parse error (#​18644) (d9be921)
• ssr: preserve fetchModule error details (#​18626) (866a433)
• browser field should not be included by default for consumer: 'server' (#​18575) (87b2347)
• client: detect ws close correctly (#​18548) (637d31b)
• resolve: run ensureVersionQuery for SSR (#​18591) (63207e5)
• use server.perEnvironmentStartEndDuringDev (#​18549) (fe30349)
• allow nested dependency selector to be used for optimizeDeps.include for SSR (#​18506) (826c81a)
• asset new URL(,import.meta.url) match (#​18194) (5286a90)
• close watcher if it's disabled (#​18521) (85bd0e9)
• config: write temporary vite config to node_modules (#​18509) ([72eaef5]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	983d957
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/68fb7af6f1c9230008196d27

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

package.json

Package	Version	License	Issue Type
chai-http	^5.1.2	Null	Unknown License

Allowed Licenses:

MIT, MIT-0, Apache-2.0, BSD-3-Clause, BSD-3-Clause-Clear, ISC, BSD-2-Clause, Unlicense, CC0-1.0, 0BSD, X11, MPL-2.0, MPL-1.0, MPL-1.1, MPL-2.0, OFL-1.1, Zlib

Excluded from license check:

pkg:npm/caniuse-lite

OpenSSF Scorecard

Package	Version	Score	Details
npm/@vitejs/plugin-react	^5.1.0	🟢 7.3	Details Check Score Reason Code-Review ⚠️ 1 Found 4/22 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 7 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 8 2 existing vulnerabilities detected
npm/chai	^5.3.3	🟢 5.5	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 22 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 7 Found 13/18 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/chai-http	^5.1.2	🟢 4.6	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/2 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected License ⚠️ 0 license file not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Vulnerabilities 🟢 6 4 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
npm/express	^5.1.0	🟢 8.8	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Code-Review 🟢 9 Found 18/19 approved changesets -- score normalized to 9 Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 15 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits License 🟢 10 license file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 117 contributing companies or organizations
npm/vite	^5.4.21	🟢 7.2	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 7 Found 18/23 approved changesets -- score normalized to 7 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 6 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 7 binaries present in source code License 🟢 10 license file detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST 🟢 4 SAST tool is not run on all commits -- score normalized to 4 Vulnerabilities 🟢 10 0 existing vulnerabilities detected

Scanned Files

• package.json

[06kellyjac]

Draft

Touches vite and chai so likely to be replaced by #1202