🧹 Resolve Security Vulnerabilities and Migrate Paraglide to v2 #25

Merged
MFA-X-AI merged 6 commits into main from fahreza/package-updates
Mar 5, 2026

@MFA-X-AI MFA-X-AI commented Feb 18, 2026

Noticed some security warnings in our package audit and realized they were tied to a few libraries that hadn't been updated in a while. Since one of the main culprits was actually deprecated, I attempted to clean up the stack. I also took the opportunity to fix a breaking issue in our CI pipeline related to pyAV dependency builds.

The stuff this PR did:

  • Cleaned up the audit: I cleared out the current warnings. Most were fixed with standard updates (Vite, Vitest), but I added two small overrides for ajv and cookie since those nested versions are currently stuck upstream.
  • Migrated Paraglide: The high-severity risks were coming from the old @inlang/paraglide-sveltekit. I updated it with the now recommended paraglide-js (v2).
  • Simplified the architecture: I was able to delete the old <ParaglideJS> layout wrapper and the i18n.ts file. It's now using the newer middleware and native SvelteKit reroute hooks.
  • Fixed CI Pipeline Dependency Builds: The GitHub Actions workflow was failing because the av package was attempting to compile from source against an incompatible version of FFmpeg in the ubuntu-latest runner. I added an apt-get install -y ffmpeg step to provide the base system media libraries, and added an av!=14.4.0 constraint to pyproject.toml. This forces uv to download a pre-compiled wheel instead, which bypasses the C-compiler entirely and turns the pipeline green.

The project is now passing pnpm audit and the test suite is running successfully.

@MFA-X-AI MFA-X-AI marked this pull request as ready for review February 19, 2026 05:44
const handleParaglide: Handle = i18n.handle();
export const handle: Handle = handleParaglide;

export const handle: Handle = async ({ event, resolve }) => {
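
Review bot: the new `handle` on the last line needs to pass the request through the Paraglide middleware named in the description, and nothing in the visible lines shows that it does. Since the `i18n.handle()` wiring above it is what used to do this, please confirm the async body wraps `resolve` in that middleware rather than calling `resolve(event)` directly. A one-line comment stating why the hook remains would also document the file's purpose.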

do we even need to have this hooks file now?

@@ -1,2 +1 @@
import { i18n } from '$lib/i18n';
export const reroute = i18n.reroute();
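
Review bot: the `import { i18n } from '$lib/i18n'` line must not survive, because the description says `i18n.ts` is deleted and the import would then fail to resolve. The header `@@ -1,2 +1 @@` leaves one line in this file, so check that the remaining `reroute` export no longer goes through `i18n`. Delete the file only if nothing relies on the reroute hook, which the description says is still in use.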

This file can probably be removed as well.

@MFA-X-AI MFA-X-AI merged commit f459081 into main Mar 5, 2026
2 checks passed
@MFA-X-AI MFA-X-AI deleted the fahreza/package-updates branch March 5, 2026 08:54