
chore(deps): clear all open Dependabot security alerts #5429

Closed
leaanthony wants to merge 9 commits into master from deps/dependabot-cleanup


Conversation


@leaanthony leaanthony commented May 13, 2026


Summary

Sweeps all 449 open Dependabot alerts (3 critical, 91 high, 288 moderate, 67 low) on master by bumping vulnerable packages across Go modules, runtime npm packages, template scaffolds, examples, and the docs/website. All audits clean locally (go mod tidy, npm audit, pnpm audit all report 0 findings).

Commits (6, organised by area for review)

  1. 359824d Go deps: v2/go.mod, v3/go.mod, webview2/scripts/go.mod, plus every flagged go.mod in v2/examples/, v3/examples/, v3/tests/, v2/internal/staticanalysis/test/standard/. Bumps golang.org/x/{crypto,net,image}, github.com/go-git/go-git/v5, github.com/cloudflare/circl to patched versions. Also removes a stale replace github.com/wailsapp/wails/v2 => E:/releases/wails/v2 from v2/examples/dragdrop-test/go.mod that pointed at a Windows-only dev path.
  2. 91c5ce3 v2 + v3 runtime npm — clears the 3 critical alerts:
    • happy-dom ^7.6.0 → ^20.0.0 in v2/internal/frontend/runtime/ (GHSA-37j7-fg3j-429f VM context escape RCE)
    • happy-dom ^17.1.1 → ^20.0.0 in v3/internal/runtime/desktop/@wailsio/runtime/
    • form-data fixed transitively (was GHSA-fjxv-7rqg-78g4)
    • vitest, vite, typedoc, rimraf bumped on the v3 runtime side
    • npm overrides added for serialize-javascript ^7.0.5 and diff ^8.0.2 to break the promises-aplus-tests → mocha/sinon vuln chain
    • v2/internal/frontend/runtime/dev/: esbuild bumped, but svelte/esbuild-svelte kept at v3-compat so the embedded reconnect-overlay build output stays single-file (svelte 5 emits CSS separately, which would break //go:embed of the runtime bundle). The remaining svelte SSR-XSS advisories there are non-applicable (client-only runtime, no SSR, no contenteditable bind:innerText) and I'll dismiss them as not_used once this lands.
  3. 2c398da v2 templates — bumps vite ^3.0.7 → ^7.0.0 across all 12 v2/pkg/templates/templates/*/frontend/package.json. Framework bumps for scaffolds: react ^18 → ^19, vue ^3.2 → ^3.5 (+ plugin/tsc), svelte ^3 → ^5 (+ plugin-svelte ^1 → ^6, dropped now-unused svelte-preprocess), lit ^2 → ^3, preact-preset bumped, typescript ^4 → ^5.6 everywhere. These templates have no lockfile — wails init regenerates one in user projects on first build.
  4. 4a450d8 v2 + v3 example frontends: vite → ^7.0.0 across all 12 example frontends. Lockfiles regenerated. TS-typed examples bumped to typescript ^5.6.3. v3/examples/dev also bumped to svelte 5 + plugin-svelte 6.
  5. a8ed61e website: @crowdin/cli ^3 → ^4.14.2 (clears the tar chain), @crowdin/crowdin-api-client → ^1.55.1, prettier → ^3.4.0. Both npm and pnpm overrides for serialize-javascript ^7.0.5, tar ^7.5.11, axios ^1.15.2. Dropped package-lock.json and bun.lockb — the canonical package manager is pnpm per website/Taskfile.yml, and the parallel lockfiles were causing Dependabot to fire two alerts per advisory against one package.json.
  6. b428a79 remaining frontends: docs/ (astro ^6 → ^6.1.10 + overrides for fast-uri / fast-xml-builder / yaml), scripts/sponsors/ (refresh sponsorkit transitive defu), v3/internal/setupwizard/frontend/ (vite ^5.4 → ^7), v3/test/dnd-npm-runtime/frontend/ (vite ^5 → ^7).

Notable judgement calls

  • Templates were patched as scaffolds, not as locked deps. wails init copies the package.json into new user projects; bumping to current majors is appropriate. If you'd rather hold templates back at their current majors, those bumps are the 2c398da commit alone — easy to revert.
  • Removed replace E:/releases/wails/v2 from dragdrop-test/go.mod (developer leftover from a Windows release branch). Flag if this was intentional.
  • Website pnpm-only. Removing package-lock.json and bun.lockb matches what pnpm install in Taskfile.yml actually uses; if external tooling expects an npm lockfile, ping me and I'll restore it.
  • Build artifacts regenerated in v2/internal/frontend/runtime/ (ipc_websocket.js, runtime_*_desktop.js) by the bumped esbuild — small minifier-output diffs.

After merge

A handful of svelte SSR-XSS advisories will linger in v2/internal/frontend/runtime/dev/package-lock.json (GHSA-phwv-c562-gvmh and friends). They're non-applicable here — I'll dismiss them as not_used with a written reason once master is updated.

Test plan

  • go build ./... clean in v2/ and v3/
  • npm run build succeeds in v2/internal/frontend/runtime/ (regenerates the bundles in this PR)
  • npm run check (tsc --noEmit) in v3/internal/runtime/desktop/@wailsio/runtime/
  • pnpm build (docusaurus) in website/
  • npm run build (astro check + build) in docs/
  • Smoke test of at least one v2 template via wails init -t react
  • Confirm Dependabot alert count drops to 0 (or only non-applicable svelte SSR alerts) after merge

Summary by CodeRabbit

  • Chores

    • Updated build tools and dev dependencies across projects (Vite, TypeScript, framework toolchains, Astro) and added top‑level overrides to pin select transitive packages for stability.
    • Upgraded Go toolchain to 1.25.0 across examples and modules.
    • Modernized frontend templates (React → React 19, Svelte → Svelte 5, Lit → Lit 3, Vue/Preact updates).
  • Bug Fixes

    • Improved context‑menu and drag‑and‑drop behavior in the desktop runtime.
  • Documentation

    • Fixed MDX/markup and minor text issues in multiple localized installation guides.

Review Change Stack

- v2/go.mod, v3/go.mod, webview2/scripts/go.mod: bump
  golang.org/x/{crypto,net,image} and github.com/go-git/go-git/v5
  to patched versions (GHSA-*, dependabot alerts)
- v2/examples/*, v3/examples/*, v3/tests/*: bump transitive deps
- v2/examples/dragdrop-test/go.mod: remove stale `replace` directive
  pointing to Windows-only dev path E:/releases/wails/v2

v2/internal/frontend/runtime:
- happy-dom ^7.6.0 -> ^20.0.0 (CRITICAL: GHSA-37j7-fg3j-429f, VM context escape RCE)
- esbuild ^0.15.6 -> ^0.27.0
- svelte ^3.49.0 -> ^5.0.0 (test-env dev dep, not used for compile)
- vitest ^0.24.3 -> ^3.0.0
- regenerated package-lock.json + rebuilt bundles

v2/internal/frontend/runtime/dev:
- esbuild ^0.12.17 -> ^0.27.0
- esbuild-svelte and svelte kept at compile-compatible versions; remaining
  svelte SSR-XSS advisories are non-applicable (client-only reconnect overlay,
  no SSR, no contenteditable bindings) and will be dismissed as not_used.

v3/internal/runtime/desktop/@wailsio/runtime:
- happy-dom ^17.1.1 -> ^20.0.0 (CRITICAL: GHSA-37j7-fg3j-429f)
- vite ^5.2.0 -> ^7.0.0
- vitest ^3.0.6 -> ^3.2.0
- typedoc ^0.27.7 -> ^0.28.0
- rimraf ^5.0.5 -> ^6.0.1
- overrides for serialize-javascript (>=7.0.5) and diff (>=8.0.2) to break
  transitive vuln chain via promises-aplus-tests -> mocha/sinon

All 12 templates in v2/pkg/templates/templates/ had vite ^3.0.7 which is
flagged by ~8 Dependabot advisories (path traversal, server.fs.deny
bypasses). Bumped to vite ^7.0.0 across the board.

Framework bumps for templates that scaffold new projects:
- svelte ^3 -> ^5, @sveltejs/vite-plugin-svelte ^1 -> ^6,
  @tsconfig/svelte ^3 -> ^5, svelte-check ^2 -> ^4, dropped
  svelte-preprocess (no longer needed under svelte 5 + plugin-svelte 6)
- react ^18 -> ^19, @vitejs/plugin-react ^2 -> ^5
- vue ^3.2 -> ^3.5, @vitejs/plugin-vue ^3 -> ^6, vue-tsc ^1 -> ^2
- lit ^2 -> ^3
- preact ^10.10 -> ^10.24, @preact/preset-vite ^2.3 -> ^2.10
- typescript ^4 -> ^5.6 everywhere

All v2/examples/*/frontend and v3/examples/*/frontend bumped vite to ^7.0.0
to clear Dependabot path-traversal and server.fs.deny advisories.

Additional bumps for TS-typed examples:
- typescript ^4.9.3 -> ^5.6.3 (badge, badge-custom, dock, notifications)
- @sveltejs/vite-plugin-svelte ^2 -> ^6 and svelte ^3 -> ^5 (v3/examples/dev)

Lockfiles regenerated for all dirs that had package-lock.json.

- @crowdin/cli ^3.19.4 -> ^4.14.2 (clears tar < 7.5.11 advisory chain)
- @crowdin/crowdin-api-client ^1.33.1 -> ^1.55.1
- prettier ^2.8.7 -> ^3.4.0
- npm + pnpm overrides for serialize-javascript ^7.0.5, tar ^7.5.11,
  axios ^1.15.2 to break vulnerable transitive chains
- delete package-lock.json and bun.lockb; canonical package manager is pnpm
  per website/Taskfile.yml (`pnpm install`). Dropping the parallel lockfiles
  also stops Dependabot scanning two manifests against the same package.json
…izard, dnd-test)

- docs/: astro ^6.0.0 -> ^6.1.10 (Astro XSS via define:vars, GHSA-j687-52p2-xcff
  and server island param replay GHSA-xr5h-phrj-8vxv); add overrides for
  fast-uri ^3.1.2, fast-xml-builder ^1.1.7, yaml ^2.8.3 to clear transitive
  advisories via @astrojs/check -> yaml-language-server chain.
- scripts/sponsors/: refresh lockfile so sponsorkit picks up patched defu.
- v3/internal/setupwizard/frontend/: vite ^5.4.10 -> ^7.0.0.
- v3/test/dnd-npm-runtime/frontend/: vite ^5.0.0 -> ^7.0.0.
Copilot AI review requested due to automatic review settings May 13, 2026 10:29

coderabbitai Bot commented May 13, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 74a0fd67-1558-47e9-8979-63c6c4111e1e

📥 Commits

Reviewing files that changed from the base of the PR and between a6382e7 and 687018a.

⛔ Files ignored due to path filters (1)
  • v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • v3/internal/runtime/desktop/@wailsio/runtime/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • v3/internal/runtime/desktop/@wailsio/runtime/package.json

Walkthrough

Repo-wide modernization: Go toolchain pins and numerous indirect dependency bumps; frontend/tooling upgrades to Vite 7 and TS 5; template framework major upgrades; package override pins added; small runtime/context-menu refinements and localized MDX fixes.

Changes

Dependency and toolchain modernization

Layer / File(s) / Summary

Go module version and indirect dependencies
  Files: v2/go.mod, v3/go.mod, v2/internal/staticanalysis/test/standard/go.mod, webview2/scripts/go.mod, v2/examples/*/go.mod, v3/examples/*/go.mod
  Summary: Go directives updated to go 1.25.0 across many modules; numerous indirect golang.org/x/*, github.com/go-git/*, github.com/pjbgf/sha1cd, and other transitive dependencies bumped.

Frontend build tools and runtime upgrades across examples
  Files: v2/examples/*/frontend/package.json, v2/internal/frontend/runtime/*.package.json, v3/examples/*/frontend/package.json, v3/internal/*
  Summary: Vite upgraded across examples to ^7.0.0; esbuild, vitest, happy-dom, rimraf, typedoc and other dev tooling bumped; production runtime bundle regenerated with minor boolean-expression changes.

Template framework and library upgrades with toolchain
  Files: v2/pkg/templates/templates/*/frontend/package.json, v3/internal/runtime/desktop/@wailsio/runtime/package.json
  Summary: Templates updated to newer major framework versions (React 19.x, Svelte 5.x, Lit 3.x, Preact, Vue 3.5.x) and aligned toolchains (Vite ^7.0.0, TypeScript ^5.6.3, plugin updates).

Package override configuration for supply chain security
  Files: docs/package.json, website/package.json, v3/internal/runtime/desktop/@wailsio/runtime/package.json
  Summary: Added overrides and pnpm.overrides to pin transitive packages (fast-uri, fast-xml-builder, yaml, serialize-javascript, tar, axios, diff) for consistent resolution.

Runtime and context menu adjustments
  Files: v2/internal/frontend/runtime/runtime_prod_desktop.js, v2/internal/frontend/runtime/desktop/contextmenu.js
  Summary: Regenerated production runtime and scoped the context-menu default-case logic to contain selection/input checks and preventDefault().

Documentation MDX fixes and escape
  Files: docs/src/content/docs/*/quick-start/installation.mdx, docs/src/content/docs/zh-tw/index.mdx
  Summary: Fixed MDX closing tags/spacing across multiple localized installation pages and escaped a less-than sign in zh-tw index.

Documentation build dependency update
  Files: docs/package.json, website/package.json
  Summary: Bumped astro in docs to ^6.1.10 and updated website docs tooling; added package-level overrides for pinned transitive packages.

🎯 4 (Complex) | ⏱️ ~45 minutes

"🐰 I hopped through modules with delight,
Bumped Go and Vite into the night,
Pinned the packages, fixed docs' display,
Templates shine and runtimes play."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 1.16% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the main objective: clearing all open Dependabot security alerts through dependency updates across the project.
Description check | ✅ Passed | The PR description is comprehensive and well-organized with sections for Summary, Commits (6 detailed areas), Notable judgement calls, After merge notes, and Test plan—exceeding the template's basic requirements despite not following its exact checkbox format.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🧹 Nitpick comments (5)
docs/package.json (1)

31-34: ⚡ Quick win

Use exact override versions instead of caret ranges.

Lines 32-34 use ^ ranges, which allow version drift after lockfile refreshes. Pin exact versions for deterministic vulnerability remediation.

Proposed change
   "overrides": {
-    "fast-uri": "^3.1.2",
-    "fast-xml-builder": "^1.1.7",
-    "yaml": "^2.8.3"
+    "fast-uri": "3.1.2",
+    "fast-xml-builder": "1.1.7",
+    "yaml": "2.8.3"
   }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/package.json` around lines 31 - 34, The overrides object currently pins
dependencies using caret ranges ("fast-uri": "^3.1.2", "fast-xml-builder":
"^1.1.7", "yaml": "^2.8.3"); change each override to an exact version (remove
the leading ^ so values become "3.1.2", "1.1.7", "2.8.3") to ensure determinism.
Update the overrides entries for the keys fast-uri, fast-xml-builder, and yaml
in package.json accordingly and run your install/lockfile regeneration to
capture the pinned versions.
website/package.json (1)

47-51: ⚡ Quick win

Use exact versions in override entries for deterministic security resolutions.

Both the root-level overrides block (lines 47-51) and the pnpm.overrides block (lines 53-57) use caret ranges (^) for serialize-javascript, tar, and axios. For supply-chain remediation consistency, use exact versions without the ^ prefix.

Proposed change
   "overrides": {
-    "serialize-javascript": "^7.0.5",
-    "tar": "^7.5.11",
-    "axios": "^1.15.2"
+    "serialize-javascript": "7.0.5",
+    "tar": "7.5.11",
+    "axios": "1.15.2"
   },
   "pnpm": {
     "overrides": {
-      "serialize-javascript": "^7.0.5",
-      "tar": "^7.5.11",
-      "axios": "^1.15.2"
+      "serialize-javascript": "7.0.5",
+      "tar": "7.5.11",
+      "axios": "1.15.2"
     }
   }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/package.json` around lines 47 - 51, The overrides entries use caret
ranges which prevents deterministic resolutions; update the override keys in the
package.json "overrides" block and the "pnpm.overrides" block to pin exact
versions by removing the caret prefix for "serialize-javascript", "tar", and
"axios" (e.g., change "^7.0.5" to "7.0.5") so the resolver uses the fixed
versions; modify the values for the same keys in both overrides sections to the
exact version strings to ensure consistent supply-chain remediation.
v2/examples/customlayout/myfrontend/package.json (1)

11-11: Vite 7.0.0 is confirmed stable and production-ready. However, Vite 8.0.12 was released on May 11, 2026 and is the latest stable version. The current dependency ^7.0.0 pins to the 7.x release line. Consider updating to ^8.0.0 to benefit from the latest features and patches.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/examples/customlayout/myfrontend/package.json` at line 11, The
package.json currently pins the Vite dependency as "vite": "^7.0.0" which keeps
the project on the 7.x line; update that entry to use the current stable major
(e.g., "^8.0.0" or the exact latest "^8.0.12") to receive the newest features
and fixes, then run npm/yarn install and verify the app builds and dev server
(vite) still works; look for the "vite" dependency string in package.json to
change.
v2/pkg/templates/templates/lit-ts/frontend/package.json (1)

23-24: ⚡ Quick win

Add an engines.node floor for Vite 7 templates.

With vite upgraded to ^7.0.0, this and other scaffold manifests should declare a Node minimum to avoid opaque install/build failures. Vite 7 requires Node.js 20.19+ or 22.12+.

Suggested manifest change
 {
   "name": "frontend",
   "private": true,
   "version": "0.0.0",
   "type": "module",
+  "engines": {
+    "node": ">=20.19.0 || >=22.12.0"
+  },
   "main": "dist/my-element.es.js",
   ...
 }
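Review bot: the proposed range `"node": ">=20.19.0 || >=22.12.0"` collapses to plain `>=20.19.0`, since every version that satisfies the second clause already satisfies the first; that admits Node 21.x and 22.0 through 22.11, which the requirement stated just above (20.19+ or 22.12+) excludes. Write the floor as `"^20.19.0 || >=22.12.0"` (that is, `>=20.19.0 <21` or `>=22.12.0`) so the manifest enforces the same rule the comment describes.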
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/lit-ts/frontend/package.json` around lines 23 -
24, Add an engines.node field to the template's package.json to declare a
minimum Node version required for Vite 7 (e.g., ">=20.19.0" or ">=22.12.0");
update the manifest near the existing dependencies (references: the package.json
file, the "vite" dependency) so installers see the Node floor and avoid opaque
install/build failures when using Vite 7. Ensure the new engines key is a
top-level field in package.json alongside name/version and uses a
standards-compliant semver range (engines.node).
v2/pkg/templates/templates/vanilla-ts/frontend/package.json (1)

11-12: Review the impact of Node.js 20+ requirement and browser target changes from Vite 7 and TypeScript 5 upgrades.

The major version jumps are valid concerns. Verification confirms breaking changes exist but the versions are compatible with vanilla TypeScript templates. Key impacts:

  • Node.js version: Vite 7 requires Node.js 20.19+ or 22.12+ (drops Node 18 support). Ensure this requirement is documented and that CI/local development environments meet it.
  • Browser target defaults: Vite 7 changes build.target default from 'modules' (Chrome 87+, Safari 14+) to 'baseline-widely-available' (Chrome 107+, Safari 16+). Verify this assumption aligns with project requirements; older browser support needs explicit build.target config.
  • TypeScript 5 stricter checks: New defaults like --forceConsistentCasingInFileNames: true and stricter type validation (nullish checks, enum rules). Test that the template code and any generated code pass strict type checks without errors.

These are mostly environmental and default-behavior changes, not code incompatibilities. Vanilla TS templates avoid the deprecated features (Sass API, splitVendorChunk, SSR hooks). Recommend testing the template scaffolding with Node 20+ to ensure build and dev server work as expected, and review tsconfig.json defaults for TypeScript 5 compatibility.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/vanilla-ts/frontend/package.json` around lines 11
- 12, Update documentation and configs to reflect Vite 7 and TypeScript 5
impacts: note Node.js 20.19+/22.12+ requirement (add to README and CI engines),
ensure package.json entries "vite" and "typescript" are deliberate, and add an
explicit Vite build.target override (e.g., set build.target in vite.config.ts)
if older browser support is required; run the template scaffold build/dev server
under Node 20+ and fix any TypeScript 5 issues by adjusting tsconfig.json (e.g.,
check forceConsistentCasingInFileNames, strict/nullish checks) and the template
source until tsc passes in CI.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@v2/internal/frontend/runtime/runtime_prod_desktop.js`:
- Line 1: The switch in function j uses a default: branch that declares
block-scoped variables (e.g., let o and let s) which violates
noSwitchDeclarations; wrap the entire default: body in braces (default: { ... })
in the source runtime module where function j is defined, then
rebuild/regenerate the bundled file (runtime_prod_desktop) so the emitted bundle
no longer has let/const declarations directly under default.

In `@v2/pkg/templates/templates/vanilla/frontend/package.json`:
- Line 11: The template currently pins Vite to "^7.0.0" (package.json) but
doesn't reflect Vite 7 breaking changes: update the project docs and CI
configuration to require Node.js 20.19+ (or 22.12+), adjust the Vite config
(vite.config.*) to explicitly set build.target to the desired older browser
baseline if you must support pre-Vite7 browsers (e.g., set build.target instead
of relying on defaults), and review any Sass usage to ensure it uses the modern
compiler API (replace legacy Sass options if present); update example setup and
README to call out these requirements so new projects and CI enforce the correct
Node and build target.

In `@v2/pkg/templates/templates/vue-ts/frontend/package.json`:
- Around line 12-19: The template's devDependencies allow an incompatible
combination (vue-tsc "^2.1.0" vs typescript "^5.6.3"); update the dependency
version for "vue-tsc" to at least ^2.2.0 to pick up the fix for the tsc
entrypoint change, or alternatively constrain "typescript" to a safe range
(e.g., ^5.0.0 <5.7) so the resolver cannot install TS >=5.7; modify the
package.json devDependencies entries for "vue-tsc" and/or "typescript"
accordingly to ensure compatible ranges.

In `@v3/examples/dev/frontend/package.json`:
- Around line 12-14: The Counter.svelte component still declares reactive state
with the old pattern; update the component by replacing the plain JS variable
declaration `let count = 0` with Svelte 5 reactive state using `let count =
$state(0)` and keep the existing increment handler (e.g., `increment`) as-is so
`count += 1` updates correctly; ensure any other uses of `count` in the template
remain unchanged and import or enable the $state runtime if required by your
project setup.

In `@webview2/scripts/go.mod`:
- Line 3: The go.mod currently declares an invalid Go version ("go 1.25.0");
update the module's go directive to a valid stable release (e.g., change the
"go" directive to "go 1.26.3" or another project-compatible stable version) so
the build toolchain recognizes the version; modify the go directive in go.mod
(the line starting with "go") and run a quick `go env`/`go version` locally to
confirm compatibility.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b37a9de6-1004-46e0-be36-7c2a7fde2446

📥 Commits

Reviewing files that changed from the base of the PR and between 278bb28 and b428a79.

⛔ Files ignored due to path filters (34)
  • docs/package-lock.json is excluded by !**/package-lock.json
  • scripts/sponsors/package-lock.json is excluded by !**/package-lock.json
  • v2/examples/customlayout/go.sum is excluded by !**/*.sum
  • v2/examples/dragdrop-test/frontend/package-lock.json is excluded by !**/package-lock.json
  • v2/examples/dragdrop-test/go.sum is excluded by !**/*.sum
  • v2/go.sum is excluded by !**/*.sum
  • v2/internal/frontend/runtime/dev/package-lock.json is excluded by !**/package-lock.json
  • v2/internal/frontend/runtime/package-lock.json is excluded by !**/package-lock.json
  • v2/internal/staticanalysis/test/standard/go.sum is excluded by !**/*.sum
  • v3/examples/android/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/android/go.sum is excluded by !**/*.sum
  • v3/examples/custom-protocol-example/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/dev/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/dev/go.sum is excluded by !**/*.sum
  • v3/examples/dock/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/file-association/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/file-association/go.sum is excluded by !**/*.sum
  • v3/examples/gin-example/go.sum is excluded by !**/*.sum
  • v3/examples/gin-routing/go.sum is excluded by !**/*.sum
  • v3/examples/gin-service/go.sum is excluded by !**/*.sum
  • v3/examples/ios/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/examples/ios/go.sum is excluded by !**/*.sum
  • v3/examples/notifications/go.sum is excluded by !**/*.sum
  • v3/examples/print/go.sum is excluded by !**/*.sum
  • v3/examples/server/go.sum is excluded by !**/*.sum
  • v3/go.sum is excluded by !**/*.sum
  • v3/internal/runtime/desktop/@wailsio/runtime/package-lock.json is excluded by !**/package-lock.json
  • v3/internal/setupwizard/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/test/dnd-npm-runtime/frontend/package-lock.json is excluded by !**/package-lock.json
  • v3/tests/window-visibility-test/go.sum is excluded by !**/*.sum
  • website/bun.lockb is excluded by !**/bun.lockb
  • website/package-lock.json is excluded by !**/package-lock.json
  • website/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • webview2/scripts/go.sum is excluded by !**/*.sum
📒 Files selected for processing (51)
  • docs/package.json
  • v2/examples/customlayout/go.mod
  • v2/examples/customlayout/myfrontend/package.json
  • v2/examples/dragdrop-test/frontend/package.json
  • v2/examples/dragdrop-test/go.mod
  • v2/examples/panic-recovery-test/frontend/package.json
  • v2/go.mod
  • v2/internal/frontend/runtime/dev/package.json
  • v2/internal/frontend/runtime/ipc_websocket.js
  • v2/internal/frontend/runtime/package.json
  • v2/internal/frontend/runtime/runtime_debug_desktop.js
  • v2/internal/frontend/runtime/runtime_prod_desktop.js
  • v2/internal/staticanalysis/test/standard/go.mod
  • v2/pkg/templates/templates/lit-ts/frontend/package.json
  • v2/pkg/templates/templates/lit/frontend/package.json
  • v2/pkg/templates/templates/preact-ts/frontend/package.json
  • v2/pkg/templates/templates/preact/frontend/package.json
  • v2/pkg/templates/templates/react-ts/frontend/package.json
  • v2/pkg/templates/templates/react/frontend/package.json
  • v2/pkg/templates/templates/svelte-ts/frontend/package.json
  • v2/pkg/templates/templates/svelte/frontend/package.json
  • v2/pkg/templates/templates/vanilla-ts/frontend/package.json
  • v2/pkg/templates/templates/vanilla/frontend/package.json
  • v2/pkg/templates/templates/vue-ts/frontend/package.json
  • v2/pkg/templates/templates/vue/frontend/package.json
  • v3/examples/android/frontend/package.json
  • v3/examples/android/go.mod
  • v3/examples/badge-custom/frontend/package.json
  • v3/examples/badge/frontend/package.json
  • v3/examples/custom-protocol-example/frontend/package.json
  • v3/examples/dev/frontend/package.json
  • v3/examples/dev/go.mod
  • v3/examples/dock/frontend/package.json
  • v3/examples/file-association/frontend/package.json
  • v3/examples/file-association/go.mod
  • v3/examples/gin-example/go.mod
  • v3/examples/gin-routing/go.mod
  • v3/examples/gin-service/go.mod
  • v3/examples/ios/frontend/package.json
  • v3/examples/ios/go.mod
  • v3/examples/notifications/frontend/package.json
  • v3/examples/notifications/go.mod
  • v3/examples/print/go.mod
  • v3/examples/server/go.mod
  • v3/go.mod
  • v3/internal/runtime/desktop/@wailsio/runtime/package.json
  • v3/internal/setupwizard/frontend/package.json
  • v3/test/dnd-npm-runtime/frontend/package.json
  • v3/tests/window-visibility-test/go.mod
  • website/package.json
  • webview2/scripts/go.mod

Comment thread v2/pkg/templates/templates/vanilla/frontend/package.json
Comment on lines +12 to +19
"vue": "^3.5.0"
},
"devDependencies": {
"@vitejs/plugin-vue": "^3.0.3",
"typescript": "^4.6.4",
"vite": "^3.0.7",
"vue-tsc": "^1.8.27",
"@babel/types": "^7.18.10"
"@vitejs/plugin-vue": "^6.0.0",
"typescript": "^5.6.3",
"vite": "^7.0.0",
"vue-tsc": "^2.1.0",
"@babel/types": "^7.26.0"
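Review bot: the pairing of `"vue-tsc": "^2.1.0"` with `"typescript": "^5.6.3"` leaves both caret ranges to float independently, and because this is a template scaffold with no lockfile every `wails init` resolves them afresh, so any TypeScript 5.x release that vue-tsc 2.1.x cannot handle would reach end users on their first `npm install`; consider bumping vue-tsc or capping the TypeScript range so the two tools move together.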

@coderabbitai coderabbitai Bot May 13, 2026

Contributor

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Is @vitejs/plugin-vue version 6.0.0 compatible with Vue 3.5.0 and Vite 7.0.0?

💡 Result:

Yes—@vitejs/plugin-vue v6.0.0 is compatible with Vue 3.5.0 and Vite 7.0.0, based on the plugin’s published peer-dependency ranges.

1) Compatibility with Vite 7.0.0: The npm page for @vitejs/plugin-vue states its peer dependency for vite includes ^7.0.0 (along with ^5.0.0, ^6.0.0 and ^8.0.0), which covers Vite 7.0.0. [1]

2) Compatibility with Vue 3.5.0: The same npm page lists the plugin’s peer dependency for vue as ^3.2.25, which includes Vue 3.5.0 (any 3.x version >= 3.2.25 satisfies ^3.2.25). [1]

Caveat: peer dependency ranges do not guarantee zero-runtime issues for every combination, but from an install/declared compatibility standpoint, v6.0.0 covers both Vue 3.5.0 and Vite 7.0.0. [1]

🌐 Web query:

Is vue-tsc 2.1.0 compatible with TypeScript 5.6.3 and Vue 3.5.0?

💡 Result:

No, vue-tsc 2.1.0 is not compatible with TypeScript 5.6.3. Users reported crashes and errors when using vue-tsc 2.1.x (including 2.1.10) with TypeScript 5.7.x, due to changes in TypeScript's tsc entry point (from tsc.js to _tsc.js), which vue-tsc tried to patch but failed, causing "Search string not found" errors [1]. A fix was merged later in v2.2.0 for TS 5.7 support [2][3]. Since TS 5.6.3 is a prior minor version in the same major (5.x), and no sources confirm explicit support for 5.6 in 2.1.0, while issues arose with nearby 5.7, compatibility is unlikely without issues. Users had to downgrade to vue-tsc 2.0.29 + TS 5.6.2 [1].

Update vue-tsc to v2.2.0 or later; incompatible with TypeScript 5.6.3+.

@vitejs/plugin-vue v6.0.0 is compatible with Vue 3.5.0 and Vite 7.0.0 (✓), but vue-tsc 2.1.0 has a documented incompatibility with TypeScript 5.6.3 and higher. TypeScript 5.7+ changed the internal tsc entry point from tsc.js to _tsc.js, breaking vue-tsc 2.1.x's internal patches and causing "Search string not found" errors. A fix was merged in vue-tsc 2.2.0. Since the template specifies ^2.1.0 and ^5.6.3, the ranges can resolve to incompatible combinations. Upgrade to vue-tsc@^2.2.0 or constrain TypeScript to ^5.0.0 <5.7.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@v2/pkg/templates/templates/vue-ts/frontend/package.json` around lines 12 -
19, The template's devDependencies allow an incompatible combination (vue-tsc
"^2.1.0" vs typescript "^5.6.3"); update the dependency version for "vue-tsc" to
at least ^2.2.0 to pick up the fix for the tsc entrypoint change, or
alternatively constrain "typescript" to a safe range (e.g., ^5.0.0 <5.7) so the
resolver cannot install TS >=5.7; modify the package.json devDependencies
entries for "vue-tsc" and/or "typescript" accordingly to ensure compatible
ranges.

Member Author

Confirming: the web-search result in your own comment says "@vitejs/plugin-vue v6.0.0 is compatible with Vue 3.5.0 and Vite 7.0.0" — its peer-deps list vite ^5||^6||^7||^8. Combination is valid.

Contributor

🧩 Analysis chain

🌐 Web query:

vue-tsc 2.1.0 TypeScript 5.6 5.7 compatibility latest version 2025

💡 Result:

  • TypeScript 5.6: vue-tsc v2.x supports TS ≥5.0 (so TS 5.6 is generally OK), and TS 5.6 is a real release line. [5]

  • TypeScript 5.7: vue-tsc v2.1.x (e.g., 2.1.10) has a known failure with TS 5.7.x (Search string not found: "/supportedTSExtensions..."). This was reproducible already on TS 5.7 RC and later with TS 5.7.2. [1][2]

    • Common workaround reported: downgrade to vue-tsc@2.0.29 + typescript@5.6.2. [2]
  • Latest vue-tsc version (as of May 4, 2026): 3.2.8. [3][4]

Practical takeaway: if you need TS 5.7, don’t stay on vue-tsc@2.1.0/2.1.x—upgrade to the latest 3.x (currently 3.2.8). [1][3][4]

Sources: [1] GitHub issue (TS 5.7 RC triggers the error), [2] incident report showing vue-tsc@2.1.10 + typescript@5.7.2 failing and downgrade fix, [3] Snyk package page showing latest vue-tsc 3.2.8 and publish date, [4] Arch Linux commit referencing tag v3.2.8, [5] TypeScript 5.6 release notes.


@leaanthony, you're absolutely right about @vitejs/plugin-vue — my own web search confirmed that concern was not an issue, and I should not have framed it as critical.

However, the actionable concern in my comment is actually about vue-tsc, not plugin-vue. They're two separate issues:

  • The vue-tsc v2.1.x line has a known breakage with TypeScript 5.7+, triggered by the tsc.js → _tsc.js internal entry-point rename, causing "Search string not found" errors.
  • The latest vue-tsc as of May 2026 is 3.2.8.

The risk in the template is that "typescript": "^5.6.3" allows npm/pnpm to install TypeScript 5.7, 5.8, … when a user runs wails init and npm install. If that happens alongside "vue-tsc": "^2.1.0" (which stays on the 2.x track), the build step (vue-tsc --noEmit && vite build) will fail for the end user.

That said, since you own this codebase and know the intended usage, I'll defer to your judgment. If you'd like, I can log this as a follow-up issue to bump vue-tsc to ^3.2.0 (the current stable series) when you're ready.


Copilot AI left a comment

Contributor

Pull request overview

This PR performs a broad dependency refresh across Wails v2/v3 Go modules and multiple Node-based subprojects (runtimes, templates, examples, docs, website) to eliminate open Dependabot security alerts.

Changes:

  • Bumped vulnerable Go dependencies across core modules, examples, tests, and scripts (notably golang.org/x/*, go-git/*, sha1cd, etc.).
  • Updated JavaScript tooling and framework deps (notably Vite → ^7, Vitest upgrades, and added overrides to break vulnerable transitive chains).
  • Regenerated/updated several lockfiles and built JS artifacts to reflect the upgraded toolchains.

Reviewed changes

Copilot reviewed 48 out of 85 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
webview2/scripts/go.mod Updates Go version and golang.org/x/net for the webview2 updater scripts
webview2/scripts/go.sum Refreshes sums after golang.org/x/net bump
website/package.json Updates Crowdin CLI/client + Prettier; adds npm/pnpm overrides for vulnerable transitives
v3/tests/window-visibility-test/go.mod Updates Go version and several indirect Go deps used by the test module
v3/tests/window-visibility-test/go.sum Refreshes sums for updated indirect dependencies
v3/test/dnd-npm-runtime/frontend/package.json Bumps Vite to ^7 for the test frontend
v3/internal/setupwizard/frontend/package.json Bumps Vite to ^7 for the setup wizard frontend
v3/internal/runtime/desktop/@wailsio/runtime/package.json Updates runtime dev deps (happy-dom/vite/vitest/etc) and adds overrides
v3/go.mod Bumps core Go dependencies for v3 (go-git, x/*, etc)
v3/go.sum Refreshes sums for updated v3 module dependencies
v3/examples/server/go.mod Updates Go version and indirect dependency versions for the server example
v3/examples/server/go.sum Refreshes sums for the server example’s updated deps
v3/examples/print/go.mod Updates Go version and indirect dependency versions for the print example
v3/examples/print/go.sum Refreshes sums for the print example’s updated deps
v3/examples/notifications/go.mod Updates Go version and indirect dependency versions for the notifications example
v3/examples/notifications/go.sum Refreshes sums for the notifications example’s updated deps
v3/examples/notifications/frontend/package.json Bumps TypeScript and Vite for notifications example frontend
v3/examples/ios/go.mod Updates Go version and indirect dependency versions for the iOS example
v3/examples/ios/go.sum Refreshes sums for the iOS example’s updated deps
v3/examples/ios/frontend/package.json Bumps Vite for iOS example frontend
v3/examples/gin-service/go.mod Updates Go version and indirect dependency versions for gin-service example
v3/examples/gin-service/go.sum Refreshes sums for gin-service example’s updated deps
v3/examples/gin-routing/go.mod Updates Go version and indirect dependency versions for gin-routing example
v3/examples/gin-routing/go.sum Refreshes sums for gin-routing example’s updated deps
v3/examples/gin-example/go.mod Updates Go version and indirect dependency versions for gin example
v3/examples/gin-example/go.sum Refreshes sums for gin example’s updated deps
v3/examples/file-association/go.mod Updates Go version and indirect dependency versions for file-association example
v3/examples/file-association/go.sum Refreshes sums for file-association example’s updated deps
v3/examples/file-association/frontend/package.json Bumps Vite for file-association example frontend
v3/examples/dock/frontend/package.json Bumps TypeScript and Vite for dock example frontend
v3/examples/dev/go.mod Updates Go version and indirect dependency versions for dev example
v3/examples/dev/go.sum Refreshes sums for dev example’s updated deps
v3/examples/dev/frontend/package.json Updates Svelte + plugin + Vite for dev example frontend
v3/examples/custom-protocol-example/frontend/package.json Bumps Vite for custom-protocol example frontend
v3/examples/badge/frontend/package.json Bumps TypeScript and Vite for badge example frontend
v3/examples/badge-custom/frontend/package.json Bumps TypeScript and Vite for badge-custom example frontend
v3/examples/android/go.mod Updates Go version and indirect dependency versions for Android example
v3/examples/android/go.sum Refreshes sums for Android example’s updated deps
v3/examples/android/frontend/package.json Bumps Vite for Android example frontend
v2/pkg/templates/templates/vue/frontend/package.json Updates Vue template scaffold deps (Vue/Vite/plugin-vue)
v2/pkg/templates/templates/vue-ts/frontend/package.json Updates Vue+TS template scaffold deps (Vue/Vite/plugin-vue/TS/vue-tsc/etc)
v2/pkg/templates/templates/vanilla/frontend/package.json Updates vanilla template scaffold to Vite ^7
v2/pkg/templates/templates/vanilla-ts/frontend/package.json Updates vanilla+TS template scaffold to TS ^5.6 + Vite ^7
v2/pkg/templates/templates/svelte/frontend/package.json Updates Svelte template scaffold to Svelte 5 + plugin + Vite ^7
v2/pkg/templates/templates/svelte-ts/frontend/package.json Updates Svelte+TS scaffold deps (tsconfig/check/tslib/TS + Vite ^7)
v2/pkg/templates/templates/react/frontend/package.json Updates React template scaffold to React 19 + Vite plugin-react + Vite ^7
v2/pkg/templates/templates/react-ts/frontend/package.json Updates React+TS template scaffold to React 19 + TS ^5.6 + Vite ^7
v2/pkg/templates/templates/preact/frontend/package.json Updates Preact template scaffold deps (preact/preset-vite + Vite ^7)
v2/pkg/templates/templates/preact-ts/frontend/package.json Updates Preact+TS scaffold deps (TS ^5.6 + Vite ^7)
v2/pkg/templates/templates/lit/frontend/package.json Updates Lit template scaffold to Lit 3 + Vite ^7
v2/pkg/templates/templates/lit-ts/frontend/package.json Updates Lit+TS scaffold deps (TS ^5.6 + Vite ^7)
v2/internal/staticanalysis/test/standard/go.mod Updates Go version and indirect Go deps for staticanalysis test fixture
v2/internal/staticanalysis/test/standard/go.sum Refreshes sums for updated fixture dependencies
v2/internal/frontend/runtime/package.json Updates runtime build/test toolchain deps (esbuild/happy-dom/svelte/vitest)
v2/internal/frontend/runtime/dev/package.json Updates esbuild for runtime dev bundle build
v2/internal/frontend/runtime/runtime_prod_desktop.js Updates generated/minified runtime artifact after toolchain bumps
v2/go.mod Updates v2 module dependencies (go-git, testify, x/*, etc)
v2/examples/panic-recovery-test/frontend/package.json Bumps Vite for this example frontend
v2/examples/dragdrop-test/go.mod Updates Go version, updates indirect deps, removes stale local replace
v2/examples/dragdrop-test/go.sum Refreshes sums for updated example dependencies
v2/examples/dragdrop-test/frontend/package.json Bumps Vite for this example frontend
v2/examples/customlayout/myfrontend/package.json Bumps Vite for this example frontend
v2/examples/customlayout/go.mod Updates Go version and indirect deps for customlayout example module
v2/examples/customlayout/go.sum Refreshes sums for updated customlayout example dependencies
docs/package.json Bumps Astro and adds overrides to address vulnerable transitives
Files not reviewed (12)
  • docs/package-lock.json: Language not supported
  • scripts/sponsors/package-lock.json: Language not supported
  • v2/examples/dragdrop-test/frontend/package-lock.json: Language not supported
  • v2/internal/frontend/runtime/runtime_prod_desktop.js: Language not supported
  • v3/examples/android/frontend/package-lock.json: Language not supported
  • v3/examples/custom-protocol-example/frontend/package-lock.json: Language not supported
  • v3/examples/dev/frontend/package-lock.json: Language not supported
  • v3/examples/dock/frontend/package-lock.json: Language not supported
  • v3/examples/file-association/frontend/package-lock.json: Language not supported
  • v3/examples/ios/frontend/package-lock.json: Language not supported
  • v3/internal/setupwizard/frontend/package-lock.json: Language not supported
  • v3/test/dnd-npm-runtime/frontend/package-lock.json: Language not supported


Per CodeRabbit + Cloudflare Pages preview build:

- v2/internal/frontend/runtime/desktop/contextmenu.js: wrap `default:` clause
  body in a block so the `let` declarations don't trip the
  `noSwitchDeclarations` lint rule. Regenerated runtime_{debug,prod}_desktop.js.
- docs/src/content/docs/{de,fr,ja,ko,pt,ru,zh-tw}/quick-start/installation.mdx:
  the translations all lost a chunk between the Windows TabItem and the
  `#### Go version too old` heading. Close the open `<Tabs>` + `<Steps>`
  blocks and reinsert a localized `## Troubleshooting` h2 so the page
  parses under stricter MDX. The macOS/Linux npm install tabs and the
  `wails3 command not found` section are still missing in those locales -
  follow-up for the translation team.
- docs/src/content/docs/zh-tw/index.mdx: escape `<0.5` -> `&lt;0.5` so MDX
  doesn't interpret it as a JSX tag (the other translations already had it
  escaped).
… passes

The Run JS Tests CI uses `npm ci` (strict peer-dep resolution). With typedoc
bumped to ^0.28.0, the older plugin pins broke:
- typedoc-plugin-mdn-links ^4.0.13 -> ^5.1.1 (typedoc 0.27.x||0.28.x)
- typedoc-plugin-missing-exports ^3.1.0 -> ^4.1.3 (typedoc ^0.28.1)

Regenerated package-lock.json. `npm ci && npm audit` now clean without
needing --legacy-peer-deps.
@leaanthony leaanthony enabled auto-merge (squash) May 15, 2026 05:18
@leaanthony

Member Author

Superseded by a freshly-rebased PR — closing this one. Master diverged hard after Dependabot's batch PR #5443 merged (which fixed 337 of the 449 alerts here), and rebasing this 6-commit branch produced too many conflicts on package.json files that #5443 had also touched (different target versions for vite, happy-dom, svelte etc). Restarting from current master is cleaner. New PR coming up.

@leaanthony leaanthony closed this May 15, 2026
auto-merge was automatically disabled May 15, 2026 05:25

Pull request was closed

leaanthony added a commit that referenced this pull request May 15, 2026
* chore(deps): bump Go deps for v2, v3, and staticanalysis test module

Dependabot's npm-only batch (#5443) didn't touch Go modules. This bumps:
- v2/go.mod: go-git ^5.13 -> ^5.19, x/crypto ^0.33 -> ^0.51, x/net ^0.35 ->
  ^0.54, x/image ^0.12 -> ^0.40, cloudflare/circl ^1.3 -> ^1.6 (closes
  ~16 alerts on v2/go.mod)
- v3/go.mod: go-git, x/image transitive bumps (closes ~8 alerts)
- v2/internal/staticanalysis/test/standard/go.mod: x/crypto, x/net, x/image

* chore(deps): bump v2 template package.json deps

Templates are scaffolds (no lockfile - Dependabot batch only patches lock-
files, so these were left behind). Bumped:
- vite ^3.0.7 -> ^7.0.0 across 10 templates (clears the path-traversal +
  server.fs.deny advisory chain, ~80 alerts)
- react ^18 -> ^19 (+ @types, @vitejs/plugin-react ^2 -> ^5)
- vue ^3.2 -> ^3.5 (+ plugin ^3 -> ^6, vue-tsc ^1 -> ^2, @babel/types)
- preact-preset-vite + preact transitive bumps
- lit ^2 -> ^3
- typescript ^4 -> ^5.6 across all -ts templates

svelte / svelte-ts templates were already brought current by #5443; this
just adds the typescript bump there.

* fix(v2 runtime): wrap default switch in block + adapt dev build to svelte 5

- desktop/contextmenu.js: wrap the `default:` clause body in a block so
  `let` declarations stay scoped, satisfying Biome's noSwitchDeclarations
  (flagged by CodeRabbit on PR #5429).
- dev/build.js: switch to `compilerOptions: {css: "injected"}` so esbuild-
  svelte under svelte 5 inlines stylesheet output into the bundle. Without
  this, svelte 5 emits a sibling `ipc_websocket.css` that `//go:embed
  ipc_websocket.js` doesn't pick up - leaving the reconnect-overlay
  unstyled. (Latent break introduced by #5443's svelte 3 -> 5 bump.)
- Regenerated ipc_websocket.js, runtime_prod_desktop.js, runtime_debug_desktop.js.

* chore(deps): clear remaining stragglers

- v3/internal/runtime/desktop/@wailsio/runtime: add overrides for
  serialize-javascript ^7.0.5 and diff ^8.0.2 to break the transitive
  vuln chain via promises-aplus-tests -> mocha. Also bump typedoc to
  ^0.28 with compatible plugin versions (the lockfile under master was
  out-of-sync: typedoc 0.27 with typedoc-plugin-markdown 4.11 which
  peer-requires 0.28.x).
- scripts/sponsors: refresh lockfile so sponsorkit pulls patched defu.

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* ci: retrigger after artifact-retention flake on ubuntu v3 rerun

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
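The `default:` block-wrapping described in the commit message above, as an added example that is not Wails runtime code: it shows why a `let` declared directly inside a `switch` clause is hazardous (the binding is scoped to the whole `switch` body, so another clause can reach it while it is still uninitialised, which is what Biome's `noSwitchDeclarations` rule reports) and how wrapping the clause body in a block removes the hazard. The function names and sample inputs here are constructed for the illustration.

```javascript
// Added example, not code from the Wails runtime: demonstrates the `let`-in-switch
// hazard that Biome's noSwitchDeclarations rule reports, and the block-wrapped
// form the fix commit adopts.

// Before: `label` is declared in the `default:` clause, but `let` inside a switch
// is scoped to the *entire* switch body. The `case "text"` path can therefore see
// the binding while it is still in its temporal dead zone, so reading it throws
// a ReferenceError at run time instead of being rejected at lint time.
function describeUnblocked(kind) {
  switch (kind) {
    case "text":
      return `text:${label}`; // `label` is in scope here but not yet initialised
    default:
      let label = kind.toUpperCase();
      return `other:${label}`;
  }
}

// After: the clause body is wrapped in its own block, so `label` is visible only
// inside `default:`. The `case "text"` clause cannot reference it at all, turning
// the latent run-time error into an ordinary lint/compile-time failure.
function describeBlocked(kind) {
  switch (kind) {
    case "text":
      return "text:plain";
    default: {
      let label = kind.toUpperCase();
      return `other:${label}`;
    }
  }
}

// Runs `fn(arg)` and reports either its result or the name of the error it threw,
// so the two versions can be compared without aborting the script.
function outcome(fn, arg) {
  try {
    return fn(arg);
  } catch (err) {
    return err.constructor.name;
  }
}

// Constructed inputs for the comparison (hypothetical content kinds).
const comparison = {
  unblockedText: outcome(describeUnblocked, "text"),   // "ReferenceError"
  unblockedOther: outcome(describeUnblocked, "image"), // "other:IMAGE"
  blockedText: outcome(describeBlocked, "text"),       // "text:plain"
  blockedOther: outcome(describeBlocked, "image"),     // "other:IMAGE"
};
console.log(comparison);
```

The unblocked version only fails on the code path that never executes the declaration, which is exactly the kind of bug that survives a passing test run on the common path; the lint rule exists to make the scoping explicit before that happens.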