Transitive via mermaid@11.14.0 — only consumer in this package — uses
uuid v4 (random IDs for diagrams), unaffected by the buffer-bounds bug
in v3/v5/v6, but Dependabot still flags any uuid <14.0.0. Pinned via
overrides so future mermaid bumps stay on the patched line.
Closes Dependabot #88.

vite-plugin-singlefile@2.0.2 declares a peer dependency on
vite ^5.4.11 || ^6.0.0, but socratiq/ pins vite ^8.0.10. npm refused
to resolve the dep tree, so 'npm ci' failed in the SocratiQ Bundle
Drift workflow on every PR that touched socratiq/package-lock.json
— including dependabot bumps for unrelated transitive packages
(see #1538 markdown-it, #1539 solid-js).
vite-plugin-singlefile@2.3.0+ supports vite 5/6/7/8, so a one-line
bump unblocks 'npm ci', which lets the bundle drift check actually
run again.
Also commits the regenerated production bundle and stylesheet to
satisfy the drift check itself.

The new bundle-drift CI guard caught a real inconsistency left over
from #1394: package.json declares "dompurify": "^3.4.0" (added as
part of the security-fix commits), but package-lock.json still
pinned dompurify@2.5.8. As a result:
- npm ci refused to install from the lock (exit code EUSAGE), which
broke both the drift guard and anyone running `npm ci` locally.
- The committed bundle.js was built against the old dompurify, so
the rendered book was silently serving the 2.5.x code instead of
the 3.4.x the package.json declared.
This commit runs `npm install` (lock: 2.5.8 -> 3.4.1) and `npm run
build:vite` to regenerate the bundle from sources that actually
match the declared dependency set. Vite reports 2976 modules
transformed, bundle size 6.6 MB unchanged.
The drift guard should now pass on this branch, validating that the
guard works end-to-end on its introduction PR.

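A minimal manifest-versus-lock drift check of the kind the guard above performs, as an added example that is not the repository's own workflow code; the sample manifest and lock are constructed, and caret-range semantics are implemented by hand rather than via the semver package.

```javascript
// Added example, not the repository's own drift guard: compare what package.json
// declares with what package-lock.json (lockfile v2/v3) pins and report mismatches
// like the ^3.4.0 vs 2.5.8 case above. Only caret ranges and exact versions are
// evaluated; any other range syntax is reported as "unchecked", never guessed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// true/false for a caret range or exact version; null when the syntax is unsupported.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range.startsWith('^')) {
    const lo = parseVersion(range.slice(1));
    if (!lo) return null;
    if (cmp(v, lo) < 0) return false;
    // Caret: the leftmost non-zero component of the lower bound must not change.
    if (lo[0] !== 0) return v[0] === lo[0];
    if (lo[1] !== 0) return v[0] === 0 && v[1] === lo[1];
    return cmp(v, lo) === 0;
  }
  const exact = /^\d/.test(range) ? parseVersion(range) : null;
  return exact ? cmp(v, exact) === 0 : null;
}

// One record per declared dependency that is absent from the lock, pinned outside
// its declared range ("drift"), or declared with a range this helper cannot check.
function findDrift(manifest, lock) {
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    const locked = entry ? entry.version : null;
    const ok = locked === null ? false : satisfies(range, locked);
    if (ok === true) continue;
    const status = locked === null ? 'missing' : ok === null ? 'unchecked' : 'drift';
    problems.push({ name, declared: range, locked, status });
  }
  return problems;
}

// Constructed sample inputs mirroring the situation described in the message above.
const SAMPLE_MANIFEST = { dependencies: { dompurify: '^3.4.0' },
  devDependencies: { vite: '^8.0.10', 'vite-plugin-singlefile': '^2.3.0' } };
const SAMPLE_LOCK = { packages: {
  'node_modules/dompurify': { version: '2.5.8' },
  'node_modules/vite': { version: '8.0.10' },
  'node_modules/vite-plugin-singlefile': { version: '2.3.0' } } };
```

Running `findDrift(SAMPLE_MANIFEST, SAMPLE_LOCK)` returns the single dompurify record with status `drift`; a CI guard would fail on any non-empty result.
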
The package had been carrying the legacy name "injectchat" inherited
from an earlier prototype. Rename to the scoped name matching the
rest of the mlsysbook ecosystem, add a real description, and mark the
package private so it cannot be accidentally published to npm.
No behavioural change — the package is consumed only via the prebuilt
bundle at book/quarto/tools/scripts/socratiQ/bundle.js; nothing in
the repository imports it by name.