fix: resolve high severity dependabot vulnerabilities#2003
Conversation
…N-1189 Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR resolves open high-severity Dependabot alerts by adding 26 capped-range overrides: entries to the root pnpm-workspace.yaml and regenerating the root pnpm-lock.yaml. Each override uses a >=X.Y.Z <NEXT_MAJOR form to pull in the security-patched version of a transitive (and one direct) dependency while preventing an unintended major-version jump, following the existing override convention already present in the file (form-data, protobufjs, simple-git, fast-xml-parser@5, etc.). No application source files are changed.
I verified:
- All 26 override ranges are satisfied by the versions actually resolved in the lock file (e.g.
hono→ 4.12.28,ws→ 8.21.0,koa→ 2.16.4,minimatch@10→ 10.2.5). - The
overrides:block inpnpm-workspace.yamlmatches theoverrides:block inpnpm-lock.yamlexactly, so--frozen-lockfileinstalls in CI will not fail. - Versions carry integrity hashes (real, published releases — no fabricated versions).
- Line-scoped
@Nselectors correctly leave documented-as-deferred lines untouched (e.g.minimatch@9.0.1,rollup@4.53.0,fast-xml-parser@4.x). happy-domis the only direct dependency overridden, which is consistent with existing precedent (eslint-plugin-vueis also a direct dep with an override).
Changes:
- Added 26 security-motivated version overrides (each annotated with its GHSA ID(s)) to
pnpm-workspace.yaml. - Regenerated
pnpm-lock.yamlto apply those overrides and deduplicate affected packages (e.g. consolidatingws@8.18.3/8.19.0→8.21.0, dropping now-unused@isaacs/brace-expansion,@trysound/sax).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
pnpm-workspace.yaml |
Adds 26 capped-range security overrides, each annotated with the GHSA advisory it addresses. |
pnpm-lock.yaml |
Regenerated lockfile reflecting the overrides; bumps resolved versions and prunes deduplicated/removed transitive packages. |
I found no concrete objective defects to flag as inline comments. A couple of low-impact observations (the @isaacs/brace-expansion override is now inert since minimatch@10.2.5 switched to brace-expansion@5; and the rollup@2 selector narrows some plugins' rollup peerDependency ranges to >=2.80.0 <3, producing warning-level peer mismatches with the rollup@4 production build) are harmless under the repo's default pnpm config (strict-peer-dependencies is off) and did not warrant comments.
That said, this change bumps a large number of transitive packages, several of which sit in the production build and runtime path (e.g. defu across many Nuxt packages, glob/picomatch/rollup in build tooling, hono, koa, happy-dom). Automated review can confirm the lockfile is internally consistent and the ranges resolve correctly, but it cannot fully validate the behavioral safety of every transitive bump — which is exactly what warrants the human QA the PR description already recommends for the deferred items.
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
safeby per-package break-risk analysis (usage audit, consumer semver-range check, changelog diff, reachability) before applyingpnpm-workspace.yaml(e.g.>=X.Y.Z <NEXT_MAJOR>) to avoid floating past an unintended major version, following the existing override convention in this filepnpm-lock.yaml(regenerated) andpnpm-workspace.yamlPackages fixed (21)
@grpc/grpc-js, @hono/node-server, @isaacs/brace-expansion, hono, express-rate-limit, fast-uri, form-data, path-to-regexp (8.x line), node-forge, flatted, tar, preact, glob (10.x line), ws, immutable, js-cookie, happy-dom, defu, koa, svgo (3.x/4.x lines), picomatch (2.x/4.x lines), minimatch (3.x/5.x/10.x lines), rollup (2.x line)
h3needed no change — both currently-locked resolutions already contain the relevant fixes.Deferred (needs human decision, not included in this PR)
<NuxtLink>pattern rendering externalmention.urldata that the target version hardens. Recommend a manual QA pass before merging separately.@aws-sdk/core@3.821.0exact-pins4.4.1, target violates the range.editorconfig@1.0.4exact-pins9.0.1, target violates the range.@nuxtjs/storybook@8.3.3exact-pins8.4.7; needs an override plus manual verification of Storybook config across ~2 minor versions.vitepress@1.6.4hard-pinsvite@^5.4.14; no 5.x fix was ever published upstream.pnpm buildverification first.frontendexists (pure pnpm-hoisting artifact of the out-of-scope crowd.dev submodule); the named target version is also an npm-deprecated "bad release."Belongs in crowd.dev (submodule-origin, out of scope here)
axios (×4 pinned versions), jsonwebtoken@8.5.1, lodash.set, sequelize, validator, path-to-regexp@0.1.x (via dd-trace) — all pinned inside
submodules/crowd.dev/services/libs/*.Test plan
pnpm tsc-check— passespnpm lint— 0 errors (9 pre-existing warnings, unrelated)pnpm test— 131/131 tests passedpnpm build— production build succeeds/leaderboardsrender full content via Playwright; console errors present are traced to a local Postgres connection failure in this dev sandbox (pre-existing environment limitation), not to any package in this diffhttps://claude.ai/code/session_01HagqdPSRjB1cCuekMPdHnW