Skip to content

fix: resolve high severity dependabot vulnerabilities#2003

Open
gaspergrom wants to merge 1 commit into
mainfrom
fix/IN-1189-dependabot-high-severity-fixes
Open

fix: resolve high severity dependabot vulnerabilities#2003
gaspergrom wants to merge 1 commit into
mainfrom
fix/IN-1189-dependabot-high-severity-fixes

Conversation

@gaspergrom

Copy link
Copy Markdown
Collaborator

Summary

  • Fixes 21 transitive dependencies flagged by open high-severity Dependabot alerts, all verified safe by per-package break-risk analysis (usage audit, consumer semver-range check, changelog diff, reachability) before applying
  • Applied via capped-range overrides in pnpm-workspace.yaml (e.g. >=X.Y.Z <NEXT_MAJOR>) to avoid floating past an unintended major version, following the existing override convention in this file
  • No source files changed — only pnpm-lock.yaml (regenerated) and pnpm-workspace.yaml

Packages fixed (21)

@grpc/grpc-js, @hono/node-server, @isaacs/brace-expansion, hono, express-rate-limit, fast-uri, form-data, path-to-regexp (8.x line), node-forge, flatted, tar, preact, glob (10.x line), ws, immutable, js-cookie, happy-dom, defu, koa, svgo (3.x/4.x lines), picomatch (2.x/4.x lines), minimatch (3.x/5.x/10.x lines), rollup (2.x line)

h3 needed no change — both currently-locked resolutions already contain the relevant fixes.

Deferred (needs human decision, not included in this PR)

  • nuxt (4.2.2→4.4.7) — satisfies semver, no documented breaking changes, but large framework-wide jump; found a reachable <NuxtLink> pattern rendering external mention.url data that the target version hardens. Recommend a manual QA pass before merging separately.
  • fast-xml-parser (4.x line) — parent @aws-sdk/core@3.821.0 exact-pins 4.4.1, target violates the range.
  • minimatch (9.x line) — editorconfig@1.0.4 exact-pins 9.0.1, target violates the range.
  • serialize-javascript — major version bump (6→7) required; never auto-applied per policy.
  • storybook (8.4.7 instance) — parent @nuxtjs/storybook@8.3.3 exact-pins 8.4.7; needs an override plus manual verification of Storybook config across ~2 minor versions.
  • vite (5.4.21 instance) — vitepress@1.6.4 hard-pins vite@^5.4.14; no 5.x fix was ever published upstream.
  • rollup (4.x line) — 6-minor jump shares its resolution with Nuxt's actual production build; needs a pnpm build verification first.
  • lodash — no genuine dependency edge from frontend exists (pure pnpm-hoisting artifact of the out-of-scope crowd.dev submodule); the named target version is also an npm-deprecated "bad release."

Belongs in crowd.dev (submodule-origin, out of scope here)

axios (×4 pinned versions), jsonwebtoken@8.5.1, lodash.set, sequelize, validator, path-to-regexp@0.1.x (via dd-trace) — all pinned inside submodules/crowd.dev/services/libs/*.

Test plan

  • pnpm tsc-check — passes
  • pnpm lint — 0 errors (9 pre-existing warnings, unrelated)
  • pnpm test — 131/131 tests passed
  • pnpm build — production build succeeds
  • Runtime smoke test — dev server boots, homepage and /leaderboards render full content via Playwright; console errors present are traced to a local Postgres connection failure in this dev sandbox (pre-existing environment limitation), not to any package in this diff

https://claude.ai/code/session_01HagqdPSRjB1cCuekMPdHnW

…N-1189

Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
Copilot AI review requested due to automatic review settings July 9, 2026 15:03

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR resolves open high-severity Dependabot alerts by adding 26 capped-range overrides: entries to the root pnpm-workspace.yaml and regenerating the root pnpm-lock.yaml. Each override uses a >=X.Y.Z <NEXT_MAJOR form to pull in the security-patched version of a transitive (and one direct) dependency while preventing an unintended major-version jump, following the existing override convention already present in the file (form-data, protobufjs, simple-git, fast-xml-parser@5, etc.). No application source files are changed.

I verified:

  • All 26 override ranges are satisfied by the versions actually resolved in the lock file (e.g. hono → 4.12.28, ws → 8.21.0, koa → 2.16.4, minimatch@10 → 10.2.5).
  • The overrides: block in pnpm-workspace.yaml matches the overrides: block in pnpm-lock.yaml exactly, so --frozen-lockfile installs in CI will not fail.
  • Versions carry integrity hashes (real, published releases — no fabricated versions).
  • Line-scoped @N selectors correctly leave documented-as-deferred lines untouched (e.g. minimatch@9.0.1, rollup@4.53.0, fast-xml-parser@4.x).
  • happy-dom is the only direct dependency overridden, which is consistent with existing precedent (eslint-plugin-vue is also a direct dep with an override).

Changes:

  • Added 26 security-motivated version overrides (each annotated with its GHSA ID(s)) to pnpm-workspace.yaml.
  • Regenerated pnpm-lock.yaml to apply those overrides and deduplicate affected packages (e.g. consolidating ws@8.18.3/8.19.08.21.0, dropping now-unused @isaacs/brace-expansion, @trysound/sax).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
pnpm-workspace.yaml Adds 26 capped-range security overrides, each annotated with the GHSA advisory it addresses.
pnpm-lock.yaml Regenerated lockfile reflecting the overrides; bumps resolved versions and prunes deduplicated/removed transitive packages.

I found no concrete objective defects to flag as inline comments. A couple of low-impact observations (the @isaacs/brace-expansion override is now inert since minimatch@10.2.5 switched to brace-expansion@5; and the rollup@2 selector narrows some plugins' rollup peerDependency ranges to >=2.80.0 <3, producing warning-level peer mismatches with the rollup@4 production build) are harmless under the repo's default pnpm config (strict-peer-dependencies is off) and did not warrant comments.

That said, this change bumps a large number of transitive packages, several of which sit in the production build and runtime path (e.g. defu across many Nuxt packages, glob/picomatch/rollup in build tooling, hono, koa, happy-dom). Automated review can confirm the lockfile is internally consistent and the ranges resolve correctly, but it cannot fully validate the behavioral safety of every transitive bump — which is exactly what warrants the human QA the PR description already recommends for the deferred items.

Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants