fix(security): resolve 118 Dependabot alerts via major-bounded pnpm overrides#9375
Open
rllyy97 wants to merge 1 commit into
Open
fix(security): resolve 118 Dependabot alerts via major-bounded pnpm overrides#9375rllyy97 wants to merge 1 commit into
rllyy97 wants to merge 1 commit into
Conversation
…verrides
Triage of all 126 open Dependabot alerts found 0 already resolved -- every
alert had a vulnerable version present in pnpm-lock.yaml. This extends the
existing pnpm.overrides block to force patched, in-range versions for the
affected transitive dependencies.
Resolves 118/126 alerts (9 critical, 45 high, 52 medium, 12 low) with no
unintended major version bumps. Overrides are major-bounded
(">=patched <nextMajor.0.0") so consumers stay within their declared major.
Three deeply-nested transitive deps that range selectors could not bind
(webpack-dev-server, ws, tar-fs) use scoped parent>child overrides, and
@modelcontextprotocol/sdk>@hono/node-server is pinned to 1.19.14 to stay
within its ^1.19.9 constraint.
8 alerts remain -- all require a cross-major bump of the direct consumer or
have no published fix, so they are intentionally left for manual follow-up:
#230 diff, #228 elliptic (no fix), #373 fast-xml-parser, #463 js-cookie,
#200 playwright (@playwright/test devDep), #465 & #276 serialize-javascript,
#462 uuid.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR aims to remediate a large set of Dependabot security alerts in the monorepo by extending pnpm.overrides in the root package.json (using major-bounded selectors and a few scoped parent>child overrides) and regenerating pnpm-lock.yaml accordingly.
Changes:
- Expanded
pnpm.overrideswith additional bounded and scoped overrides to force patched transitive dependency versions. - Regenerated
pnpm-lock.yamlto reflect the updated override set. - Reformatted the
lint-stagedentry inpackage.jsonwithout changing its behavior.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adds many new pnpm.overrides entries (plus a minor lint-staged formatting change) to force patched dependency versions. |
| pnpm-lock.yaml | Regenerated lockfile reflecting the updated override set and resulting resolved versions. |
Comment on lines
+185
to
+187
| "lodash-es@>=4.0.0 <4.18.0": ">=4.18.0 <5.0.0", | ||
| "path-to-regexp@>=0.0.0 <0.1.13": ">=0.1.13 <1.0.0", | ||
| "node-forge@>=1.0.0 <1.4.0": ">=1.4.0 <2.0.0", |
Contributor
📊 Coverage CheckNo source files changed in this PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Triage finding: 0 of the 126 open alerts were already resolved. I cross-referenced every alert's vulnerable version range against the versions actually installed in
pnpm-lock.yaml— all 126 had a vulnerable version present. So rather than just dismissing, this PR actually fixes 118 of them by extending the existingpnpm.overridesblock, and documents the 8 that need manual follow-up.What this PR does
Extends
pnpm.overridesinpackage.jsonwith major-bounded selectors (">=patched <nextMajor.0.0") that force patched, in-range versions of the affected transitive dependencies, then regeneratespnpm-lock.yaml.parent>childoverrides instead:@docusaurus/core>webpack-dev-serverwebpack-bundle-analyzer>wsprebuild-install>tar-fs@modelcontextprotocol/sdk>@hono/node-serveris pinned to1.19.14to keep it within its^1.19.9constraint (an unbounded override was pulling in an invalid2.x).The original overrides and the exact version pins (redux/react/etc.) at the bottom of the block are untouched.
Remaining 8 alerts (not fixed here — need manual work or dismissal)
All require a cross-major bump of the direct consumer or have no published fix, so they're intentionally left out to avoid breaking changes in a security-hygiene PR:
@playwright/testdevDep to ≥1.55.1#228 elliptic is the only genuine "not relevant / can't fix" alert — no fix exists, it's low-severity and dev-scoped, so it's the best candidate to formally dismiss.
Validation
pnpm install --lockfile-onlyapplied cleanly; re-verified with a lockfile-vs-alert-range checker (118 resolved / 8 remaining).biome checkpasses onpackage.json(repo-pinned biome 1.9.4).pnpm install+ build/test to validate before merge.Files changed
package.json— new bounded + scoped entries inpnpm.overridespnpm-lock.yaml— regenerated🤖 Generated with GitHub Copilot CLI.