Skip to content

fix(security): resolve 118 Dependabot alerts via major-bounded pnpm overrides#9375

Open
rllyy97 wants to merge 1 commit into
mainfrom
rllyy97-super-broccoli
Open

fix(security): resolve 118 Dependabot alerts via major-bounded pnpm overrides#9375
rllyy97 wants to merge 1 commit into
mainfrom
rllyy97-super-broccoli

Conversation

@rllyy97

@rllyy97 rllyy97 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

Triage finding: 0 of the 126 open alerts were already resolved. I cross-referenced every alert's vulnerable version range against the versions actually installed in pnpm-lock.yaml — all 126 had a vulnerable version present. So rather than just dismissing, this PR actually fixes 118 of them by extending the existing pnpm.overrides block, and documents the 8 that need manual follow-up.

What this PR does

Extends pnpm.overrides in package.json with major-bounded selectors (">=patched <nextMajor.0.0") that force patched, in-range versions of the affected transitive dependencies, then regenerates pnpm-lock.yaml.

  • Resolves 118 / 126 alerts9 critical, 45 high, 52 medium, 12 low (72 runtime, 46 dev)
  • No unintended major version bumps — every override is bounded to the consumer's current major (verified by diffing the package version-set before/after)
  • 🔒 Three deeply-nested transitive deps that pnpm range-selectors could not bind use scoped parent>child overrides instead:
    • @docusaurus/core>webpack-dev-server
    • webpack-bundle-analyzer>ws
    • prebuild-install>tar-fs
  • 🔒 @modelcontextprotocol/sdk>@hono/node-server is pinned to 1.19.14 to keep it within its ^1.19.9 constraint (an unbounded override was pulling in an invalid 2.x).

The original overrides and the exact version pins (redux/react/etc.) at the bottom of the block are untouched.

Remaining 8 alerts (not fixed here — need manual work or dismissal)

All require a cross-major bump of the direct consumer or have no published fix, so they're intentionally left out to avoid breaking changes in a security-hygiene PR:

Alert Package Sev Scope Why not auto-fixed
#228 elliptic low dev No published fix — dismiss-as-tolerable-risk candidate
#200 playwright high dev Bump @playwright/test devDep to ≥1.55.1
#463 js-cookie high runtime Direct consumer on 2.2.1; needs 3.x
#276 serialize-javascript high runtime Needs 7.x (cross-major from 6.0.2)
#465 serialize-javascript medium runtime Needs 7.0.5 (cross-major)
#373 fast-xml-parser medium runtime One consumer on 4.5.7 needs cross-major 5.7.0
#462 uuid medium runtime Consumers on 3/8/9.x need 11.x
#230 diff low runtime Consumer on 7.0.0 needs 8.0.3

#228 elliptic is the only genuine "not relevant / can't fix" alert — no fix exists, it's low-severity and dev-scoped, so it's the best candidate to formally dismiss.

Validation

  • pnpm install --lockfile-only applied cleanly; re-verified with a lockfile-vs-alert-range checker (118 resolved / 8 remaining).
  • biome check passes on package.json (repo-pinned biome 1.9.4).
  • ⚠️ I did not run the full monorepo build/test locally (long-running). Since all overrides are within-major, risk is low, but please let CI run a full pnpm install + build/test to validate before merge.

Files changed

  • package.json — new bounded + scoped entries in pnpm.overrides
  • pnpm-lock.yaml — regenerated

🤖 Generated with GitHub Copilot CLI.

…verrides

Triage of all 126 open Dependabot alerts found 0 already resolved -- every
alert had a vulnerable version present in pnpm-lock.yaml. This extends the
existing pnpm.overrides block to force patched, in-range versions for the
affected transitive dependencies.

Resolves 118/126 alerts (9 critical, 45 high, 52 medium, 12 low) with no
unintended major version bumps. Overrides are major-bounded
(">=patched <nextMajor.0.0") so consumers stay within their declared major.
Three deeply-nested transitive deps that range selectors could not bind
(webpack-dev-server, ws, tar-fs) use scoped parent>child overrides, and
@modelcontextprotocol/sdk>@hono/node-server is pinned to 1.19.14 to stay
within its ^1.19.9 constraint.

8 alerts remain -- all require a cross-major bump of the direct consumer or
have no published fix, so they are intentionally left for manual follow-up:
  #230 diff, #228 elliptic (no fix), #373 fast-xml-parser, #463 js-cookie,
  #200 playwright (@playwright/test devDep), #465 & #276 serialize-javascript,
  #462 uuid.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 7, 2026 20:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to remediate a large set of Dependabot security alerts in the monorepo by extending pnpm.overrides in the root package.json (using major-bounded selectors and a few scoped parent>child overrides) and regenerating pnpm-lock.yaml accordingly.

Changes:

  • Expanded pnpm.overrides with additional bounded and scoped overrides to force patched transitive dependency versions.
  • Regenerated pnpm-lock.yaml to reflect the updated override set.
  • Reformatted the lint-staged entry in package.json without changing its behavior.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Adds many new pnpm.overrides entries (plus a minor lint-staged formatting change) to force patched dependency versions.
pnpm-lock.yaml Regenerated lockfile reflecting the updated override set and resulting resolved versions.

Comment thread package.json
Comment on lines +185 to +187
"lodash-es@>=4.0.0 <4.18.0": ">=4.18.0 <5.0.0",
"path-to-regexp@>=0.0.0 <0.1.13": ">=0.1.13 <1.0.0",
"node-forge@>=1.0.0 <1.4.0": ">=1.4.0 <2.0.0",
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

📊 Coverage Check

No source files changed in this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants