JOB-148890 Dependabot alerts leaking across pnpm workspaces#29
Merged
timoteialbu merged 1 commit into master on Feb 17, 2026
Dependabot alerts are fetched at repository scope (all NPM alerts for the entire repo), but dependency graphs and ownership are resolved at workspace scope. This caused vulnerable packages from other workspaces to be injected into every workspace's results with no dependency graph and no ownership path, resulting in false `attention_needed` notifications. For example, `@grpc/grpc-js` (a dependency of a different workspace) was showing up as `attention_needed` in `packages/visualizations` even though it is not in that workspace's dependency tree at all. The fix adds a `filter_to_workspace_packages` step after the Dependabot pass that removes any packages not present in the workspace's known dependency tree (`all_libraries` from `pnpm list`). This is applied in both `get_versions_for_workspace` and `get_versions` code paths.

Co-authored-by: Cursor <cursoragent@cursor.com>
naarok approved these changes on Feb 17, 2026
## Summary

- `filter_to_workspace_packages` method that removes Dependabot-injected packages not present in the workspace's dependency tree (`all_libraries` from `pnpm list`)
- Applied in both `get_versions_for_workspace` (per-workspace path) and `get_versions` (legacy single-package path)

## Problem

When analyzing pnpm workspaces, the Dependabot API query (`github.rb`) fetches all NPM alerts for the entire repository. For a vulnerable package like `@grpc/grpc-js` that belongs to workspace X, the alert would also be injected into workspace Y's `parsed_results`. Since `@grpc/grpc-js` is not in workspace Y's dependency tree:

- No `LibNode` / dependency graph is created for it
- No ownership path is resolved (`nil`)
- It is reported as `attention_needed`

## Fix

After `add_dependabot_findings` runs, `filter_to_workspace_packages` compares `parsed_results` keys against `all_libraries` (the complete set of packages from `pnpm list --depth=Infinity` for that workspace). Any package not in `all_libraries` — meaning it was injected by Dependabot but doesn't exist in this workspace — is removed from `parsed_results` before the dependency graph and ownership passes run.

## Test plan

- Specs for `filter_to_workspace_packages` (`@grpc/grpc-js` removed, `parsed_results` otherwise unchanged)
- Spec run: `bundle exec rspec spec/pnpm_spec.rb`
- Run against `jobber-frontend` to verify `@grpc/grpc-js` no longer appears in `packages/visualizations` results
- `@grpc/grpc-js` still appears in whichever workspace actually depends on it
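The filtering step described in the Fix section, as an added stand-alone Ruby illustration (not the project's own code): a constructed `pnpm list --depth=Infinity --json` sample is walked to build `all_libraries`, and a repo-scoped Dependabot entry for a package outside the workspace is dropped from `parsed_results`. The JSON shape, the `parsed_results` layout and all package names here are assumptions for the example.

```ruby
require "json"
require "set"

# Constructed sample of `pnpm list --depth=Infinity --json` for one workspace.
# Shape assumed from pnpm's JSON output; versions and names are made up.
PNPM_LIST_JSON = <<~PNPM_JSON
  [{"name": "@example/visualizations",
    "dependencies": {
      "d3": {"version": "7.9.0", "dependencies": {"d3-array": {"version": "3.2.4"}}}
    },
    "devDependencies": {"vitest": {"version": "1.0.0"}}
  }]
PNPM_JSON

# Walk the nested pnpm tree and collect every package name at any depth.
def collect_libraries(deps, acc = Set.new)
  (deps || {}).each do |name, info|
    acc << name
    collect_libraries(info["dependencies"], acc)
  end
  acc
end

# all_libraries for the workspace: prod and dev trees, transitive included.
def all_libraries_from_pnpm(json)
  JSON.parse(json).each_with_object(Set.new) do |pkg, acc|
    collect_libraries(pkg["dependencies"], acc)
    collect_libraries(pkg["devDependencies"], acc)
  end
end

# Drop any parsed_results entry that is not in this workspace's dependency
# tree; such entries can only have arrived via the repo-scoped Dependabot pass.
# Returns the filtered hash plus the names that were removed (for logging).
def filter_to_workspace_packages(parsed_results, all_libraries)
  kept, dropped = parsed_results.partition { |name, _| all_libraries.include?(name) }
  [kept.to_h, dropped.map(&:first)]
end

# Constructed parsed_results after the Dependabot pass: the last entry was
# injected from an alert on a different workspace's dependency.
PARSED_RESULTS = {
  "d3"            => { version: "7.9.0", dependabot: false },
  "d3-array"      => { version: "3.2.4", dependabot: false },
  "@grpc/grpc-js" => { version: nil,     dependabot: true }
}.freeze

def demo
  filter_to_workspace_packages(PARSED_RESULTS, all_libraries_from_pnpm(PNPM_LIST_JSON))
end
```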
filter_to_workspace_packages:@grpc/grpc-js)parsed_resultsbundle exec rspec spec/pnpm_spec.rb)jobber-frontendto verify@grpc/grpc-jsno longer appears inpackages/visualizationsresults@grpc/grpc-jsstill appears in whichever workspace actually depends on itMade with Cursor