
fix(deps): patch 48 Dependabot transitive alerts via pnpm overrides#265

Merged: RyRy79261 merged 2 commits into main from fix/dependabot-transitive-deps on Jul 1, 2026

Conversation

RyRy79261 (Owner) commented Jul 1, 2026

Summary

Resolves 48 of the 50 open Dependabot alerts (all 14 high-severity, 26 medium, 8 low) by bumping vulnerable transitive dependencies to their first patched release via pnpm-workspace.yaml overrides — extending the existing Phase 23 pattern. The remaining 2 are handled explicitly (see below).

Alerts auto-close once this lands on main (Dependabot evaluates the default branch).

Fixed (14 packages → 48 alerts)

  package          vulnerable         patched           advisories
  @babel/core      ≤7.29.0            7.29.7            GHSA-4x5r-pxfx-6jf8
  brace-expansion  5.0.0–5.0.5        5.0.6             GHSA-jxxr-4gwj-5jf2
  defu             ≤6.1.4             6.1.7             GHSA-737v-mqg7-c878
  dompurify        <3.4.11            3.4.11            11 advisories
  esbuild          ≤0.24.2, 0.27.x    0.25.12 / 0.28.1  GHSA-67mh-4wv8-2f99, -g7r4-m6w7-qqqr
  fast-uri         ≤3.1.1             3.1.3             GHSA-v39h-62p7-jpjc, -q3j6-qgpj-74h6
  hono             <4.12.25           4.12.27           5 advisories (consolidates old pins)
  lodash           <4.18.0            4.18.1            GHSA-r5fr-rjxr-66jc, -f23m-r3pf-42rh
  postcss          <8.5.10            8.5.15            GHSA-qx2v-qp2m-jg93
  qs               6.11.1–6.15.1      6.15.3            GHSA-q8mj-m7cp-5q26
  tar              ≤7.5.15            7.5.19            GHSA-vmf3-w455-68vh
  ua-parser-js     2.0.1–2.0.9        2.0.10            GHSA-9h5v-pfqq-x599
  undici           7.x / 8.x          7.28.0 / 8.5.0    8 advisories (split per major)
  vite             <7.3.5             7.3.6             5 advisories

Not auto-fixed (2 alerts) — need attention

  • dompurify GHSA-x4vx-rjvf-j5p4 (#75, low): no upstream fix exists (3.4.11 is the latest release and doesn't resolve it). Suppressed via auditConfig.ignoreCves with a remove-when-fixed note.
  • better-auth GHSA-wxw3-q3m9-c3jr (#55, medium): deferred, needs a decision. The only fix is 1.6.2, but @neondatabase/auth@0.4.1-beta declares an exact better-auth@1.4.18 dependency, and the existing ~1.4.18 pin was added deliberately to hold that line. Forcing 1.6.2 risks breaking the app's auth. Recommended: wait for a @neondatabase/auth release on the 1.6.x line, then bump in lockstep. (Left as an inline NOTE in pnpm-workspace.yaml.)

Implementation notes

  • Override replacement ranges are upper-bounded (e.g. undici 7.x stays <8, fast-uri stays <4) so a vulnerable copy can't silently cross a major — an unbounded value initially let fast-uri jump to 4.x and the undici 7.x consumer jump to 8.x.
  • vite added as an explicit apps/web devDependency (^7.3.6): pnpm won't re-resolve it through an override alone because it's resolved purely as a peer of vitest/vite-tsconfig-paths (--force/dedupe didn't move it). This is also required because auditConfig.ignoreCves doesn't dismiss Dependabot alerts — only a lockfile bump does.

Verification (Node 22.23)

pnpm build · ✅ typecheck (6/6) · ✅ lint (0 errors) · ✅ 2066/2066 unit tests · ✅ drizzle-kit db:generate
✅ No production-dependency drift vs main; no new packages entered the tree; all vulnerable-version sentinels clear.

Note: the tree already required Node >=22.19.0 (via undici); local install needs a matching Node. CI's node-version: '22' satisfies this. The root engines.node: ">=22" is looser than reality but left unchanged here.

https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg

Summary by CodeRabbit

  • Chores
    • Updated the web app’s development toolchain.
    • Expanded dependency version constraints to include additional package updates and compatibility bounds.
    • Added a security exception entry and refined existing dependency rules for more consistent builds.

Bump 14 vulnerable transitive packages to their first patched release
through pnpm-workspace.yaml overrides (ranged, capped within-major),
resolving 48 of 50 open Dependabot alerts (all 14 high, 26 medium, 8 low):

  @babel/core   <=7.29.0         -> 7.29.7      GHSA-4x5r-pxfx-6jf8
  brace-expansion 5.0.0-5.0.5    -> 5.0.6       GHSA-jxxr-4gwj-5jf2
  defu          <=6.1.4          -> 6.1.7       GHSA-737v-mqg7-c878
  dompurify     <3.4.11          -> 3.4.11      (11 advisories)
  esbuild       <=0.24.2,0.27.x  -> 0.25/0.28   GHSA-67mh-4wv8-2f99, -g7r4-m6w7-qqqr
  fast-uri      <=3.1.1          -> 3.1.3       GHSA-v39h-62p7-jpjc, -q3j6-qgpj-74h6
  hono          <4.12.25         -> 4.12.27     (5 advisories; consolidates old pins)
  lodash        <4.18.0          -> 4.18.1      GHSA-r5fr-rjxr-66jc, -f23m-r3pf-42rh
  postcss       <8.5.10          -> 8.5.15      GHSA-qx2v-qp2m-jg93
  qs            6.11.1-6.15.1    -> 6.15.3      GHSA-q8mj-m7cp-5q26
  tar           <=7.5.15         -> 7.5.19      GHSA-vmf3-w455-68vh
  ua-parser-js  2.0.1-2.0.9      -> 2.0.10      GHSA-9h5v-pfqq-x599
  undici        7.x / 8.x        -> 7.28.0/8.5.0 (8 advisories, split per major)
  vite          <7.3.5           -> 7.3.6       (5 advisories)

Notes:
- Override replacement ranges are upper-bounded (e.g. undici 7.x stays <8,
  fast-uri stays <4) so a vulnerable copy cannot silently cross a major.
- vite is added as an explicit apps/web devDependency: pnpm will not
  re-resolve it via override alone since it is resolved purely as a peer
  of vitest / vite-tsconfig-paths.
- dompurify GHSA-x4vx-rjvf-j5p4 (#75) has no published fix -> suppressed
  via auditConfig.ignoreCves with a remove-when-fixed note.
- better-auth GHSA-wxw3-q3m9-c3jr (#55) is deferred: the only fix (1.6.2)
  breaks @neondatabase/auth@0.4.1-beta's exact better-auth@1.4.18 pin.

Verified on Node 22.23: pnpm build, typecheck (6/6), lint (0 errors),
2066 unit tests, drizzle-kit db:generate. No production-dependency drift;
no new packages entered the tree.

Claude-Session: https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg
coderabbitai Bot (Contributor) commented Jul 1, 2026

Commits: reviewing files that changed from the base of the PR and between 75dc192 and d411a14.

Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (1): pnpm-workspace.yaml

Walkthrough

Adds a vite devDependency pin (^7.3.6) to apps/web/package.json and expands pnpm-workspace.yaml audit configuration with a new dompurify CVE suppression and a broader overrides matrix covering multiple transitive dependencies.

Changes (Dependency and Audit Config Update)

  • Vite devDependency pin (apps/web/package.json): adds vite ^7.3.6 to devDependencies.
  • Audit config overrides and CVE suppression (pnpm-workspace.yaml): adds a dompurify CVE ignore entry and expands auditConfig.overrides with new/consolidated version constraints for esbuild, lodash, postcss, qs, tar, ua-parser-js, undici, hono, vite, and others.

Estimated code review effort: 2 (Simple) | ~10 minutes


github-actions Bot (Contributor) commented Jul 1, 2026

Coverage Report for apps/web

  Status  Category    Percentage (target)  Covered / Total
  🔵      Lines       56.31% (🎯 54%)      6684 / 11869
  🔵      Statements  54.93% (🎯 53%)      7133 / 12984
  🔵      Functions   45.93% (🎯 45%)      1480 / 3222
  🔵      Branches    46.69% (🎯 44%)      4011 / 8590
Generated in workflow #488 for commit d411a14 by the Vitest Coverage Report Action

coderabbitai Bot (Contributor) left a review comment

Actionable comments posted: 1

Nitpick comments (2) on pnpm-workspace.yaml

Lines 75-77 (Maintainability & Code Quality, trivial, quick win):

Collapse the three overlapping h3 rules into one.

h3@<1.15.6, h3@<1.15.9, and h3@<=1.15.8 all overlap (the last two are equivalent for released versions), and the <1.15.6: '>=1.15.6' rule is both redundant and unbounded (h3 2.x exists, so it can force a 1.x consumer to a breaking major). A single bounded rule is clearer and safer.

Proposed consolidation:
-  h3@<1.15.6: '>=1.15.6'
-  h3@<1.15.9: '>=1.15.9'
-  h3@<=1.15.8: '>=1.15.9'
+  h3@<1.15.9: '>=1.15.9 <2.0.0'
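Review bot: the consolidated rule carries no comment saying why it exists, and the author notes further down that h3 is not currently in the dependency tree, so a future cleanup could drop it as dead config; add a one-line YAML comment above `h3@<1.15.9: '>=1.15.9 <2.0.0'` naming the advisory it guards against and the reason for the `<2.0.0` cap (h3 2.x is a breaking major for 1.x consumers), matching the remove-when-fixed note already used for the dompurify suppression.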

Lines 72-73 (Maintainability & Code Quality, trivial, low value):

Redundant overlapping override pairs.

flatted@<3.4.0: '>=3.4.0' (Line 72) is fully subsumed by flatted@<=3.4.1: '>=3.4.2' (Line 73); likewise serialize-javascript@<=7.0.2: '>=7.0.3' (Line 90) is subsumed by serialize-javascript@<7.0.5: '>=7.0.5' (Line 89). The narrower/older keys are dead weight — drop them and keep the single broader rule per package to avoid confusion about which target wins.


Inline comment on pnpm-workspace.yaml:
- Around line 60-62: Update the override entries in pnpm-workspace.yaml so each
range is capped to the current major instead of allowing a future major bump;
specifically adjust the brace-expansion, minimatch, and picomatch overrides to
use an upper bound below the next major version. Keep the existing lower bounds,
but revise the affected pnpm override rules so installs can only resolve within
the intended major line.
Commits: reviewing files that changed from the base of the PR and between 57ef14f and 75dc192.

Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (2): apps/web/package.json, pnpm-workspace.yaml

Comment thread on pnpm-workspace.yaml (outdated)
Address CodeRabbit feedback on the overrides block — the same
within-major discipline applied to the new entries, now extended to
pre-existing ones that could force a breaking major bump at install:

- brace-expansion@<1.1.13 -> cap <2.0.0  (was force-upgrading a 1.x
  consumer to 5.x; now correctly resolves to patched 1.1.15)
- minimatch@<3.1.4        -> cap <4.0.0  (3.x consumer was jumping to
  10.x; now patched 3.1.5)
- picomatch@<2.3.2        -> cap <3.0.0  (2.x consumer was jumping to
  4.x; now patched 2.3.2)
- h3: consolidate three overlapping rules into one bounded
  h3@<1.15.9 -> '>=1.15.9 <2.0.0'
- flatted: drop the <3.4.0 key subsumed by <=3.4.1; cap survivor <4.0.0
- serialize-javascript: drop the <=7.0.2 key subsumed by <7.0.5; cap <8.0.0

The newly within-major versions are all dev-only (eslint/tailwind
tooling) and are the patched floor of their advisory. No production
dependency drift.

Verified on Node 22.23: build, typecheck (6/6), lint (0 errors),
2066 unit tests.

Claude-Session: https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg
RyRy79261 (Owner, Author) commented

Thanks @coderabbitai — all three findings addressed in d411a14 (the same within-major discipline applied to the new overrides, extended to the pre-existing ones):

Major — unbounded low-major overrides (brace-expansion / minimatch / picomatch): capped to <2.0.0 / <4.0.0 / <3.0.0. This was not a no-op — they were silently force-upgrading real (dev-only) consumers across majors. After the cap they correctly resolve to the patched floor within-major: brace-expansion@1.1.15 (was 5.x), minimatch@3.1.5 (was 10.x), picomatch@2.3.2 (was 4.x). All three are ≥ the advisory fix and pulled only via @intake/web devDependencies.

Nitpick — h3: three overlapping rules consolidated into one bounded h3@<1.15.9: '>=1.15.9 <2.0.0' (h3 is not currently in the tree; this is hygiene against the 2.x major).

Nitpick — redundant pairs: dropped flatted@<3.4.0 (subsumed by <=3.4.1) and serialize-javascript@<=7.0.2 (subsumed by <7.0.5); capped the surviving rules <4.0.0 / <8.0.0.

Re-verified on Node 22.23: build, typecheck (6/6), lint (0 errors), 2066 unit tests. No production-dependency drift.
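The implementation note in the PR description and the follow-up above both turn on the same rule: an override's target range must carry an upper bound at the next major, or a consumer can be silently forced across a breaking major at install. As an added example (not code from the PR or the project), this small Node script lints a pnpm-workspace.yaml `overrides` block for exactly that defect; the sample block is constructed from versions quoted in this thread, and the floors on the first two lines are assumed rather than copied from the merged file.

```javascript
// Added example (not code from the PR or the project): a lint for the pnpm
// `overrides` block that flags the failure mode this thread fixes, a target
// range with no cap (or the wrong cap) that lets a consumer resolve across a
// breaking major. SAMPLE_OVERRIDES is constructed from versions quoted in the
// thread; the first two floors are assumed, not taken from the merged file.
const SAMPLE_OVERRIDES = `
  brace-expansion@<1.1.13: '>=1.1.13'
  minimatch@<3.1.4: '>=3.1.4'
  picomatch@<2.3.2: '>=2.3.2 <3.0.0'
  h3@<1.15.9: '>=1.15.9 <2.0.0'
  flatted@<=3.4.1: '>=3.4.2 <4.0.0'
  serialize-javascript@<7.0.5: '>=7.0.5 <8.0.0'
  fast-uri@<=3.1.1: '>=3.1.3 <5.0.0'
`;

// First x.y.z triple in a string, as numbers, or null.
function parseVersion(s) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(s);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Parse `pkg@selector: 'range'` lines (scoped names like @babel/core work);
// anything else, including YAML comments, is skipped.
function parseOverrides(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const m = /^(@?[^@\s]+)@([^:]+):\s*'([^']+)'$/.exec(raw.trim());
    if (m) rules.push({ pkg: m[1], selector: m[2].trim(), range: m[3].trim() });
  }
  return rules;
}

// Heuristic: the selector's major is the line the consumer is on, so the target
// needs a floor in that major and a cap of exactly (major + 1).0.0.
// Returns null when the rule passes, otherwise the reason it fails.
function checkRule(rule) {
  const vulnerable = parseVersion(rule.selector);
  if (!vulnerable) return "selector has no parseable version";
  const major = vulnerable[0];
  const cap = /<\s*(\d+\.\d+\.\d+)/.exec(rule.range);
  if (!cap) return `unbounded: '${rule.range}' can leave major ${major}`;
  const [capMajor, capMinor, capPatch] = parseVersion(cap[1]);
  if (capMajor !== major + 1 || capMinor !== 0 || capPatch !== 0)
    return `cap ${cap[1]} is not the next major boundary ${major + 1}.0.0`;
  const floor = parseVersion(rule.range);
  if (floor && floor[0] !== major) return `floor ${floor.join(".")} is outside major ${major}`;
  return null;
}
// Lint a whole block; returns [{ rule, reason }] for each failing entry.
function lintOverrides(text) {
  return parseOverrides(text)
    .map((r) => ({ rule: `${r.pkg}@${r.selector}`, reason: checkRule(r) }))
    .filter((f) => f.reason !== null);
}
for (const f of lintOverrides(SAMPLE_OVERRIDES)) console.log(`${f.rule}: ${f.reason}`);
```

On the sample block it reports the two unbounded entries and the fast-uri rule whose cap skips a major; the remaining entries, including the consolidated h3 rule, pass.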

coderabbitai Bot (Contributor) commented Jul 1, 2026

Analysis chain

Script executed:

#!/bin/bash
sed -n '1,120p' pnpm-workspace.yaml

Length of output: 4297

@RyRy79261 Confirmed — I checked pnpm-workspace.yaml at d411a14 and all three points are correctly implemented:

  • brace-expansion / minimatch / picomatch overrides are now upper-bounded within-major (<2.0.0 / <4.0.0 / <3.0.0 respectively), preventing the previous silent cross-major force-upgrades.
  • h3 is consolidated into a single bounded rule: h3@<1.15.9: '>=1.15.9 <2.0.0'.
  • The redundant flatted@<3.4.0 and serialize-javascript@<=7.0.2 entries are gone, with the surviving rules correctly capped at <4.0.0 and <8.0.0.

Nice work tightening the discipline across the whole overrides matrix, not just the new entries. Thanks for the thorough re-verification (build/typecheck/lint/tests) too.


@RyRy79261 RyRy79261 merged commit 500f9d7 into main Jul 1, 2026
22 checks passed
@RyRy79261 RyRy79261 deleted the fix/dependabot-transitive-deps branch July 1, 2026 21:31