fix(deps): patch 48 Dependabot transitive alerts via pnpm overrides (#265)
Bump 14 vulnerable transitive packages to their first patched release through pnpm-workspace.yaml overrides (ranged, capped within-major), resolving 48 of 50 open Dependabot alerts (all 14 high, 26 medium, 8 low):

- @babel/core <=7.29.0 -> 7.29.7 (GHSA-4x5r-pxfx-6jf8)
- brace-expansion 5.0.0-5.0.5 -> 5.0.6 (GHSA-jxxr-4gwj-5jf2)
- defu <=6.1.4 -> 6.1.7 (GHSA-737v-mqg7-c878)
- dompurify <3.4.11 -> 3.4.11 (11 advisories)
- esbuild <=0.24.2, 0.27.x -> 0.25/0.28 (GHSA-67mh-4wv8-2f99, GHSA-g7r4-m6w7-qqqr)
- fast-uri <=3.1.1 -> 3.1.3 (GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6)
- hono <4.12.25 -> 4.12.27 (5 advisories; consolidates old pins)
- lodash <4.18.0 -> 4.18.1 (GHSA-r5fr-rjxr-66jc, GHSA-f23m-r3pf-42rh)
- postcss <8.5.10 -> 8.5.15 (GHSA-qx2v-qp2m-jg93)
- qs 6.11.1-6.15.1 -> 6.15.3 (GHSA-q8mj-m7cp-5q26)
- tar <=7.5.15 -> 7.5.19 (GHSA-vmf3-w455-68vh)
- ua-parser-js 2.0.1-2.0.9 -> 2.0.10 (GHSA-9h5v-pfqq-x599)
- undici 7.x / 8.x -> 7.28.0/8.5.0 (8 advisories, split per major)
- vite <7.3.5 -> 7.3.6 (5 advisories)

Notes:
- Override replacement ranges are upper-bounded (e.g. undici 7.x stays <8, fast-uri stays <4) so a vulnerable copy cannot silently cross a major.
- vite is added as an explicit apps/web devDependency: pnpm will not re-resolve it via override alone since it is resolved purely as a peer of vitest / vite-tsconfig-paths.
- dompurify GHSA-x4vx-rjvf-j5p4 (#75) has no published fix -> suppressed via auditConfig.ignoreCves with a remove-when-fixed note.
- better-auth GHSA-wxw3-q3m9-c3jr (#55) is deferred: the only fix (1.6.2) breaks @neondatabase/auth@0.4.1-beta's exact better-auth@1.4.18 pin.

Verified on Node 22.23: pnpm build, typecheck (6/6), lint (0 errors), 2066 unit tests, drizzle-kit db:generate. No production-dependency drift; no new packages entered the tree.

Claude-Session: https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg
🚥 Pre-merge checks: 5 passed
Actionable comments posted: 1
🧹 Nitpick comments (2)
pnpm-workspace.yaml (2)
75-77: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win: Collapse the three overlapping h3 rules into one.
`h3@<1.15.6`, `h3@<1.15.9`, and `h3@<=1.15.8` all overlap (the last two are equivalent for released versions), and the `<1.15.6: '>=1.15.6'` rule is both redundant and unbounded (h3 2.x exists, so it can force a 1.x consumer to a breaking major). A single bounded rule is clearer and safer.
♻️ Proposed consolidation:

```diff
- h3@<1.15.6: '>=1.15.6'
- h3@<1.15.9: '>=1.15.9'
- h3@<=1.15.8: '>=1.15.9'
+ h3@<1.15.9: '>=1.15.9 <2.0.0'
```
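Review bot: of the two keys being merged, `h3@<1.15.9` and `h3@<=1.15.8` differ only for prerelease tags of 1.15.9 (1.15.9-0 sorts below 1.15.9 but above 1.15.8), so `<1.15.9` is the right selector to keep; the `<2.0.0` cap on the replacement is what actually removes the breaking-major risk the comment describes, so after applying the hunk confirm the lockfile resolves a single h3 on the 1.15.x line rather than 2.x.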
🤖 Prompt for AI Agents:
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pnpm-workspace.yaml` around lines 75 - 77, the h3 overrides are overlapping and one is unbounded, so consolidate the three entries into a single bounded rule in pnpm-workspace.yaml. Remove the redundant h3@<1.15.6, h3@<1.15.9, and h3@<=1.15.8 mappings and replace them with one clear constraint that preserves the intended minimum version without affecting h3 2.x consumers.
72-73: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value: Redundant overlapping override pairs.
`flatted@<3.4.0: '>=3.4.0'` (Line 72) is fully subsumed by `flatted@<=3.4.1: '>=3.4.2'` (Line 73); likewise `serialize-javascript@<=7.0.2: '>=7.0.3'` (Line 90) is subsumed by `serialize-javascript@<7.0.5: '>=7.0.5'` (Line 89). The narrower/older keys are dead weight — drop them and keep the single broader rule per package to avoid confusion about which target wins.
🤖 Prompt for AI Agents:
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pnpm-workspace.yaml` around lines 72 - 73, the override list contains redundant overlapping rules that are fully subsumed by broader entries, so remove the narrower dead-weight keys and keep one clear rule per package. In pnpm-workspace.yaml, delete the older overlapping override for flatted and the overlapping serialize-javascript entry, leaving the broader matching override as the single source of truth so the intended target version is unambiguous.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 60-62: Update the override entries in pnpm-workspace.yaml so each
range is capped to the current major instead of allowing a future major bump;
specifically adjust the brace-expansion, minimatch, and picomatch overrides to
use an upper bound below the next major version. Keep the existing lower bounds,
but revise the affected pnpm override rules so installs can only resolve within
the intended major line.
ℹ️ Review info
Configuration used: Organization UI · Review profile: CHILL · Plan: Pro · Run ID: 5515b827-212d-4985-a049-d054d6b4190a
⛔ Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2): apps/web/package.json, pnpm-workspace.yaml
Address CodeRabbit feedback on the overrides block — the same within-major discipline applied to the new entries, now extended to pre-existing ones that could force a breaking major bump at install:

- brace-expansion@<1.1.13 -> cap <2.0.0 (was force-upgrading a 1.x consumer to 5.x; now correctly resolves to patched 1.1.15)
- minimatch@<3.1.4 -> cap <4.0.0 (3.x consumer was jumping to 10.x; now patched 3.1.5)
- picomatch@<2.3.2 -> cap <3.0.0 (2.x consumer was jumping to 4.x; now patched 2.3.2)
- h3: consolidate three overlapping rules into one bounded h3@<1.15.9 -> '>=1.15.9 <2.0.0'
- flatted: drop the <3.4.0 key subsumed by <=3.4.1; cap survivor <4.0.0
- serialize-javascript: drop the <=7.0.2 key subsumed by <7.0.5; cap <8.0.0

The newly within-major versions are all dev-only (eslint/tailwind tooling) and are the patched floor of their advisory. No production dependency drift.

Verified on Node 22.23: build, typecheck (6/6), lint (0 errors), 2066 unit tests.

Claude-Session: https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg
Thanks @coderabbitai — all three findings addressed in d411a14 (the same within-major discipline applied to the new overrides, extended to the pre-existing ones): Major — unbounded low-major overrides ( Nitpick — Nitpick — redundant pairs: dropped Re-verified on Node 22.23: build, typecheck (6/6), lint (0 errors), 2066 unit tests. No production-dependency drift.
🧩 Analysis chain 🏁 Script executed:

```bash
#!/bin/bash
sed -n '1,120p' pnpm-workspace.yaml
```

Length of output: 4297

Nice work tightening the discipline across the whole overrides matrix, not just the new entries. Thanks for the thorough re-verification (build/typecheck/lint/tests) too. [resolve] ᕦ(ò_óˇ)ᕤ
Summary

Resolves 48 of the 50 open Dependabot alerts (all 14 high-severity, 26 medium, 8 low) by bumping vulnerable transitive dependencies to their first patched release via pnpm-workspace.yaml overrides — extending the existing Phase 23 pattern. The remaining 2 are handled explicitly (see below). Alerts auto-close once this lands on main (Dependabot evaluates the default branch).

Fixed (14 packages → 48 alerts)

@babel/core, brace-expansion, defu, dompurify, esbuild, fast-uri, hono, lodash, postcss, qs, tar, ua-parser-js, undici, vite

Not auto-fixed (2 alerts) — need attention

- dompurify GHSA-x4vx-rjvf-j5p4 (chore(main): release 1.9.0 #75, low) — no upstream fix exists (3.4.11 is the latest release and doesn't resolve it). Suppressed via auditConfig.ignoreCves with a remove-when-fixed note.
- better-auth GHSA-wxw3-q3m9-c3jr (chore(main): release 1.5.0 #55, medium) — deferred, needs a decision. The only fix is 1.6.2, but @neondatabase/auth@0.4.1-beta declares an exact better-auth@1.4.18 dependency, and the existing ~1.4.18 pin was added deliberately to hold that line. Forcing 1.6.2 risks breaking the app's auth. Recommended: wait for a @neondatabase/auth release on the 1.6.x line, then bump in lockstep. (Left as an inline NOTE in pnpm-workspace.yaml.)

Implementation notes

- Override replacement ranges are upper-bounded (e.g. undici 7.x stays <8, fast-uri stays <4) so a vulnerable copy can't silently cross a major — an unbounded value initially let fast-uri jump to 4.x and the undici 7.x consumer jump to 8.x.
- vite added as an explicit apps/web devDependency (^7.3.6): pnpm won't re-resolve it through an override alone because it's resolved purely as a peer of vitest/vite-tsconfig-paths (--force/dedupe didn't move it). This is also required because auditConfig.ignoreCves doesn't dismiss Dependabot alerts — only a lockfile bump does.

Verification (Node 22.23)

✅ pnpm build · ✅ typecheck (6/6) · ✅ lint (0 errors) · ✅ 2066/2066 unit tests · ✅ drizzle-kit db:generate
✅ No production-dependency drift vs main; no new packages entered the tree; all vulnerable-version sentinels clear.

https://claude.ai/code/session_01Y23KTs3oaNLNRVajnZtCFg
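As an added illustration (not the project's tooling and not code from this PR), the following Python checker applies the two override-hygiene rules discussed in this thread: the within-major cap on replacement ranges from the implementation notes, and the overlapping or redundant selector keys from the review nitpicks. The sample `overrides:` block is constructed to mirror the shapes quoted above and is not the repository's real file; the YAML reader is a deliberate minimal line parser for the one-line `pkg@selector: 'replacement'` form, and pnpm's own selector-matching semantics are not reproduced, only the version ranges as written.

```python
"""Lint a pnpm-workspace.yaml `overrides:` block for (a) replacement ranges that are
not capped within the lower bound's major line and (b) overlapping selectors for the
same package. Added illustration; assumes one-line entries with comparator or
'A - B' ranges and does not model pnpm's real matching rules."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Bounds = Tuple[Optional[Version], bool, Optional[Version], bool]  # lo, lo_incl, hi, hi_incl

CMP = re.compile(r"(<=|>=|<|>|=)?\s*v?(\d+)\.(\d+)\.(\d+)")
HYPHEN = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*-\s*v?(\d+)\.(\d+)\.(\d+)\s*")

# Constructed sample (not the repo's file): one unbounded replacement (fast-uri) and
# three overlapping h3 selectors whose replacements are all unbounded.
SAMPLE_OVERRIDES = """
packages:
  - apps/*
overrides:
  undici@<7.28.0: '>=7.28.0 <8.0.0'
  fast-uri@<=3.1.1: '>=3.1.3'
  h3@<1.15.6: '>=1.15.6'
  h3@<1.15.9: '>=1.15.9'
  h3@<=1.15.8: '>=1.15.9'
  brace-expansion@<1.1.13: '>=1.1.13 <2.0.0'
  'qs@6.11.1 - 6.15.1': '>=6.15.3 <7.0.0'
"""

# The same block after applying the within-major discipline described in the PR.
CORRECTED_OVERRIDES = """
overrides:
  undici@<7.28.0: '>=7.28.0 <8.0.0'
  fast-uri@<=3.1.1: '>=3.1.3 <4.0.0'
  h3@<1.15.9: '>=1.15.9 <2.0.0'
  brace-expansion@<1.1.13: '>=1.1.13 <2.0.0'
  'qs@6.11.1 - 6.15.1': '>=6.15.3 <7.0.0'
"""


def parse_bounds(range_str: str) -> Bounds:
    """'<=1.15.8', '>=1.15.9 <2.0.0' or '6.11.1 - 6.15.1' -> explicit bounds.
    A missing side is None (open); an empty selector means every version."""
    if not range_str.strip():
        return None, True, None, True
    m = HYPHEN.fullmatch(range_str)
    if m:
        a, b, c, d, e, f = map(int, m.groups())
        return (a, b, c), True, (d, e, f), True
    lo: Optional[Version] = None
    hi: Optional[Version] = None
    lo_incl = hi_incl = True
    parts = CMP.findall(range_str)
    if not parts:
        raise ValueError(f"unsupported range: {range_str!r}")
    for op, a, b, c in parts:
        v = (int(a), int(b), int(c))
        if op in (">=", ">"):
            lo, lo_incl = v, op == ">="
        elif op in ("<=", "<"):
            hi, hi_incl = v, op == "<="
        else:  # bare version or '=': an exact pin
            lo, lo_incl, hi, hi_incl = v, True, v, True
    return lo, lo_incl, hi, hi_incl


def check_replacement(replacement: str) -> Optional[str]:
    """A replacement needs a lower bound and an upper bound at or below the next
    major, so a vulnerable copy cannot be pushed across a breaking major at install."""
    lo, _, hi, hi_incl = parse_bounds(replacement)
    if lo is None:
        return "replacement has no lower bound"
    if hi is None:
        return "replacement is unbounded above; install may cross a major"
    cap = (lo[0] + 1, 0, 0)
    if hi > cap or (hi == cap and hi_incl):
        return f"upper bound {'.'.join(map(str, hi))} admits majors beyond {lo[0]}.x"
    return None


def intersects(a: Bounds, b: Bounds) -> bool:
    """True when two (possibly open) ranges share at least one version."""
    def below(lo, lo_incl, hi, hi_incl) -> bool:
        if lo is None or hi is None:
            return True
        return lo < hi or (lo == hi and lo_incl and hi_incl)
    return below(a[0], a[1], b[2], b[3]) and below(b[0], b[1], a[2], a[3])


def parse_overrides(yaml_text: str) -> List[Tuple[str, str, str]]:
    """Minimal reader for the overrides block -> (package, selector, replacement).
    Not a YAML parser; only the flat one-line entry form is understood."""
    rules, in_block = [], False
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):  # top-level key: enter or leave the block
            in_block = line.strip() == "overrides:"
            continue
        if not in_block:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip().strip("'\""), value.strip().strip("'\"")
        pkg, sep, selector = key.rpartition("@")
        if not sep:  # 'lodash: ...' with no selector applies to every version
            pkg, selector = selector, ""
        rules.append((pkg, selector, value))
    return rules


def lint_overrides(yaml_text: str) -> List[str]:
    """One finding per over-wide replacement and per overlapping selector pair;
    an empty list means the block follows the within-major rule."""
    rules = parse_overrides(yaml_text)
    findings = [f"{p}@{s}: {check_replacement(r)}" for p, s, r in rules if check_replacement(r)]
    by_pkg: Dict[str, List[str]] = {}
    for pkg, sel, _ in rules:
        by_pkg.setdefault(pkg, []).append(sel)
    for pkg, sels in by_pkg.items():
        for i in range(len(sels)):
            for j in range(i + 1, len(sels)):
                if intersects(parse_bounds(sels[i]), parse_bounds(sels[j])):
                    findings.append(f"{pkg}: selectors {sels[i]!r} and {sels[j]!r} overlap")
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_OVERRIDES), ("after", CORRECTED_OVERRIDES)):
        found = lint_overrides(text)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print("  ", f)
```

Running it reports seven findings for the constructed "before" block (four unbounded replacements and three overlapping h3 selector pairs) and none for the corrected block. The major cap is derived from the replacement's own lower bound, which is the same rule the PR applies by hand: `>=7.28.0` must pair with `<8.0.0`, never `<=8.0.0` or no bound at all.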