chore(deps): configure Dependabot + pin postcss (patch GHSA-qx2v-qp2m-jg93)#54
Dependabot's vulnerability ALERTS were on, but there was no .github/dependabot.yml — so no update PRs were ever opened (which is why it looked like Dependabot wasn't working).

Add a config: weekly npm updates (single root pnpm-lock covers all workspaces; minor/patch grouped into one PR) + weekly github-actions updates.

Also pin postcss to ^8.5.15 via pnpm.overrides — a transitive was resolving the vulnerable 8.4.31 (< 8.5.10, GHSA-qx2v-qp2m-jg93, moderate). 8.5.x is a backwards-compatible bump; the web build (Tailwind/postcss pipeline) passes.

Two open advisories are deliberately NOT touched here (flagged for a decision):

- better-auth (moderate, GHSA-wxw3-q3m9-c3jr, OAuth state mismatch → 1.6.2): it's pinned to ~1.4.18 for @neondatabase/auth compat; bumping risks the auth stack and the e2e harness auths via a seam, so it can't verify real sign-in.
- esbuild (moderate+low → 0.25.0 / 0.28.1): dev-only tooling (drizzle-kit, tsx, storybook), not in the prod runtime; 4 versions across consumers make a clean single-version override risky for low real-world benefit.

Claude-Session: https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
No actionable comments were generated in the recent review.

Walkthrough: This PR adds a Dependabot configuration file for automated npm and github-actions dependency updates, corrects a Next.js generated types reference path in next-env.d.ts, and introduces a postcss version override in package.json's pnpm.overrides section.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Pre-merge checks: 5 passed.
@coderabbitai please review
Analysis chain. Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 54 --repo RyRy79261/ops-board --json title,body,files,additions,deletions
echo "---DIFF---"
gh pr diff 54 --repo RyRy79261/ops-board

Length of output: 6163
This is unrelated to the stated purpose of the PR (Dependabot config + postcss pin) and looks like it was auto-regenerated locally by Next.js (the file even has a

On the two flagged advisories (better-auth, esbuild): the reasoning in the PR description for not auto-fixing these is sound — better-auth is correctly treated as the higher-priority one needing a real Vercel-preview Google sign-in test before bumping past

Overall: the two intentional changes (dependabot.yml, postcss pin) look good to merge. Only the
Context

You asked me to check Dependabot. Finding: the vulnerability alerts were on, but there was no .github/dependabot.yml — so Dependabot never opened a single update PR. That's why it felt like it wasn't working. There were 4 open alerts (0 critical, 0 high, 3 moderate, 1 low) and 0 Dependabot PRs.

This PR

- .github/dependabot.yml — weekly npm updates (one root entry; pnpm's single lockfile covers all workspaces; minor/patch grouped into one PR to cut noise) + weekly github-actions updates. From now on, new advisories get auto-PRs.
- postcss to ^8.5.15 via pnpm.overrides — a transitive was resolving the vulnerable 8.4.31 (< 8.5.10, GHSA-qx2v-qp2m-jg93, moderate). 8.5.x is a backwards-compatible bump; the web build (Tailwind/postcss) passes. pnpm audit is now 0 high (CI supply-chain stays green).

Not touched (flagged for a decision)

- better-auth (moderate, GHSA-wxw3-q3m9-c3jr, OAuth state mismatch), patched in 1.6.2. It's pinned to ~1.4.18 for @neondatabase/auth compat (peers @better-auth/passkey, @daveyplate/better-auth-ui are on 1.4.x too). Bumping risks breaking the auth stack, and the e2e harness auths via a seam so it can't verify real sign-in. This is the one genuinely security-relevant to prod. Recommended path: bump the override to ~1.6.2 on a branch and test a real Google sign-in in a Vercel preview, or wait for a @neondatabase/auth release that pulls 1.6.x.
- esbuild (moderate+low), fixed in >=0.25.0 / >=0.28.1. Dev-only tooling (via drizzle-kit, tsx, storybook) — not in the deployed runtime. Four versions across consumers (0.18/0.25/0.27/0.28) make a clean single-version override risky for low real-world benefit. Low priority; Dependabot (now configured) will nudge these.

Verification

- pnpm audit → 0 high

Claude-Session: https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
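The Dependabot configuration and the pnpm override that the PR body describes, written out as an added example; this is not the file from this PR (the page does not show it), and the group name and the root "/" directory are assumptions:

```yaml
# .github/dependabot.yml (illustration; group name and directory are assumed)
version: 2
updates:
  # One root npm entry: pnpm keeps a single pnpm-lock.yaml for every workspace,
  # so Dependabot sees all workspace dependencies from "/".
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Minor and patch bumps land as one PR to cut noise; major bumps still
      # get their own PRs. Without an explicit `applies-to`, a group covers
      # version updates only, so security-update PRs are unaffected.
      npm-minor-patch:
        update-types: ["minor", "patch"]

  # Keep the CI actions current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

# Companion change in the root package.json (a separate file, shown here
# as a comment):
#   "pnpm": { "overrides": { "postcss": "^8.5.15" } }
# The override forces every transitive postcss resolution above 8.5.10, the
# fixed version for GHSA-qx2v-qp2m-jg93. Check the resolution with
# `pnpm why postcss` and confirm the alert is gone with `pnpm audit`.
```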