
chore(deps): configure Dependabot + pin postcss (patch GHSA-qx2v-qp2m-jg93) #54

Merged: RyRy79261 merged 1 commit into main from chore/dependabot-and-postcss on Jul 1, 2026

Conversation


RyRy79261 (Owner) commented Jul 1, 2026

Context

You asked me to check Dependabot. Finding: the vulnerability alerts were on, but there was no .github/dependabot.yml — so Dependabot never opened a single update PR. That's why it felt like it wasn't working. There were 4 open alerts (0 critical, 0 high, 3 moderate, 1 low) and 0 Dependabot PRs.

This PR

  1. Adds .github/dependabot.yml — weekly npm updates (one root entry; pnpm's single lockfile covers all workspaces; minor/patch grouped into one PR to cut noise) + weekly github-actions updates. From now on, new advisories get auto-PRs.
  2. Pins postcss to ^8.5.15 via pnpm.overrides — a transitive was resolving the vulnerable 8.4.31 (< 8.5.10, GHSA-qx2v-qp2m-jg93, moderate). 8.5.x is a backwards-compatible bump; the web build (Tailwind/postcss) passes.

pnpm audit is now 0 high (CI supply-chain stays green).

⚠️ Two advisories I did NOT auto-fix (need your call)

  • better-auth — moderate, GHSA-wxw3-q3m9-c3jr (OAuth callback accepts mismatched state), patched in 1.6.2. It's pinned to ~1.4.18 for @neondatabase/auth compat (peers @better-auth/passkey, @daveyplate/better-auth-ui are on 1.4.x too). Bumping risks breaking the auth stack, and the e2e harness auths via a seam so it can't verify real sign-in. This is the one genuinely security-relevant to prod. Recommended path: bump the override to ~1.6.2 on a branch and test a real Google sign-in in a Vercel preview, or wait for a @neondatabase/auth release that pulls 1.6.x.
  • esbuild — moderate + low (dev-server SSRF / file-read), patched >=0.25.0 / >=0.28.1. Dev-only tooling (via drizzle-kit, tsx, storybook) — not in the deployed runtime. Four versions across consumers (0.18/0.25/0.27/0.28) make a clean single-version override risky for low real-world benefit. Low priority; Dependabot (now configured) will nudge these.

Verification

  • web build passes with postcss 8.5.15; pnpm audit → 0 high
  • CodeRabbit CLI: no findings

https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx

Summary by CodeRabbit

  • Chores
    • Added automated dependency update settings for weekly package and GitHub Actions updates.
    • Updated project configuration to use the current generated type paths for better environment consistency.
    • Added a dependency override to keep a key build tool version aligned across the workspace.

…2m-jg93

Dependabot's vulnerability ALERTS were on, but there was no .github/dependabot.yml
— so no update PRs were ever opened (which is why it looked like Dependabot
wasn't working). Add a config: weekly npm updates (single root pnpm-lock covers
all workspaces; minor/patch grouped into one PR) + weekly github-actions updates.

Also pin postcss to ^8.5.15 via pnpm.overrides — a transitive was resolving the
vulnerable 8.4.31 (< 8.5.10, GHSA-qx2v-qp2m-jg93, moderate). 8.5.x is a backwards-
compatible bump; the web build (Tailwind/postcss pipeline) passes.

Two open advisories are deliberately NOT touched here (flagged for a decision):
- better-auth (moderate, GHSA-wxw3-q3m9-c3jr, OAuth state mismatch → 1.6.2): it's
  pinned to ~1.4.18 for @neondatabase/auth compat; bumping risks the auth stack
  and the e2e harness auths via a seam, so it can't verify real sign-in.
- esbuild (moderate+low → 0.25.0 / 0.28.1): dev-only tooling (drizzle-kit, tsx,
  storybook), not in the prod runtime; 4 versions across consumers make a clean
  single-version override risky for low real-world benefit.

Claude-Session: https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
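The Dependabot configuration the description above spells out, written out here as an added example rather than the repository's own file (this page does not show it): one npm entry at the repository root, a weekly schedule, minor and patch bumps grouped into a single PR with majors left ungrouped, plus a weekly github-actions entry. The `open-pull-requests-limit` value and the label names are assumptions; the page only says the file has a PR limit and labels.

```yaml
# .github/dependabot.yml (added example, not the repository's file).
# The PR limit and label names are assumptions.
version: 2
updates:
  # One root npm entry: pnpm keeps a single pnpm-lock.yaml for every workspace
  # package, so Dependabot sees all of them from "/".
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    groups:
      # Minor and patch bumps land as one combined PR; majors stay as
      # separate PRs because each one needs its own review.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Keep the `uses: owner/repo@vN` references in workflows current as well.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "ci"
```

The companion pin described in the PR body sits in the root package.json as `"pnpm": { "overrides": { "postcss": "^8.5.15" } }`; after `pnpm install`, `pnpm why postcss` should list only 8.5.x resolutions. Two caveats a practitioner should keep in mind: this file drives Dependabot version updates, while PRs for existing security alerts are switched on separately under the repository's Code security settings (Dependabot security updates), and the `groups` entry above applies to version updates only unless a group with `applies-to: security-updates` is added alongside it.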

vercel Bot commented Jul 1, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
ops-board-web | Ready | Preview, Comment | Jul 1, 2026 5:23pm


coderabbitai Bot commented Jul 1, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5bc984eb-5070-456a-a239-c335463dfec2

📥 Commits

Reviewing files that changed from the base of the PR and between da4cf14 and 3e9d766.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .github/dependabot.yml
  • apps/web/next-env.d.ts
  • package.json

📝 Walkthrough

This PR adds a Dependabot configuration file for automated npm and github-actions dependency updates, corrects a Next.js generated types reference path in next-env.d.ts, and introduces a postcss version override in package.json's pnpm.overrides section.

Changes

Repository Maintenance Updates

Layer / File(s) | Summary
Dependabot configuration (.github/dependabot.yml) | Adds weekly npm and github-actions update jobs at repo root, with PR limits, grouped minor/patch updates, and dependency labels.
Next.js types path fix (apps/web/next-env.d.ts) | Updates routes type reference from dev path to generated production path.
Postcss override (package.json) | Adds postcss ^8.5.15 entry to pnpm.overrides.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Poem

Three small burrows, tidy and neat,
Dependabot hops in on quiet feet,
A type path fixed, a version pinned,
Configs groomed like fur in the wind,
This rabbit thumps approval—complete! 🐇✨

🚥 Pre-merge checks | ✅ 5 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly matches the main changes: Dependabot configuration and a postcss security pin.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

RyRy79261 (Owner, Author) commented:

@coderabbitai please review


coderabbitai Bot commented Jul 1, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
gh pr view 54 --repo RyRy79261/ops-board --json title,body,files,additions,deletions
echo "---DIFF---"
gh pr diff 54 --repo RyRy79261/ops-board

Length of output: 6163


@RyRy79261 Reviewed the diff — here's the breakdown:

.github/dependabot.yml

  • Root npm entry with weekly schedule is correct given pnpm's single lockfile covers all workspaces.
  • Grouping minor/patch into one PR while leaving majors ungrouped is a sensible noise-reduction default.
  • github-actions ecosystem entry is a good addition to keep CI actions current.
  • Nothing blocking here — config is valid and matches the PR description.

postcss pin (package.json + pnpm-lock.yaml)

  • The override cleanly replaces 8.4.31 with 8.5.15 everywhere in the lockfile (no dangling 8.4.31 resolution left behind), and it patches GHSA-qx2v-qp2m-jg93 as described.

apps/web/next-env.d.ts ⚠️ — flagging for your attention

-import "./.next/dev/types/routes.d.ts";
+import "./.next/types/routes.d.ts";
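Review bot: this one-line change only drops the `dev/` segment from the routes import in a file Next.js regenerates itself on every `next dev` or `next build` (the reviewer notes its `// NOTE: This file should not be edited` header), so whichever path is committed here will be flipped back the next time the other mode runs on another machine; keep this PR scoped to the Dependabot config and the postcss pin by dropping the hunk, and settle the committed path in a separate change that matches what the CI build command generates.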

This is unrelated to the stated purpose of the PR (Dependabot config + postcss pin) and looks like it was auto-regenerated locally by Next.js (the file even has a // NOTE: This file should not be edited header). It's likely just a stray artifact from running next dev/next build with a different Next.js version/mode locally versus what CI uses. Worth double-checking:

  • If your Next.js version in this branch differs from main, this could be expected and harmless (Next regenerates this on build regardless).
  • If not, consider reverting this hunk to keep the diff scoped to the PR's actual intent, since unrelated generated-file churn can cause noisy diffs on future PRs if the two environments keep flip-flopping the path.

On the two flagged advisories (better-auth, esbuild): the reasoning in the PR description for not auto-fixing these is sound — better-auth is correctly treated as the higher-priority one needing a real Vercel-preview Google sign-in test before bumping past ~1.4.18, and esbuild's dev-only exposure with multiple installed versions makes a blanket override premature. No action needed from me there; just make sure a follow-up issue/reminder exists for the better-auth bump since it's genuinely security-relevant to prod.

Overall: the two intentional changes (dependabot.yml, postcss pin) look good to merge. Only the next-env.d.ts line is worth a quick sanity check before merging.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
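The lockfile check the review above did by eye ("no dangling 8.4.31 resolution left behind"), as an added example that is not the project's code or CodeRabbit's: it reads the `packages:` section of a pnpm-lock.yaml, collects every resolved version of each package, and reports those still below an advisory's patched floor. It also shows why the esbuild case is messier than postcss: several resolved versions measured against two different patch floors, one per advisory. The lockfile excerpts are constructed, the lockfile v9 `  name@version:` key layout is an assumption, and the esbuild advisory IDs are not on this page, so only their patched versions and severities from the PR description are used.

```javascript
// Added example, not the project's code: scan a pnpm-lock.yaml for package
// resolutions still below an advisory's patched version. It automates the manual
// check behind "no dangling 8.4.31 resolution left behind" and shows why esbuild
// is messier: several resolved versions against two different patch floors.
// Assumption: lockfile v9 layout, where the `packages:` section lists entries as
// `  name@version:` (scoped names quoted) at two-space indentation.
"use strict";

// Parse "1.2.3" or "1.2.3-rc.1" into comparable pieces; null if not semver.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  return m ? { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null } : null;
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease sorts below
// its release (8.5.10-rc.1 < 8.5.10); prerelease identifiers are not ordered further.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`not a semver version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa.parts[i] !== pb.parts[i]) return pa.parts[i] - pb.parts[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Package name -> Set of every version resolved in the `packages:` section.
function resolvedVersions(lockText) {
  const out = new Map();
  // Matches `  postcss@8.4.31:` and `  '@scope/name@1.2.3':`; a peer suffix
  // such as `(postcss@8.5.15)` after the version is ignored.
  const key = /^  '?(@?[^@\s']+)@([^:\s('"]+)(?:\([^)]*\))*'?:\s*$/;
  let inPackages = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) inPackages = line.startsWith("packages:"); // top-level key
    if (!inPackages) continue;
    const m = key.exec(line);
    if (!m) continue;
    if (!out.has(m[1])) out.set(m[1], new Set());
    out.get(m[1]).add(m[2]);
  }
  return out;
}

// advisories: [{ name, patched, severity }]. Returns one finding per
// (advisory, resolved version) pair where the version is below the patched floor.
function findVulnerableResolutions(lockText, advisories) {
  const versions = resolvedVersions(lockText);
  const findings = [];
  for (const adv of advisories) {
    for (const v of versions.get(adv.name) || []) {
      if (compareSemver(v, adv.patched) < 0) {
        findings.push({ name: adv.name, version: v, patched: adv.patched, severity: adv.severity });
      }
    }
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name) || compareSemver(a.version, b.version));
}

// Patched floors and severities as given in the PR description; the esbuild
// advisory IDs are not on the page, so only postcss carries one here.
const ADVISORIES = [
  { name: "postcss", patched: "8.5.10", severity: "moderate" }, // GHSA-qx2v-qp2m-jg93
  { name: "esbuild", patched: "0.25.0", severity: "moderate" },
  { name: "esbuild", patched: "0.28.1", severity: "low" },
];

// Builds a constructed lockfile excerpt (not the repository's real lockfile).
function constructedLock(packageKeys) {
  const entries = packageKeys.map((k) => `  ${k}:\n    resolution: {integrity: sha512-constructed}\n`);
  return `lockfileVersion: '9.0'\n\npackages:\n\n${entries.join("\n")}\nsnapshots:\n`;
}

// Before the override: a transitive still resolves postcss 8.4.31 beside 8.5.15,
// and esbuild is installed at the four versions the description lists.
const LOCK_BEFORE_OVERRIDE = constructedLock([
  "'@tailwindcss/postcss@4.1.0'", "esbuild@0.18.20", "esbuild@0.25.0",
  "esbuild@0.27.0", "esbuild@0.28.1", "postcss@8.4.31", "postcss@8.5.15",
]);

// After `"pnpm": { "overrides": { "postcss": "^8.5.15" } }` and a reinstall:
// every consumer resolves 8.5.15, so the 8.4.31 entry is gone.
const LOCK_AFTER_OVERRIDE = constructedLock([
  "'@tailwindcss/postcss@4.1.0'", "esbuild@0.18.20", "esbuild@0.25.0",
  "esbuild@0.27.0", "esbuild@0.28.1", "postcss@8.5.15",
]);

// Usage on a real lockfile: node audit-lock.js pnpm-lock.yaml
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const text = require("fs").readFileSync(process.argv[2], "utf8");
  for (const f of findVulnerableResolutions(text, ADVISORIES)) {
    console.log(`${f.severity}: ${f.name}@${f.version} < patched ${f.patched}`);
  }
}
```

Run against the real lockfile before and after adding the override, the output should lose the `postcss@8.4.31` line and keep the esbuild lines; the scoped `@tailwindcss/postcss` package is never confused with `postcss` because the name is matched whole. A single `esbuild` override would have to satisfy the higher 0.28.1 floor for every consumer at once, which is the risk the PR description calls out.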

@RyRy79261 RyRy79261 merged commit 4523efc into main Jul 1, 2026
14 checks passed
@RyRy79261 RyRy79261 deleted the chore/dependabot-and-postcss branch July 1, 2026 21:27