
fix(deps): override vulnerable transitive dependencies#1380

Open
vklimontovich wants to merge 1 commit into
newjitsufrom
fix/vulnerable-deps

Conversation

@vklimontovich vklimontovich commented Jul 2, 2026

Contributor

Resolves all 11 open high-severity Dependabot alerts via range-scoped pnpm overrides, following the existing convention in root package.json:

  • "tar@<7.5.11": "^7.5.11" (6 CVEs — alerts 699, 701, 705, 719, 761, 763)
  • "yeoman-environment@<6.0.1": "^6.0.1" (alert 1030)
  • "serialize-javascript@<7.0.3": "^7.0.3" (alert 753)
  • "parse-duration@<2.1.3": "^2.1.3" (alert 505)
  • "underscore@<1.13.8": "^1.13.8" (alert 1027)
  • "sigstore@<4.1.1": "^4.1.1" (alert 1032)

The large lockfile diff is mostly pruning: the committed lockfile contained importers for cli/build-scripts, examples/react-app, libs/core-functions, services/profiles — directories that are not tracked in git (local leftovers in the checkout where the lockfile was last regenerated). A clean-checkout pnpm install removes them and their dependency trees. pnpm install --frozen-lockfile now matches a clean checkout exactly.

Typecheck passes across the monorepo (pnpm codegen && pnpm typecheck). The affected packages are dev-tooling chains (react-scripts, webpack-cli generators, yeoman), not runtime dependencies.

Resolves 11 high-severity Dependabot alerts: tar, yeoman-environment,
serialize-javascript, parse-duration, underscore, sigstore. Lockfile also
prunes stale importers (untracked local dirs) not present in the repo.

@jitsu-code-review jitsu-code-review Bot left a comment


Reviewed the dependency-only changes in this PR: the new root overrides in package.json and the corresponding pnpm-lock.yaml re-resolution.

What I checked:

  • Existing review threads (none open/resolved)
  • Override/lockfile consistency for the newly added security constraints
  • Whether vulnerable versions targeted by the new overrides still appear in the lockfile
  • Whether the large lockfile shrink appears to come from removing stale importer entries

Findings:

  • No actionable bugs, security regressions, or correctness issues identified in this changeset.
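As an added example (not code from the jitsu repository, from this PR, or from the review bot), the following Node.js script encodes the check the bot lists above, whether versions inside the overridden ranges still appear in pnpm-lock.yaml, using the range-scoped override keys from the PR description. It assumes the overrides live under "pnpm.overrides" in the root package.json and that override keys use only the "name@<X.Y.Z" form; the package.json and lockfile excerpts are constructed sample data, and the versions in them are illustrative, not taken from the real lockfile.

```javascript
// Added example, not code from the jitsu repository or from PR #1380.
// Given range-scoped pnpm overrides ("name@<X.Y.Z": "^X.Y.Z"), scan the
// packages: section of a pnpm-lock.yaml and report every resolved version
// that still falls inside an overridden (vulnerable) range.
// Assumptions: overrides live under "pnpm.overrides"; keys use the "<X.Y.Z"
// form only; versions compare numerically on major.minor.patch, and any
// pre-release suffix is ignored.

// Constructed sample package.json carrying two of the overrides from the PR.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  pnpm: {
    overrides: {
      'tar@<7.5.11': '^7.5.11',
      'serialize-javascript@<7.0.3': '^7.0.3',
    },
  },
});

// Constructed lockfile excerpts (v9-style keys, plus one v6-style key with a
// leading slash and a scoped name, and one key with a peer-dependency suffix).
const LOCK_BEFORE = `
lockfileVersion: '9.0'
packages:
  tar@6.2.1:
    resolution: {integrity: sha512-placeholder}
  tar@7.4.3:
    resolution: {integrity: sha512-placeholder}
  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-placeholder}
  /@types/node@20.11.0:
    resolution: {integrity: sha512-placeholder}
  webpack@5.90.0(esbuild@0.19.0):
    resolution: {integrity: sha512-placeholder}
`;

const LOCK_AFTER = `
lockfileVersion: '9.0'
packages:
  tar@7.5.11:
    resolution: {integrity: sha512-placeholder}
  serialize-javascript@7.0.3:
    resolution: {integrity: sha512-placeholder}
  /@types/node@20.11.0:
    resolution: {integrity: sha512-placeholder}
`;

// "1.2.3-beta" -> [1, 2, 3]
function parseVersion(v) {
  return v.split('-')[0].split('.').map((n) => Number.parseInt(n, 10));
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] ?? 0) !== (b[i] ?? 0)) return (a[i] ?? 0) - (b[i] ?? 0);
  }
  return 0;
}

// "name@<7.5.11" -> { name: "name", below: [7, 5, 11] }; other key forms are skipped.
function parseOverrides(packageJsonText) {
  const overrides = JSON.parse(packageJsonText).pnpm?.overrides ?? {};
  return Object.keys(overrides).flatMap((key) => {
    const m = key.match(/^(@?[^@]+)@<(\d+\.\d+\.\d+)$/);
    return m ? [{ name: m[1], below: parseVersion(m[2]) }] : [];
  });
}

// Collect (name, version) from the two-space-indented keys under "packages:".
// Accepts "/name@1.2.3", "name@1.2.3", "@scope/name@1.2.3" and "(peer)" suffixes.
function lockfilePackages(lockText) {
  const found = [];
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) { inPackages = line.startsWith('packages:'); continue; }
    if (!inPackages) continue;
    const m = line.match(/^  \/?((?:@[^/]+\/)?[^@/\s]+)@(\d+\.\d+\.\d+[^:(\s]*)/);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Returns "name@version" for each lockfile entry still inside an overridden range.
function findVulnerable(packageJsonText, lockText) {
  const overrides = parseOverrides(packageJsonText);
  return lockfilePackages(lockText)
    .filter((p) => overrides.some((o) => o.name === p.name &&
      compareVersions(parseVersion(p.version), o.below) < 0))
    .map((p) => `${p.name}@${p.version}`);
}

console.log('before overrides:', findVulnerable(SAMPLE_PACKAGE_JSON, LOCK_BEFORE));
console.log('after overrides: ', findVulnerable(SAMPLE_PACKAGE_JSON, LOCK_AFTER));
```

Run it against a real checkout by reading package.json and pnpm-lock.yaml with fs.readFileSync in place of the constructed strings; an empty result after pnpm install --frozen-lockfile is the property the bot's second check asserts. The parser is deliberately narrow: it understands only the "<X.Y.Z" key form this PR uses and ignores pre-release tags, so an override written with any other range syntax would be skipped rather than misjudged.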

@jitsu-code-review jitsu-code-review Bot left a comment


Reviewed override additions and the regenerated for correctness/security regressions.

No actionable bugs or user-visible regressions found in this changeset. The new overrides are consistent with existing range-scoped policy and the lockfile no longer includes the vulnerable versions targeted by this PR.

@jitsu-code-review jitsu-code-review Bot left a comment


Reviewed package.json override additions and the regenerated pnpm-lock.yaml for correctness and security regressions.

No actionable bugs or user-visible regressions found in this changeset. The new overrides follow the existing range-scoped policy, and the lockfile no longer includes the vulnerable versions targeted by this PR.
