fix(deps): override vulnerable transitive dependencies #1380
vklimontovich wants to merge 1 commit into
Resolves 11 high-severity Dependabot alerts: tar, yeoman-environment, serialize-javascript, parse-duration, underscore, sigstore. Lockfile also prunes stale importers (untracked local dirs) not present in the repo.
Reviewed the dependency-only changes in this PR: the new root overrides in package.json and the corresponding pnpm-lock.yaml re-resolution.
What I checked:
- Existing review threads (none open/resolved)
- Override/lockfile consistency for the newly added security constraints
- Whether vulnerable versions targeted by the new overrides still appear in the lockfile
- Whether the large lockfile shrink appears to come from removing stale importer entries
Findings:
- No actionable bugs, security regressions, or correctness issues identified in this changeset.
Reviewed override additions and the regenerated lockfile for correctness/security regressions.
No actionable bugs or user-visible regressions found in this changeset. The new overrides are consistent with existing range-scoped policy and the lockfile no longer includes the vulnerable versions targeted by this PR.
Reviewed package.json override additions and the regenerated pnpm-lock.yaml for correctness and security regressions.
No actionable bugs or user-visible regressions found in this changeset. The new overrides follow the existing range-scoped policy, and the lockfile no longer includes the vulnerable versions targeted by this PR.
Resolves all 11 open high-severity Dependabot alerts via range-scoped pnpm overrides, following the existing convention in root `package.json`:

- `tar@<7.5.11` → `^7.5.11` (6 CVEs — alerts 699, 701, 705, 719, 761, 763)
- `yeoman-environment@<6.0.1` → `^6.0.1` (alert 1030)
- `serialize-javascript@<7.0.3` → `^7.0.3` (alert 753)
- `parse-duration@<2.1.3` → `^2.1.3` (alert 505)
- `underscore@<1.13.8` → `^1.13.8` (alert 1027)
- `sigstore@<4.1.1` → `^4.1.1` (alert 1032)

The large lockfile diff is mostly pruning: the committed lockfile contained importers for `cli/build-scripts`, `examples/react-app`, `libs/core-functions`, `services/profiles`, directories that are not tracked in git (local leftovers in the checkout where the lockfile was last regenerated). A clean-checkout `pnpm install` removes them and their dependency trees. `pnpm install --frozen-lockfile` now matches a clean checkout exactly.

Typecheck passes across the monorepo (`pnpm codegen && pnpm typecheck`). The affected packages are dev-tooling chains (react-scripts, webpack-cli generators, yeoman), not runtime dependencies.
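The check the reviewers describe above (does any version matched by a new range-scoped override still appear in the regenerated lockfile?) can be automated. The following is an added example, not code from this PR or the repository: it takes an override table in pnpm's `name@range` key syntax (the ranges copy the PR description; the table itself is constructed here), scans constructed `pnpm-lock.yaml`-shaped excerpts with placeholder integrity values, and reports every `packages:` entry that an override should have displaced. It handles plain `x.y.z` versions, quoted scoped names and peer-dependency suffixes; pre-release versions are outside its scope.

```javascript
// Added example, not code from the PR or the repository: verify that a pnpm
// lockfile no longer resolves any version matched by a range-scoped override.
// The override table and both lockfile excerpts below are constructed.

// Override selectors use pnpm's "name@range" key syntax; the ranges mirror the
// PR description, but this table is assembled here for the example.
const overrides = {
  "tar@<7.5.11": "^7.5.11",
  "yeoman-environment@<6.0.1": "^6.0.1",
  "serialize-javascript@<7.0.3": "^7.0.3",
  "parse-duration@<2.1.3": "^2.1.3",
  "underscore@<1.13.8": "^1.13.8",
  "sigstore@<4.1.1": "^4.1.1",
};

// Constructed excerpts shaped like the `packages:` section of a v9 lockfile
// (keys look like `tar@7.5.11:`, scoped names are quoted, peer suffixes sit in
// parentheses). The integrity hashes are placeholders, not real values.
const lockfileBefore = `
lockfileVersion: '9.0'
packages:
  tar@6.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  tar@7.5.11:
    resolution: {integrity: sha512-PLACEHOLDER}
  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  underscore@1.13.8:
    resolution: {integrity: sha512-PLACEHOLDER}
  '@types/node@20.11.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  webpack-cli@5.1.4(webpack@5.89.0):
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  tar@6.2.1: {}
`;

const lockfileAfter = `
lockfileVersion: '9.0'
packages:
  tar@7.5.11:
    resolution: {integrity: sha512-PLACEHOLDER}
  serialize-javascript@7.0.3:
    resolution: {integrity: sha512-PLACEHOLDER}
  underscore@1.13.8:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Compare two plain x.y.z versions numerically. Pre-release tags are not
// handled; the lockfile parser below simply does not match such entries.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split "name@<1.2.3" (or "@scope/name@<1.2.3") into name, operator and bound.
function parseSelector(selector) {
  const at = selector.lastIndexOf("@");
  const m = /^(<=|<|>=|>|=)?(\d+\.\d+\.\d+)$/.exec(selector.slice(at + 1));
  if (at <= 0 || !m) throw new Error(`unsupported override selector: ${selector}`);
  return { name: selector.slice(0, at), op: m[1] || "=", bound: m[2] };
}

function rangeMatches(op, bound, version) {
  const c = compareVersions(version, bound);
  switch (op) {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

// Collect {name, version} for every key directly under the `packages:` map.
function listLockfilePackages(text) {
  const found = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level key
    if (!inPackages) continue;
    const m = /^  '?(@?[^@\s']+)@(\d+\.\d+\.\d+)(?:\([^)]*\))*'?:\s*$/.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Return one line per lockfile entry that an override should have displaced
// but that is still resolved; an empty array means the overrides took effect.
function findUnresolvedOverrides(overrideTable, lockfileText) {
  const packages = listLockfilePackages(lockfileText);
  const hits = [];
  for (const selector of Object.keys(overrideTable)) {
    const { name, op, bound } = parseSelector(selector);
    for (const p of packages) {
      if (p.name === name && rangeMatches(op, bound, p.version)) {
        hits.push(`${p.name}@${p.version} still resolved; override ${selector} -> ${overrideTable[selector]}`);
      }
    }
  }
  return hits;
}

// Stand-alone usage: the "before" excerpt reports two stale entries, the
// "after" excerpt reports none.
for (const hit of findUnresolvedOverrides(overrides, lockfileBefore)) console.log(hit);
console.log(`after: ${findUnresolvedOverrides(overrides, lockfileAfter).length} stale entries`);
```

In a real checkout the override table would be read from the root `package.json` (`pnpm.overrides`) and the text from `pnpm-lock.yaml`; running the check in CI after `pnpm install --frozen-lockfile` makes a reappearing vulnerable version fail the build instead of waiting for the next Dependabot alert.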