Skip to content

Security: Add global PNPM overrides for vulnerable dependencies#10

Closed
ArtyomSavchenko wants to merge 3 commits into
developfrom
claude/dependency-vulnerabilities-minor-wy1vip
Closed

Security: Add global PNPM overrides for vulnerable dependencies#10
ArtyomSavchenko wants to merge 3 commits into
developfrom
claude/dependency-vulnerabilities-minor-wy1vip

Conversation

@ArtyomSavchenko

Copy link
Copy Markdown
Member

Summary

This PR adds PNPM global overrides across multiple configuration files to enforce patched versions of vulnerable transitive dependencies, ensuring consistent security updates across the monorepo.

Key Changes

  • common/config/rush/pnpm-config.json: Added comprehensive globalOverrides section with 31 vulnerable dependency pins, including:

    • XML/parsing libraries (xmldom, fast-xml-parser, svgo)
    • Utility libraries (lodash, underscore, flatted, immutable)
    • Pattern matching (minimatch, glob, linkify-it)
    • Network/protocol libraries (ws, undici, node-forge, basic-ftp)
    • Other critical deps (protobufjs, tar, tmp, form-data)
  • services/ai-bot/love-agent/package.json: Added local pnpm.overrides for 4 critical dependencies (flatted, ws@8, minimatch@3, minimatch@9) to ensure this service uses patched versions

  • foundations/utils/common/config/rush/pnpm-config.json: Added globalOverrides for 4 dependencies (flatted, immutable, minimatch@3, minimatch@9)

  • foundations/net/common/config/rush/pnpm-config.json: Added globalOverrides for 3 dependencies (flatted, minimatch@3, minimatch@9)

Implementation Details

  • All overrides target non-major patched versions to avoid breaking changes
  • Version-specific overrides (e.g., minimatch@3, minimatch@9) allow different major versions to use their respective patched releases
  • The main configuration serves as the source of truth with comprehensive coverage, while service-specific and foundation-specific configs pin only the most critical dependencies relevant to their scope

https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd

claude added 2 commits July 11, 2026 03:15
Pin patched (patch/minor, non-major) versions of transitive dependencies
flagged by Dependabot, via pnpm globalOverrides in the affected Rush
workspaces (regenerated lockfiles) and pnpm.overrides in the standalone
love-agent project. Only fixes reachable without a major-version bump are
included here; major-only fixes are intentionally left out.

Root Rush workspace (common/config/rush):
- basic-ftp 5.2.0 -> 5.3.1 (CRLF cmd injection, DoS)
- @isaacs/brace-expansion 5.0.0 -> 5.0.1 (ReDoS/resource consumption)
- @xmldom/xmldom 0.8.11 -> 0.8.13 (XML injection, DoS)
- fast-uri 3.1.0 -> 3.1.3 (path traversal, host confusion)
- fast-xml-parser 4.5.4 -> 4.5.7, 5.3.5 -> 5.7.3 (entity-expansion DoS)
- flatted 3.3.3 -> 3.4.2 (prototype pollution, recursion DoS)
- form-data 2.5.5 -> 2.5.6, 4.0.4 -> 4.0.6 (CRLF injection)
- glob 10.4.5 -> 10.5.0 (CLI command injection)
- immutable 5.1.4 -> 5.1.9 (prototype pollution)
- linkify-it 5.0.0 -> 5.0.2 (quadratic complexity)
- lodash 4.17.21 -> 4.18.1, lodash-es -> 4.18.1 (code injection, proto pollution)
- minimatch 3.1.2->3.1.4, 5.1.6->5.1.8, 9.0.x->9.0.7, 10.1.1->10.2.3 (ReDoS)
- node-forge 1.3.1 -> 1.4.0 (ASN.1 issues, signature forgery, DoS)
- protobufjs 7.5.5 -> 7.6.5 (code injection, proto pollution, DoS)
- svgo 2.8.0 -> 2.8.2 (billion laughs DoS)
- tar 7.5.2 -> 7.5.19 (path traversal, symlink poisoning)
- tmp 0.2.5 -> 0.2.7 (path traversal)
- underscore 1.13.7 -> 1.13.8 (recursion DoS)
- undici 7.18.2 -> 7.28.0 (WebSocket DoS, request smuggling)
- ws 7.5.10->7.5.11, 8.18.x->8.21.0 (memory exhaustion DoS)

foundations/net, foundations/utils Rush workspaces: flatted, minimatch,
immutable bumped to the same patched versions.

services/ai-bot/love-agent: flatted 3.3.2 -> 3.4.2, ws 8.18.2 -> 8.21.0,
minimatch -> 3.1.4/9.0.7.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
…files

Apply the same patched (non-major) transitive-dependency versions to the
foundations/server, foundations/core and foundations/communication Rush
pnpm lockfiles. These subspaces cannot be regenerated in isolation here
(their package.json files reference @hcengineering/platform-rig via the
workspace: protocol but the project is not present in the subspace), so
the lockfiles were edited surgically — integrity hashes and transitive
closures were taken from the already-regenerated root lockfile.

- flatted 3.3.3 -> 3.4.2
- minimatch 3.1.2 -> 3.1.4, 9.0.3 -> 9.0.7 (pulls brace-expansion 5.0.7,
  balanced-match 4.0.4)
- linkify-it 5.0.0 -> 5.0.2
- lodash 4.17.21 -> 4.18.1 (server)
- ws 8.18.3 -> 8.21.0 (server, core)
- fast-xml-parser 4.5.4 -> 4.5.7, 5.3.5 -> 5.7.3 (server; pulls
  fast-xml-builder, @nodable/entities, path-expression-matcher,
  xml-naming, strnum 2.4.1, anynum)
- protobufjs 7.5.5 -> 7.6.5 (core; pulls @protobufjs codegen/eventemitter/
  fetch/utf8 point releases)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
@ArtyomSavchenko ArtyomSavchenko marked this pull request as draft July 11, 2026 03:35
The pnpm range-form overrides for ws, form-data and tar rewrote the
importer `specifier` fields of projects that depend on those packages
directly (e.g. pod-ai-bot, pod-export, desktop), so the specifiers no
longer matched package.json and `rush install` reported the shrinkwrap
as out of date.

These packages already resolve to the patched versions via normal
highest-version resolution (the caret ranges in package.json admit them),
so the overrides were unnecessary for them. Dropped the ws@7/ws@8,
form-data@4 and tar@7 overrides and regenerated the lockfile; ws stays at
7.5.11/8.21.0, form-data at 2.5.6/4.0.6, tar at 7.5.19. The transitive-only
form-data@2 override is kept. Verified with a frozen `rush install`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants