Security: Add global PNPM overrides for vulnerable dependencies#10
Closed
ArtyomSavchenko wants to merge 3 commits into
Closed
Security: Add global PNPM overrides for vulnerable dependencies#10ArtyomSavchenko wants to merge 3 commits into
ArtyomSavchenko wants to merge 3 commits into
Conversation
Pin patched (patch/minor, non-major) versions of transitive dependencies flagged by Dependabot, via pnpm globalOverrides in the affected Rush workspaces (regenerated lockfiles) and pnpm.overrides in the standalone love-agent project. Only fixes reachable without a major-version bump are included here; major-only fixes are intentionally left out. Root Rush workspace (common/config/rush): - basic-ftp 5.2.0 -> 5.3.1 (CRLF cmd injection, DoS) - @isaacs/brace-expansion 5.0.0 -> 5.0.1 (ReDoS/resource consumption) - @xmldom/xmldom 0.8.11 -> 0.8.13 (XML injection, DoS) - fast-uri 3.1.0 -> 3.1.3 (path traversal, host confusion) - fast-xml-parser 4.5.4 -> 4.5.7, 5.3.5 -> 5.7.3 (entity-expansion DoS) - flatted 3.3.3 -> 3.4.2 (prototype pollution, recursion DoS) - form-data 2.5.5 -> 2.5.6, 4.0.4 -> 4.0.6 (CRLF injection) - glob 10.4.5 -> 10.5.0 (CLI command injection) - immutable 5.1.4 -> 5.1.9 (prototype pollution) - linkify-it 5.0.0 -> 5.0.2 (quadratic complexity) - lodash 4.17.21 -> 4.18.1, lodash-es -> 4.18.1 (code injection, proto pollution) - minimatch 3.1.2->3.1.4, 5.1.6->5.1.8, 9.0.x->9.0.7, 10.1.1->10.2.3 (ReDoS) - node-forge 1.3.1 -> 1.4.0 (ASN.1 issues, signature forgery, DoS) - protobufjs 7.5.5 -> 7.6.5 (code injection, proto pollution, DoS) - svgo 2.8.0 -> 2.8.2 (billion laughs DoS) - tar 7.5.2 -> 7.5.19 (path traversal, symlink poisoning) - tmp 0.2.5 -> 0.2.7 (path traversal) - underscore 1.13.7 -> 1.13.8 (recursion DoS) - undici 7.18.2 -> 7.28.0 (WebSocket DoS, request smuggling) - ws 7.5.10->7.5.11, 8.18.x->8.21.0 (memory exhaustion DoS) foundations/net, foundations/utils Rush workspaces: flatted, minimatch, immutable bumped to the same patched versions. services/ai-bot/love-agent: flatted 3.3.2 -> 3.4.2, ws 8.18.2 -> 8.21.0, minimatch -> 3.1.4/9.0.7. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
…files Apply the same patched (non-major) transitive-dependency versions to the foundations/server, foundations/core and foundations/communication Rush pnpm lockfiles. These subspaces cannot be regenerated in isolation here (their package.json files reference @hcengineering/platform-rig via the workspace: protocol but the project is not present in the subspace), so the lockfiles were edited surgically — integrity hashes and transitive closures were taken from the already-regenerated root lockfile. - flatted 3.3.3 -> 3.4.2 - minimatch 3.1.2 -> 3.1.4, 9.0.3 -> 9.0.7 (pulls brace-expansion 5.0.7, balanced-match 4.0.4) - linkify-it 5.0.0 -> 5.0.2 - lodash 4.17.21 -> 4.18.1 (server) - ws 8.18.3 -> 8.21.0 (server, core) - fast-xml-parser 4.5.4 -> 4.5.7, 5.3.5 -> 5.7.3 (server; pulls fast-xml-builder, @nodable/entities, path-expression-matcher, xml-naming, strnum 2.4.1, anynum) - protobufjs 7.5.5 -> 7.6.5 (core; pulls @protobufjs codegen/eventemitter/ fetch/utf8 point releases) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
The pnpm range-form overrides for ws, form-data and tar rewrote the importer `specifier` fields of projects that depend on those packages directly (e.g. pod-ai-bot, pod-export, desktop), so the specifiers no longer matched package.json and `rush install` reported the shrinkwrap as out of date. These packages already resolve to the patched versions via normal highest-version resolution (the caret ranges in package.json admit them), so the overrides were unnecessary for them. Dropped the ws@7/ws@8, form-data@4 and tar@7 overrides and regenerated the lockfile; ws stays at 7.5.11/8.21.0, form-data at 2.5.6/4.0.6, tar at 7.5.19. The transitive-only form-data@2 override is kept. Verified with a frozen `rush install`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds PNPM global overrides across multiple configuration files to enforce patched versions of vulnerable transitive dependencies, ensuring consistent security updates across the monorepo.
Key Changes
common/config/rush/pnpm-config.json: Added comprehensive
globalOverridessection with 31 vulnerable dependency pins, including:services/ai-bot/love-agent/package.json: Added local
pnpm.overridesfor 4 critical dependencies (flatted, ws@8, minimatch@3, minimatch@9) to ensure this service uses patched versionsfoundations/utils/common/config/rush/pnpm-config.json: Added
globalOverridesfor 4 dependencies (flatted, immutable, minimatch@3, minimatch@9)foundations/net/common/config/rush/pnpm-config.json: Added
globalOverridesfor 3 dependencies (flatted, minimatch@3, minimatch@9)Implementation Details
minimatch@3,minimatch@9) allow different major versions to use their respective patched releaseshttps://claude.ai/code/session_016qTfxgaq78ErKCNt54Wfnd