Fix/pnpm security overrides#501
Conversation
Patch vulnerable transitive dependencies via pnpm.overrides. Each parent is already latest/pins exact, so overrides are the only fix: - hono ^4.12.25 — GHSA-88fw-hqm2-52qc (high, CORS) + 4 moderate; @prisma/dev@0.24.3 ranges ^4.12.8 but lockfile was stuck on 4.12.23 - @opentelemetry/{core,resources,sdk-trace-base} ^2.8.0 — core <2.8.0 advisory; @sentry/node 10.57 pins the otel set at 2.6.1, overriding all three keeps the tree aligned - js-yaml@4 ^4.2.0 — patches the cosmiconfig (commitlint) instance; scoped to v4 because gray-matter (prod) pins js-yaml ^3 and uses the removed safeLoad API — a global override breaks the build - @babel/core@7 ^7.29.6 — low advisory via jest's istanbul tooling Existing @hono/node-server and postcss overrides verified still load-bearing (removal re-introduces findings); kept. Known remaining: js-yaml 3.14.2 (moderate, no 3.x patch exists) via gray-matter and jest coverage tooling. Below the prod --audit-level=high gate; no upgrade path until gray-matter drops js-yaml 3.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthrough
ChangesDependency and tooling updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Lighthouse Results
|
Summary by CodeRabbit