Skip to content

Fix/pnpm security overrides#501

Merged
Shramkoweb merged 2 commits into
mainfrom
fix/pnpm-security-overrides
Jun 24, 2026
Merged

Fix/pnpm security overrides#501
Shramkoweb merged 2 commits into
mainfrom
fix/pnpm-security-overrides

Conversation

@Shramkoweb

@Shramkoweb Shramkoweb commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Summary by CodeRabbit

  • Chores
    • Updated several project dependencies and build tools to newer versions.
    • Refined package version overrides to keep key libraries on consistent, pinned releases.
    • Bumped the package manager version for improved tooling consistency.

Patch vulnerable transitive dependencies via pnpm.overrides. Each
parent is already latest/pins exact, so overrides are the only fix:

- hono ^4.12.25 — GHSA-88fw-hqm2-52qc (high, CORS) + 4 moderate;
  @prisma/dev@0.24.3 ranges ^4.12.8 but lockfile was stuck on 4.12.23
- @opentelemetry/{core,resources,sdk-trace-base} ^2.8.0 — core <2.8.0
  advisory; @sentry/node 10.57 pins the otel set at 2.6.1, overriding
  all three keeps the tree aligned
- js-yaml@4 ^4.2.0 — patches the cosmiconfig (commitlint) instance;
  scoped to v4 because gray-matter (prod) pins js-yaml ^3 and uses the
  removed safeLoad API — a global override breaks the build
- @babel/core@7 ^7.29.6 — low advisory via jest's istanbul tooling

Existing @hono/node-server and postcss overrides verified still
load-bearing (removal re-introduces findings); kept.

Known remaining: js-yaml 3.14.2 (moderate, no 3.x patch exists) via
gray-matter and jest coverage tooling. Below the prod --audit-level=high
gate; no upgrade path until gray-matter drops js-yaml 3.
@Shramkoweb Shramkoweb self-assigned this Jun 24, 2026
@vercel

vercel Bot commented Jun 24, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
portfolio Ready Ready Preview Jun 24, 2026 8:33am

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d10263b4-497b-40d9-9b38-1cf86e355477

📥 Commits

Reviewing files that changed from the base of the PR and between 1e5e5f0 and 5ca6bae.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

package.json bumps swr to 2.4.2, @tailwindcss/postcss and tailwindcss to 4.3.1, and packageManager to pnpm@10.34.4. The pnpm.overrides section is extended with forced version pins for hono, multiple @opentelemetry/* packages, js-yaml@4, and @babel/core@7.

Changes

Dependency and tooling updates

Layer / File(s) Summary
Dependency version bumps and pnpm overrides
package.json
Bumps swr (2.4.1→2.4.2), @tailwindcss/postcss and tailwindcss (4.3.0→4.3.1), and packageManager (pnpm 10.34.3→10.34.4). Extends pnpm.overrides to pin hono, several @opentelemetry/* packages, js-yaml@4, and @babel/core@7.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Hop, hop, versions climb,
A patch here, a patch there in time,
Overrides nailed down tight,
Telemetry locked just right,
The garden stays fresh and prime! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: updating pnpm security overrides and related dependency pins.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/pnpm-security-overrides

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

Lighthouse Results

URL Perf A11y BP SEO LCP FCP TBT CLS
/ 53 96 96 69 4.28s 1.55s 4452ms 0.000
/ 97 96 96 69 2.06s 0.92s 174ms 0.000
/blog 89 100 96 66 2.10s 1.20s 402ms 0.000
/blog 89 100 96 66 1.89s 0.99s 416ms 0.000
/about 89 96 93 69 3.42s 0.92s 177ms 0.000
/about 97 96 93 69 2.12s 0.92s 156ms 0.000
/ 97 96 96 69 2.06s 0.92s 163ms 0.000
/blog 85 100 96 66 2.57s 0.99s 462ms 0.000
/about 98 96 93 69 2.27s 0.92s 111ms 0.000

@Shramkoweb
Shramkoweb merged commit 1e40e74 into main Jun 24, 2026
13 checks passed
@Shramkoweb
Shramkoweb deleted the fix/pnpm-security-overrides branch June 24, 2026 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant