Remove npm overrides once @cursor/sdk bumps vulnerable transitive deps

PR #2 adds `overrides` in package.json to pin patched versions of `@cursor/sdk@1.0.18`'s transitive deps (no upstream fix available):

- `tar` `^7.5.10` — consumed by `sqlite3 → node-gyp@8 / cacache` (install-time only)
- `undici` `^6.24.0` — consumed by `@connectrpc/connect-node@1.7.0`
- `@tootallnate/once` `^2.0.1` — optional install tooling

Remove each override once `@cursor/sdk` (> 1.0.18) ships a version whose transitive deps already satisfy the security floor.

**Check after a `@cursor/sdk` bump:**
1. Bump `@cursor/sdk`, remove the relevant override(s), `npm install`.
2. `npm ls tar undici @tootallnate/once` — confirm acceptable versions resolve without the override.
3. `npm audit --registry https://registry.npmjs.org --audit-level=moderate` -> 0.

Rationale + analysis: `docs/dependencies.md`.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove npm overrides once @cursor/sdk bumps vulnerable transitive deps #5

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Remove npm overrides once @cursor/sdk bumps vulnerable transitive deps #5

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions