Bumped 11 vulnerable transitive deps via pnpm.overrides

[9larsons]

Summary

Adds 11 entries to the root pnpm.overrides block to force vulnerable transitive deps forward, without touching any direct deps. All replacement versions are pinned with ^x.y.z to keep upgrades within the existing major.

Modules: @tootallnate/once, clean-css, debug (×2 ranges), diff (×2 ranges), handlebars, minimatch (×2 ranges), qs, tmp

Audit delta: pnpm audit 153 → 123 (−1 crit, −14 high, −4 mod, −11 low)

Notes

• handlebars and tmp are direct deps in ghost/core but already match the override-target version, so this is a no-op for direct deps.
• Transitive major-version jumps (clean-css 3 → 4, tmp 0.0.x → 0.2.5, diff 1 → 3, minimatch 0 → 3) are confined to the Ember admin dev/build toolchain (broccoli-clean-css, mocha 2.5.3, sane, external-editor, fixturify-project); none reach production runtime, public apps, or ghost/core/server/.
• Lockfile shrank by ~110 lines from override deduplication.

Test plan

• pnpm install — clean
• pnpm test (15 unit-test projects, excluding e2e and ghost-admin) — pass
• pnpm --filter ghost-admin run build — exit 0
• pnpm --filter ghost-admin run test — 1065 / 1065 passing
• CI green
• No regressions in admin asset pipeline (pnpm dev → load /ghost)

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 870a87b3-4c76-47b6-a37d-e886c11087e7

📥 Commits

Reviewing files that changed from the base of the PR and between 6946c63 and 6aab219.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

Walkthrough

The package.json file was modified to update the pnpm.overrides configuration. The lodash.template dependency remains pinned to version 4.5.0. Additionally, new override entries were added for eight transitive dependencies: @tootallnate/once, clean-css, debug, diff, handlebars, minimatch, qs, and tmp. These overrides specify conditional version constraints using semver selectors to control how pnpm resolves different versions of these packages. No public API exports or entity declarations were changed in this modification.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Bumped 11 vulnerable transitive deps via pnpm.overrides' accurately summarizes the main change: updating package.json's pnpm.overrides block to address 11 vulnerable transitive dependencies.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing context about the vulnerability fixes, audit delta, affected modules, and test results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dep-bumps/batch-a-overrides

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

docs/dep-bumps.md (1)

230-236: Add a language to the fenced code block (markdownlint MD040).

📝 Proposed fix

-```
+```bash
 pnpm install                        # refresh lockfile
 pnpm audit --json | jq '.metadata.vulnerabilities'   # confirm count drops
 pnpm nx run-many -t build           # build check
 pnpm nx run-many -t test            # unit tests
 pnpm --filter `@tryghost/e2e` test    # e2e (only if touched workspace matters)

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against the current code and only fix it if needed.

In @docs/dep-bumps.md around lines 230 - 236, The fenced code block containing
the pnpm commands (the block starting with the three backticks before "pnpm
install" and ending after "pnpm --filter @tryghost/e2e test") needs a language
tag to satisfy markdownlint MD040; update the opening fence to use "```bash"
(and keep the closing fence) so the block is explicitly marked as bash/sh and no
other content needs changing.

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @docs/dep-bumps.md:

• Around line 70-82: The example in the Batch A JSON block uses ">=" range
  specifiers on the RHS (e.g. entries like "minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
  "debug@>=4.0.0 <4.3.1": ">=4.3.1") which contradicts the override-hygiene rule;
  update each RHS to the exact pinned version that actually shipped (replace all
  ">=x.y.z" RHS values with their corresponding exact versions from the committed
  package.json) so the snippet matches the real overrides and avoids reintroducing
  the minimatch@10 resolution bug.

---

Nitpick comments:
In @docs/dep-bumps.md:

• Around line 230-236: The fenced code block containing the pnpm commands (the
  block starting with the three backticks before "pnpm install" and ending after
  "pnpm --filter @tryghost/e2e test") needs a language tag to satisfy markdownlint
  MD040; update the opening fence to use "```bash" (and keep the closing fence) so
  the block is explicitly marked as bash/sh and no other content needs changing.

</details>

<details>
<summary>🪄 Autofix (Beta)</summary>

Fix all unresolved CodeRabbit comments on this PR:

- [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended)
- [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes

</details>

---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Path: .coderabbit.yaml

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `93450ae4-ce44-47d5-b249-7aae7fd4eb39`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between b11949015d0f7292aa92ae328378ee6c187476da and 6946c63c1b5e8f54f6204d9036d742a1307051bc.

</details>

<details>
<summary>⛔ Files ignored due to path filters (1)</summary>

* `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`

</details>

<details>
<summary>📒 Files selected for processing (2)</summary>

* `docs/dep-bumps.md`
* `package.json`

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.14%. Comparing base (10da091) to head (6aab219).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27569   +/-   ##
=======================================
  Coverage   73.14%   73.14%           
=======================================
  Files        1557     1557           
  Lines      126175   126189   +14     
  Branches    15310    15309    -1     
=======================================
+ Hits        92289    92305   +16     
+ Misses      32927    32907   -20     
- Partials      959      977   +18     

Flag	Coverage Δ
admin-tests	49.80% <ø> (+0.01%)	⬆️
e2e-tests	73.14% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.