fix: resolve test-app dependabot alerts#649
Conversation
The postcss/uuid overrides added in #464 stopped applying once test-app ended up nested under the repo-root pnpm-workspace.yaml: pnpm only honors overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions.

Move the overrides into a dedicated examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are honored, and add scoped overrides for the two remaining alerts:

- postcss 8.4.49 -> 8.5.12 (XSS in CSS stringify)
- uuid 7.0.3 -> 14.0.0 (missing buffer bounds check)
- ws@8 8.20.0 -> 8.21.0 (uninitialized memory disclosure)
- brace-expansion@5 5.0.5 -> 5.0.6 (ReDoS / max bypass)

ws and brace-expansion overrides are scoped to the vulnerable majors so the non-vulnerable ws@7 / brace-expansion@1 copies in the tree are left untouched.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f729f436f7
| @@ -0,0 +1,6 @@ | |||
| overrides: | |||
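Review bot: The new file begins with `overrides:` on its first line, so nothing in this commit records why a second pnpm-workspace.yaml exists under examples/test-app (it is there only so pnpm treats test-app as its own root and honors the overrides). Add a leading `#` comment stating that, because a later cleanup that removes the file as redundant would silently reintroduce the lockfile drift the PR description describes.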
Keep overrides reachable for documented installs
The documented install paths still run `pnpm install --dir examples/test-app --ignore-workspace` from the root script and `pnpm install --ignore-workspace` in examples/test-app/README.md; `--ignore-workspace` makes pnpm behave as if no pnpm-workspace.yaml exists, so these newly moved overrides are not applied on the normal setup path. After a contributor runs the documented install, pnpm can either rewrite the lockfile back without the security overrides or report the lockfile overrides/config as mismatched, which defeats the Dependabot-alert fix this commit is trying to make durable.
- Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op.
- Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
Summary

Resolves all 4 open Dependabot alerts, all transitive deps in examples/test-app/pnpm-lock.yaml.

The postcss/uuid overrides added in #464 had stopped applying: once test-app ended up nested under the repo-root pnpm-workspace.yaml, pnpm only honored overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions.

Fix

- Move the overrides into examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are actually honored (the canonical location in pnpm 10+).
- Remove the `pnpm` field from package.json (single source of truth).
- Overrides: postcss, uuid, ws@8, brace-expansion@5 (max bypass).
- ws and brace-expansion overrides are scoped to the vulnerable majors (ws@8, brace-expansion@5) so the non-vulnerable ws@7 / brace-expansion@1 copies elsewhere in the tree are left untouched.

Notes

- uuid 7→14 (forced by the existing override, used by xcode). API-compatible — `uuid.v1()`/`v4()` named exports work via `require` across v7→v14.
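An added check, not code from this PR or the project: a small Python script that reads the `packages:` keys of a pnpm-lock.yaml and reports every copy whose resolved version sits below the override floor, honoring the `ws@8` / `brace-expansion@5` major scoping exactly as pnpm does, so the silent drift described above (or a `--ignore-workspace` install rewriting the lockfile) is caught in CI rather than by the next Dependabot alert. The `OVERRIDES` table mirrors this PR's values; the embedded lockfile text and its `sha512-constructed` integrity strings are constructed sample input.

```python
import re

# Constructed sample (not a real lockfile): a pnpm-lock.yaml v9 packages: section
# in which the ws@8 override has NOT taken effect, while ws@7 and brace-expansion@1
# are non-vulnerable majors that the scoped overrides must leave alone.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
packages:
  brace-expansion@1.1.11:
    resolution: {integrity: sha512-constructed}
  brace-expansion@5.0.6:
    resolution: {integrity: sha512-constructed}
  postcss@8.5.12:
    resolution: {integrity: sha512-constructed}
  uuid@14.0.0:
    resolution: {integrity: sha512-constructed}
  ws@7.5.10:
    resolution: {integrity: sha512-constructed}
  ws@8.20.0:
    resolution: {integrity: sha512-constructed}
"""

# Selector -> minimum safe version, mirroring this PR's overrides. A bare name
# applies to every copy of the package; `name@N` only to copies with major N.
OVERRIDES = {"postcss": "8.5.12", "uuid": "14.0.0",
             "ws@8": "8.21.0", "brace-expansion@5": "5.0.6"}

# Package keys sit at two-space indent and look like `ws@8.20.0:` or `@scope/pkg@1.2.3:`.
PKG_RE = re.compile(r"^  (?P<name>@?[^@\s]+)@(?P<ver>\d+\.\d+\.\d+):$", re.M)
SEL_RE = re.compile(r"(?P<name>@?[^@]+)(?:@(?P<major>\d+))?")

def vtuple(v):
    return tuple(int(p) for p in v.split("."))

def parse_versions(lock_text):
    """Distinct (name, version) pairs for every package entry in the lockfile."""
    return sorted({(m["name"], m["ver"]) for m in PKG_RE.finditer(lock_text)})

def vulnerable_entries(lock_text, overrides):
    """(name, resolved, required) for each copy an override should have lifted."""
    bad = []
    for name, ver in parse_versions(lock_text):
        for selector, floor in overrides.items():
            sel = SEL_RE.fullmatch(selector)
            if sel["name"] != name:
                continue
            if sel["major"] is not None and sel["major"] != ver.split(".")[0]:
                continue  # e.g. ws@7 is outside the ws@8 selector: not checked
            if vtuple(ver) < vtuple(floor):
                bad.append((name, ver, floor))
    return bad
```

In CI, run `vulnerable_entries` over the real examples/test-app/pnpm-lock.yaml after the documented install and fail the job if it returns anything.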