From f729f436f745c3815337321193857be0bd4259dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Mon, 1 Jun 2026 19:11:40 +0200
Subject: [PATCH 1/2] fix: resolve test-app dependabot alerts

The postcss/uuid overrides added in #464 stopped applying once test-app ended up nested under the repo-root pnpm-workspace.yaml: pnpm only honors overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions.

Move the overrides into a dedicated examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are honored, and add scoped overrides for the two remaining alerts:
- postcss 8.4.49 -> 8.5.12 (XSS in CSS stringify)
- uuid 7.0.3 -> 14.0.0 (missing buffer bounds check)
- ws@8 8.20.0 -> 8.21.0 (uninitialized memory disclosure)
- brace-expansion@5 5.0.5 -> 5.0.6 (ReDoS / max bypass)

ws and brace-expansion overrides are scoped to the vulnerable majors so the non-vulnerable ws@7 / brace-expansion@1 copies in the tree are left untouched.
---
 examples/test-app/package.json | 7 -----
 examples/test-app/pnpm-lock.yaml | 40 +++++++++++++++------------
 examples/test-app/pnpm-workspace.yaml | 6 ++++
 3 files changed, 29 insertions(+), 24 deletions(-)
 create mode 100644 examples/test-app/pnpm-workspace.yaml

diff --git a/examples/test-app/package.json b/examples/test-app/package.json
index 1f7916bcf..7278441d2 100644
--- a/examples/test-app/package.json
+++ b/examples/test-app/package.json
@@ -26,12 +26,5 @@
 "devDependencies": {
 "@types/react": "~19.2.2",
 "typescript": "~5.9.2"
- },
- "pnpm": {
- "overrides": {
- "@xmldom/xmldom": "0.8.13",
- "postcss": "8.5.12",
- "uuid": "14.0.0"
- }
 }
 }
diff --git a/examples/test-app/pnpm-lock.yaml b/examples/test-app/pnpm-lock.yaml
index 9b0e7f8d7..5efa6c3bb 100644
--- a/examples/test-app/pnpm-lock.yaml
+++ b/examples/test-app/pnpm-lock.yaml
@@ -4,6 +4,13 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + '@xmldom/xmldom': 0.8.13 + postcss: 8.5.12 + uuid: 14.0.0 + ws@8: ^8.20.1 + brace-expansion@5: ^5.0.6 + importers: .: @@ -1337,8 +1344,8 @@ packages: brace-expansion@1.1.13: resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==} - brace-expansion@5.0.5: - resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} + brace-expansion@5.0.6: + resolution: {integrity: sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==} engines: {node: 18 || 20 || >=22} braces@3.0.3: @@ -2351,8 +2358,8 @@ packages: resolution: {integrity: sha512-NCrCHhWmnQklfH4MtJMRjZ2a8c80qXeMlQMv2uVp9ISJMTt562SbGd6n2oq0PaPgKm7Z6pL9E2UlLIhC+SHL3w==} engines: {node: '>=4.0.0'} - postcss@8.4.49: - resolution: {integrity: sha512-OCVPnIObs4N29kxTjzLfUryOkvZEq+pf8jTF0lg8E7uETuWHA+v7j3c/xJmiqpX450191LlmZfUKkXxkTry7nA==} + postcss@8.5.12: + resolution: {integrity: sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==} engines: {node: ^10 || ^12 || >=14} pretty-format@29.7.0: @@ -2808,9 +2815,8 @@ packages: resolution: {integrity: sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==} engines: {node: '>= 0.4.0'} - uuid@7.0.3: - resolution: {integrity: sha512-DPSke0pXhTZgoF/d+WSt2QaKMCFSfx7QegxEWT+JOuHF5aWrKEn0G+ztjuJg/gG8/ItK+rbPCD/yNv8yyih6Cg==} - deprecated: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). + uuid@14.0.0: + resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==} hasBin: true validate-npm-package-name@5.0.1: 
@@ -2873,8 +2879,8 @@ packages: utf-8-validate: optional: true - ws@8.20.0: - resolution: {integrity: sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==} + ws@8.21.0: + resolution: {integrity: sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -3584,7 +3590,7 @@ snapshots: terminal-link: 2.1.1 toqr: 0.1.1 wrap-ansi: 7.0.0 - ws: 8.20.0 + ws: 8.21.0 zod: 3.25.76 optionalDependencies: expo-router: 55.0.11(@expo/log-box@55.0.10)(@expo/metro-runtime@55.0.9)(@types/react@19.2.14)(expo-constants@55.0.12)(expo-font@55.0.6)(expo-linking@55.0.11)(expo@55.0.12)(react-dom@19.2.4(react@19.2.0))(react-native-gesture-handler@2.31.2(react-native@0.83.4(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0))(react-native-safe-area-context@5.6.2(react-native@0.83.4(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0))(react-native-screens@4.23.0(react-native@0.83.4(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0))(react-native@0.83.4(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0) @@ -3738,7 +3744,7 @@ snapshots: jsc-safe-url: 0.2.4 lightningcss: 1.32.0 picomatch: 4.0.4 - postcss: 8.4.49 + postcss: 8.5.12 resolve-from: 5.0.0 optionalDependencies: expo: 55.0.12(@babel/core@7.29.0)(@expo/dom-webview@55.0.5)(@expo/metro-runtime@55.0.9)(expo-router@55.0.11)(react-dom@19.2.4(react@19.2.0))(react-native@0.83.4(@babel/core@7.29.0)(@types/react@19.2.14)(react@19.2.0))(react@19.2.0)(typescript@5.9.3) @@ -4622,7 +4628,7 @@ snapshots: balanced-match: 1.0.2 concat-map: 0.0.1 - brace-expansion@5.0.5: + brace-expansion@5.0.6: dependencies: balanced-match: 4.0.4 @@ -5577,7 +5583,7 @@ snapshots: minimatch@10.2.5: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 5.0.6 minimatch@3.1.5: dependencies: 
@@ -5705,7 +5711,7 @@ snapshots: pngjs@3.4.0: {} - postcss@8.4.49: + postcss@8.5.12: dependencies: nanoid: 3.3.11 picocolors: 1.1.1
@@ -6146,7 +6152,7 @@ snapshots: utils-merge@1.0.1: {} - uuid@7.0.3: {} + uuid@14.0.0: {} validate-npm-package-name@5.0.1: {}
@@ -6196,12 +6202,12 @@ snapshots: ws@7.5.10: {} - ws@8.20.0: {} + ws@8.21.0: {} xcode@3.0.1: dependencies: simple-plist: 1.3.1 - uuid: 7.0.3 + uuid: 14.0.0 xml2js@0.6.0: dependencies:
diff --git a/examples/test-app/pnpm-workspace.yaml b/examples/test-app/pnpm-workspace.yaml
new file mode 100644
index 000000000..68b5690b5
--- /dev/null
+++ b/examples/test-app/pnpm-workspace.yaml
@@ -0,0 +1,6 @@
+overrides:
+ '@xmldom/xmldom': 0.8.13
+ postcss: 8.5.12
+ uuid: 14.0.0
+ ws@8: ^8.20.1
+ brace-expansion@5: ^5.0.6

From 217e19022e15b2509c6a00d019b717920fb7574f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Mon, 1 Jun 2026 19:19:04 +0200
Subject: [PATCH 2/2] chore: drop dead lodash-es override, document test-app workspace

- Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op.
- Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
---
 examples/test-app/pnpm-workspace.yaml | 8 ++++++++
 package.json | 5 -----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/examples/test-app/pnpm-workspace.yaml b/examples/test-app/pnpm-workspace.yaml
index 68b5690b5..023c6e043 100644
--- a/examples/test-app/pnpm-workspace.yaml
+++ b/examples/test-app/pnpm-workspace.yaml
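Review bot: The `ws@8: ^8.20.1` floor in the new examples/test-app/pnpm-workspace.yaml does not line up with the fix version the commit message gives for ws (8.20.0 -> 8.21.0 for the uninitialized memory disclosure), so either the message names the wrong patched release or the override admits an unpatched 8.20.1 should a registry mirror or offline store only have that build; aligning the floor with the stated fix, `ws@8: ^8.21.0`, removes the ambiguity. The other three entries are exact pins while ws and brace-expansion are caret ranges, which means those two can move on a later `pnpm install` without the override text changing; if a floor rather than a pin is intended there, a short comment above the two scoped entries saying so would stop a later tidy-up from "normalising" them to exact versions. The lockfile hunks in this commit do record `ws: 8.21.0` and `brace-expansion: 5.0.6`, so the resolution today is the intended one; the point is the floor, not the current state.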
@@ -1,3 +1,11 @@
+# This file exists so examples/test-app is treated as its own pnpm workspace
+# root. pnpm only honors `overrides` from a workspace root, and because this
+# app is nested under the repo-root pnpm-workspace.yaml (without being a member)
+# its overrides were silently ignored when declared in package.json, letting the
+# lockfile drift back to vulnerable transitive versions (see PR #649). Keeping
+# them here ensures they actually apply. These pin transitive deps to versions
+# that clear Dependabot security alerts; ws/brace-expansion are scoped to the
+# vulnerable major so the non-vulnerable ws@7 / brace-expansion@1 copies stay.
 overrides:
 '@xmldom/xmldom': 0.8.13
 postcss: 8.5.12
diff --git a/package.json b/package.json
index f0ca8ca51..f327c6e20 100644
--- a/package.json
+++ b/package.json
@@ -163,11 +163,6 @@
 "README.md",
 "LICENSE"
 ],
- "pnpm": {
- "overrides": {
- "lodash-es": "4.18.1"
- }
- },
 "keywords": [
 "agent",
 "device",
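Review bot: The new header comment says `These pin transitive deps to versions`, but only `@xmldom/xmldom`, `postcss` and `uuid` are exact pins; `ws@8` and `brace-expansion@5` are caret ranges that set a floor and let pnpm resolve higher releases within the major, so the sentence misdescribes two of the five entries a future reader will be relying on. Suggest `# them here ensures they actually apply. These pin (or, for the two scoped` / `# entries, set a minimum for) transitive deps to versions that clear Dependabot` and then continue with the existing ws/brace-expansion sentence. It would also help to state that the scoped selectors leave ws@7 and brace-expansion@1 unconstrained on purpose, so that a reader does not assume those copies were simply missed.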