fix(deps): migrate pnpm.overrides from package.json to pnpm-workspace.yaml#665
Conversation
….yaml pnpm v10 stopped reading package.json pnpm.overrides — three security pins (fast-uri, fast-xml-builder, ip-address) were silently unenforced and fast-xml-parser was double-defined with the looser constraint winning. Migrate all four into pnpm-workspace.yaml, tighten fast-xml-parser to >=5.7.0 to restore the CVE-2026-41650 pin, refresh the lockfile, rebuild dist/.
fro-bot
left a comment
Verdict: PASS
This is a correct and well-scoped migration. The root cause (pnpm v10 silently ignoring package.json pnpm.overrides) is real, the fix is appropriate, and the lockfile confirms all four security pins are now actively enforced at the correct versions.
Key findings:
- `pnpm-workspace.yaml` now consolidates all overrides. The four migrated entries (`fast-uri`, `fast-xml-builder`, `fast-xml-parser`, `ip-address`) are present and the `fast-xml-parser` constraint is correctly tightened from `>=5.5.7` → `>=5.7.0` to restore the CVE-2026-41650 pin.
- Lockfile resolves to: `fast-uri@3.1.2`, `fast-xml-builder@1.2.0`, `fast-xml-parser@5.7.2`, `ip-address@10.2.0` — all satisfy their respective floor constraints.
- `package.json` `pnpm` block is fully removed (no stale override entries left behind).
- `dist/` rebuild is consistent with a pure dependency version change: chunk hash rotation and `licenses.txt` delta, no runtime behavior change.
Blocking issues
None
Non-blocking concerns
None
Missing tests
None — this is a dependency configuration change with no testable runtime behavior delta. The lockfile itself is the verification artifact.
Risk assessment (LOW):
Regression risk is low. The change moves from a broken enforcement state to a correctly enforced one. All resolved versions already satisfied the pins before this PR (the lockfile happened to pick safe versions), so there is no observable runtime change. The only risk would be if a future pnpm install now forces a version bump on one of the pinned packages — but that's the intended behavior of the security overrides.
Run Summary
| Field | Value |
|---|---|
| Event | pull_request |
| Repository | fro-bot/agent |
| Run ID | 26339749915 |
| Cache | hit |
| Session | ses_1a9fd344dffemYLdk7r6TX47pW |
pnpm v10 stopped reading `pnpm.overrides` from `package.json` — every `pnpm install` was logging:

Three security pins (`fast-uri`, `fast-xml-builder`, `ip-address`) were silently NOT enforced. `fast-xml-parser` was double-defined — `package.json` had `>=5.7.0` (the CVE-2026-41650 fix from PR #541) but `pnpm-workspace.yaml` had the looser `>=5.5.7`; the looser constraint was the live one because the package.json side was ignored. The lockfile happened to resolve to 5.7.2 so the security pin was incidentally honored, but any future regression to <5.7.0 would have gone undetected.

Changes:
- Migrate `fast-uri`, `fast-xml-builder`, `ip-address` from `package.json` `pnpm.overrides` into `pnpm-workspace.yaml` `overrides`
- Tighten `fast-xml-parser` in `pnpm-workspace.yaml` from `>=5.5.7` to `>=5.7.0` (restoring the CVE-2026-41650 pin to enforcement)
- Remove the `pnpm` block from `package.json`
- Refresh `pnpm-lock.yaml`

Resolved versions all honor the pins:
- `fast-uri@3.1.2`
- `fast-xml-builder@1.2.0`
- `fast-xml-parser@5.7.2`
- `ip-address@10.2.0`

`dist/` rebuilt — chunk hash rotated and `licenses.txt` reflects the new resolved versions; `main.js`/`post.js` same byte size (no runtime change). Lint and types clean; `pnpm install` no longer warns.
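The failure mode this PR fixes is easy to reintroduce, so a small pre-install audit is worth keeping around. The following is an added example, not the project's own code: it cross-checks a `package.json` `pnpm.overrides` block against the `overrides` mapping in `pnpm-workspace.yaml` and against the `name@version` keys of `pnpm-lock.yaml`, and reports pins that are not live, pins defined twice with differing constraints, and lockfile resolutions below an intended floor. The three inputs are constructed to mirror the pre-migration state (the `5.6.0` lockfile version is invented to make the last check fire); only `>=x.y.z` floors are handled.

```javascript
// Added example (not project code): audit pnpm override pins across
// package.json (not read by pnpm v10), pnpm-workspace.yaml and pnpm-lock.yaml.
// All three inputs below are constructed; a real run would fs.readFileSync them.
const PACKAGE_JSON = JSON.stringify({ pnpm: { overrides: {
  "fast-uri": ">=3.1.2", "fast-xml-builder": ">=1.2.0",
  "fast-xml-parser": ">=5.7.0", "ip-address": ">=10.2.0" } } });
const WORKSPACE_YAML = 'packages:\n  - "."\noverrides:\n  fast-xml-parser: ">=5.5.7"\n';
const LOCKFILE_YAML = [                 // constructed: 5.6.0 sits below the intended pin
  "packages:", "  fast-uri@3.1.2:", "    resolution: {integrity: sha512-PLACEHOLDER}",
  "  fast-xml-parser@5.6.0:", "    resolution: {integrity: sha512-PLACEHOLDER}", ""].join("\n");

// Floors declared under the top-level "overrides:" mapping of pnpm-workspace.yaml.
function parseWorkspaceOverrides(yaml) {
  const out = {}, lines = yaml.split("\n"), start = lines.indexOf("overrides:");
  for (const line of start < 0 ? [] : lines.slice(start + 1)) {
    if (!/^\s/.test(line)) break;                                // mapping ended
    const m = line.match(/^\s+(\S+):\s*"?(>=\d+\.\d+\.\d+)"?\s*$/);
    if (m) out[m[1]] = m[2];
  }
  return out;
}
// Resolved versions per package from the "name@version" keys under "packages:".
function parseLockVersions(yaml) {
  const out = {};
  for (const m of yaml.matchAll(/^ {2}((?:@[^/\s]+\/)?[^@\s]+)@(\d+\.\d+\.\d+)[^\n]*:\s*$/gm))
    (out[m[1]] = out[m[1]] || []).push(m[2]);
  return out;
}
function cmpSemver(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  return x[0] - y[0] || x[1] - y[1] || x[2] - y[2];
}
// Returns a list of findings; an empty list means every pin is live and honored.
function auditOverrides(pkgJsonText, workspaceYaml, lockYaml) {
  const findings = [];
  const ignored = (JSON.parse(pkgJsonText).pnpm || {}).overrides || {};  // not read by pnpm v10
  const live = parseWorkspaceOverrides(workspaceYaml);
  const resolved = parseLockVersions(lockYaml);
  for (const [name, range] of Object.entries(ignored)) {
    if (!(name in live)) findings.push({ name, kind: "not-enforced", range });
    else if (live[name] !== range) findings.push({ name, kind: "double-defined", range, live: live[name] });
  }
  // Check the lockfile against the intended floor; a package.json entry counts as the intent.
  for (const [name, range] of Object.entries({ ...live, ...ignored }))
    for (const v of resolved[name] || [])
      if (cmpSemver(v, range.slice(2)) < 0) findings.push({ name, kind: "below-floor", range, resolved: v });
  return findings;
}
console.log(auditOverrides(PACKAGE_JSON, WORKSPACE_YAML, LOCKFILE_YAML));
```

On the constructed inputs it reports three `not-enforced` pins, one `double-defined` pin and one `below-floor` resolution; on the migrated state (all four floors in `pnpm-workspace.yaml`, no `pnpm` block in `package.json`) it reports nothing.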