fix(security): update pnpm overrides to resolve 29 vulnerabilities#70

Merged

jmlweb merged 2 commits into main from fix/security-overrides, Mar 22, 2026
Conversation

@jmlweb (Owner)

@jmlweb jmlweb commented Mar 22, 2026

Security fixes

Updates pnpm.overrides to force patched versions of vulnerable transitive dependencies:

| Package | Fix |
| --- | --- |
| undici | >=7.24.0 (CRLF injection, DoS) |
| hono | >=4.12.4 |
| @hono/node-server | >=1.19.10 |
| @modelcontextprotocol/sdk | >=1.26.0 |
| @isaacs/brace-expansion | >=5.0.1 |
| minimatch | >=10.2.3 |
| rollup | >=4.59.0 |
| flatted | >=3.4.2 |
| ajv | >=8.18.0 |
| qs | >=6.14.2 |

Result: No known vulnerabilities found

Hustle added 2 commits March 22, 2026 12:59
- undici: >=7.24.0 (CRLF injection, unbounded memory)
- hono: >=4.12.4
- @hono/node-server: >=1.19.10
- @modelcontextprotocol/sdk: >=1.26.0
- @isaacs/brace-expansion: >=5.0.1
- minimatch: >=10.2.3
- rollup: >=4.59.0
- flatted: >=3.4.2
- ajv: >=8.18.0
- qs: >=6.14.2

Resolves 29 vulnerabilities (2 low, 8 moderate, 19 high) → 0
…patibility)

ajv override forced >=8.18.0 but @eslint/eslintrc requires ajv v6.
ESLint's ajv@6.x is already patched (>=6.14.0), so no override needed.
All other overrides retained. Result: 0 vulnerabilities + lint passing.
@jmlweb jmlweb merged commit fe75550 into main Mar 22, 2026
9 checks passed
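The second commit shows the failure mode a blanket `pnpm.overrides` entry can cause: forcing `ajv >=8.18.0` for the whole tree also rewrote the range `@eslint/eslintrc` declares on ajv v6, which it cannot satisfy, and the fix was to rely on the already-patched 6.x line instead. Below is an added example, not code from this PR or the project: a small Node script that audits an overrides map against the ranges each consumer declares and, where a patched release exists inside the consumer's own range, suggests pnpm's scoped `parent>child` override key instead of the blanket one. The dependent entries and the patched-version map are constructed for the example (the ajv floors 6.14.0 and 8.18.0 are the values stated in the PR; the other parent names are placeholders), and only `>=X.Y.Z` and `^X.Y.Z` specs are parsed.

```javascript
// Added example (not the project's code): audit pnpm "overrides" against the
// ranges that consumers of each overridden package declare, to catch the
// failure mode from the second commit (a blanket "ajv": ">=8.18.0" override
// that @eslint/eslintrc's ajv@^6 range cannot satisfy).
// Only ">=X.Y.Z" overrides and "^X.Y.Z" / ">=X.Y.Z" dependent ranges are handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `range`? Supports ">=X.Y.Z" and caret "^X.Y.Z"
// (caret: same major; for 0.Y.Z the same minor; for 0.0.Z the exact patch).
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
  if (r.startsWith('^')) {
    const base = r.slice(1);
    if (compareVersions(version, base) < 0) return false;
    const [bM, bm, bp] = parseVersion(base);
    const [vM, vm, vp] = parseVersion(version);
    if (bM > 0) return vM === bM;
    if (bm > 0) return vM === 0 && vm === bm;
    return vM === 0 && vm === 0 && vp === bp;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Lowest version a ">=X.Y.Z" override forces on every consumer in the tree.
function overrideFloor(spec) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(spec.trim());
  if (!m) throw new Error(`only ">=X.Y.Z" overrides are handled: ${spec}`);
  return m[1];
}

// overrides:  { [pkg]: ">=X.Y.Z" }          the pnpm.overrides map
// dependents: [{ parent, dep, range }]     which package declares which range
// patched:    { [pkg]: ["X.Y.Z", ...] }     first fixed release per major line
// Returns one finding per consumer the blanket override would push outside its
// declared range, with the narrowest alternative that still lands on a fix.
function auditOverrides(overrides, dependents, patched = {}) {
  const findings = [];
  for (const [pkg, spec] of Object.entries(overrides)) {
    const floor = overrideFloor(spec);
    for (const d of dependents.filter((x) => x.dep === pkg)) {
      if (satisfies(floor, d.range)) continue; // override is compatible here
      // A patched release the consumer's own range already accepts?
      const inRangeFix = (patched[pkg] || []).find((v) => satisfies(v, d.range));
      findings.push({
        pkg,
        parent: d.parent,
        range: d.range,
        forced: floor,
        suggestion: inRangeFix
          ? `scope it: "${d.parent}>${pkg}": ">=${inRangeFix}" (or drop the blanket override if every consumer resolves to a patched release)`
          : `no patched ${pkg} release satisfies ${d.range}; upgrade ${d.parent} instead`,
      });
    }
  }
  return findings;
}

// Constructed sample input. The ajv / @eslint/eslintrc entry mirrors the
// conflict the second commit describes; the other parents are placeholders.
const sampleOverrides = { undici: '>=7.24.0', ajv: '>=8.18.0', minimatch: '>=10.2.3' };
const sampleDependents = [
  { parent: '@eslint/eslintrc', dep: 'ajv', range: '^6.12.4' },
  { parent: 'example-http-client', dep: 'undici', range: '^7.0.0' },
  { parent: 'example-glob-tool', dep: 'minimatch', range: '>=10.0.0' },
];
const samplePatched = { ajv: ['6.14.0', '8.18.0'] }; // floors stated in the PR text

const report = auditOverrides(sampleOverrides, sampleDependents, samplePatched);
for (const f of report) {
  console.log(`${f.parent} declares ${f.pkg}@${f.range}; override forces ${f.forced}: ${f.suggestion}`);
}
```

To run this against a real tree, build the `dependents` list from the `dependencies` entries of each package in `pnpm-lock.yaml`; the `parent>child` key form the suggestion emits is pnpm's own selector syntax for overrides, so it can be pasted into `package.json` unchanged.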
@github-actions (Contributor)

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
