chore: reduce tee-worker JS dependabot alerts#3931
Merged
Kailai-Wang merged 2 commits intodevfrom Mar 18, 2026
Merged
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR reduces JavaScript Dependabot exposure in the tee-worker workspaces that were practical to remediate on this branch.
tee-worker/omni-executor/client-sdktee-worker/omni-executor/ts-teststee-worker/identity/ts-testson the branch with the earlier minimal lockfile/override fixes already validated for manifest correctnessomni-executorwhere possible, and keep only the smallest remaining overrides for upstream packages that do not currently offer a straightforward safe direct upgrade pathWhat Changed
omni-executor/client-sdkomni-executor/client-sdklockfile and kept only minimal residual overrides for upstreamverdaccio/typedoctransitive issues@polkadot/*dependencies inomni-executor/ts-testsajvcoverage where needed inomni-executor/ts-tests@ethersproject/providersfromomni-executor/ts-testsValidation
Manual validation performed on this branch:
cd tee-worker/omni-executor/client-sdk && pnpm audit --audit-level lowcd tee-worker/omni-executor/client-sdk && CI=1 NX_DAEMON=false pnpm nx run-many --target=build --all --outputStyle=staticcd tee-worker/omni-executor/ts-tests && pnpm --dir integration-tests exec prettier --check package.jsoncd tee-worker/omni-executor/ts-tests && pnpm --dir jsonrpc-mock-tests exec prettier --check package.jsoncd tee-worker/omni-executor/ts-tests && pnpm --dir stress-tests exec prettier --check package.jsoncd tee-worker/omni-executor/ts-tests && node -e "for (const p of ['package.json','integration-tests/package.json','jsonrpc-mock-tests/package.json','stress-tests/package.json']) JSON.parse(require('fs').readFileSync(p,'utf8')); console.log('package.json manifests parse successfully')"cd tee-worker/identity/ts-tests && pnpm exec prettier --check package.jsonGitHub Actions:
Notes
identity/client-sdkwas treated as unmaintained and its existing Dependabot alerts were dismissed separately as an operational action, not as part of the code diff in this PR.omni-executor/ts-testsstill has a remainingbitcoinjs-message -> secp256k1 / elliptic / bn.jschain that does not currently have a clean direct upgrade path in this repo.identity/ts-testsstill has additional transitive alert surface outside the narrower fixes included here.