
Address OSV Scanner findings & revert PR 2313 #2314

Merged
tk-o merged 1 commit into main from fix/ci-issues
Jun 18, 2026

Conversation

tk-o (Member) commented Jun 18, 2026

This PR reverts the update from PR #2313 as it didn't improve the original issue it was meant to address. This PR also applies version upgrades according to the OSV Scanner findings.

Copilot AI review requested due to automatic review settings June 18, 2026 14:46
tk-o requested a review from a team as a code owner June 18, 2026 14:46
vercel Bot (Contributor) commented Jun 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project                           Deployment  Actions           Updated (UTC)
admin.ensnode.io                  Ready       Preview, Comment  Jun 18, 2026 2:48pm
enskit-react-example.ensnode.io   Ready       Preview, Comment  Jun 18, 2026 2:48pm
ensnode.io                        Ready       Preview, Comment  Jun 18, 2026 2:48pm
ensrainbow.io                     Ready       Preview, Comment  Jun 18, 2026 2:48pm

changeset-bot Bot commented Jun 18, 2026

⚠️ No Changeset found

Latest commit: 3733d64

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai Bot (Contributor) commented Jun 18, 2026

Warning

Review limit reached

@tk-o, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 34 seconds. Learn how PR review limits work.



Commits

Reviewing files that changed from the base of the PR and between fe6b24d and 3733d64.

Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

Files selected for processing (1)
  • package.json

Copilot AI (Contributor) left a comment

⚠️ Not ready to approve

The revert removes lockfile regeneration from the changeset:version flow, which can leave pnpm-lock.yaml out-of-sync after versioning (especially for examples/* that pin monorepo package versions).

Pull request overview

This PR reverts the release:postversion behavior introduced in PR #2313 (stopping automatic lockfile regeneration after changeset version) and updates dependency resolutions/overrides to address OSV Scanner findings in the ENSNode monorepo tooling layer.

Changes:

  • Reverted release:postversion to no longer run pnpm install --lockfile-only.
  • Updated pnpm.overrides to force patched versions for dompurify and undici.
  • Regenerated pnpm-lock.yaml to reflect the new override resolutions (notably dompurify@3.4.11 and undici@7.28.0).
File summaries

File            Description
package.json    Removes lockfile regeneration from release:postversion; adds/updates pnpm.overrides for OSV fixes.
pnpm-lock.yaml  Updates resolved dependency graph to match the new pnpm.overrides (dompurify/undici).

Copilot's findings

Files not reviewed (1)

  • pnpm-lock.yaml: Generated file

Files reviewed: 1/2 changed files
Comments generated: 1

greptile-apps Bot (Contributor) commented Jun 18, 2026

Greptile Summary

This PR reverts the pnpm install --lockfile-only step from the release:postversion script (reverting PR #2313) and applies OSV Scanner security overrides for dompurify and undici.

  • Removes pnpm install --lockfile-only from release:postversion, restoring the simpler pnpm docker:version:sync && pnpm generate:openapi flow.
  • Bumps the dompurify override from <3.4.9 → ^3.4.9 to <3.4.11 → ^3.4.11, and updates the resolved snapshot accordingly (3.4.10 → 3.4.11).
  • Adds a new undici@<7.28.0 → ^7.28.0 override that consolidates the previously split undici@6.24.0 (jsdom) and undici@7.25.0 (testcontainers) into a single undici@7.28.0 snapshot.

Confidence Score: 5/5

Safe to merge — the changes are limited to dependency overrides addressing known security advisories and a revert of a release-script addition that was not solving the intended problem.

The release:postversion revert simply removes pnpm install --lockfile-only, which only ran to regenerate the lockfile during the release flow; since changeset bumps only touch version fields (not dependency versions), the lockfile does not need regeneration at that step. The dompurify bump to 3.4.11 and the new undici@<7.28.0 override consolidate two previously split undici snapshots (6.24.0 and 7.25.0) into a single 7.28.0 snapshot — the project's engines field already requires Node >= 24.13.0, which comfortably satisfies undici 7.28.0's node >= 20.18.1 requirement. No application logic is touched.

No files require special attention.

Important Files Changed

Filename        Overview
package.json    Reverts pnpm install --lockfile-only from release:postversion; tightens dompurify override to 3.4.11 and adds undici@<7.28.0 override — all intentional security and tooling changes.
pnpm-lock.yaml  Lockfile updated to reflect the two new overrides: dompurify resolved to 3.4.11 and all undici snapshots consolidated at 7.28.0; no unexpected transitive additions.

Reviews (1): Last reviewed commit: "Address OSV Scanner findings & revert PR..."
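One way to confirm, after the lockfile is regenerated, that the overrides discussed in the Copilot and Greptile reviews above actually took effect, and that no stale undici 6.x or dompurify below 3.4.11 entry survives (the out-of-sync lockfile case Copilot raises). This is an added Python check, not code from the ENSNode repository; the override keys and versions are taken from the reviews above, and the lockfile excerpt is constructed.

```python
import re

# Override keys as described in the PR review: "<floor" selector -> "^floor".
OVERRIDES = {"dompurify@<3.4.11": "^3.4.11", "undici@<7.28.0": "^7.28.0"}

# Constructed pnpm-lock.yaml excerpt (v9 layout), NOT the real lockfile; models a stale undici 6.x still resolved.
SAMPLE_LOCK = """packages:
  dompurify@3.4.11:
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@6.24.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  undici@7.28.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

PKG_LINE = re.compile(r"^  (@?[^@\s]+)@([0-9][^:\s(]*)")  # "  undici@7.28.0:" or "  @scope/name@1.2.3:"

def parse_version(v: str) -> tuple[int, ...]:
    """'7.28.0' -> (7, 28, 0); any prerelease suffix is ignored."""
    return tuple(int(x) for x in re.match(r"\d+(\.\d+)*", v).group(0).split("."))

def floors_from_overrides(overrides: dict[str, str]) -> dict[str, tuple[int, ...]]:
    """Extract {name: floor} from 'name@<X.Y.Z' keys; other selector shapes are skipped."""
    floors = {}
    for key in overrides:
        m = re.match(r"^(@?[^@]+)@<(\d[\d.]*)$", key)
        if m:
            floors[m.group(1)] = parse_version(m.group(2))
    return floors

def resolved_versions(lock_text: str) -> list[tuple[str, str]]:
    """(name, version) for every entry in the lockfile's 'packages:' section."""
    out, in_packages = [], False
    for line in lock_text.splitlines():
        if line.startswith("packages:"):
            in_packages = True
            continue
        if in_packages and line and not line.startswith(" "):
            in_packages = False  # reached the next top-level section
        m = PKG_LINE.match(line) if in_packages else None
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def find_unpatched(lock_text: str, overrides: dict[str, str]) -> list[tuple[str, str]]:
    """Resolved entries still below the floor their override was meant to enforce."""
    floors = floors_from_overrides(overrides)
    return [(n, v) for n, v in resolved_versions(lock_text)
            if n in floors and parse_version(v) < floors[n]]
```

Running `find_unpatched` against the real pnpm-lock.yaml after `pnpm install` should return an empty list; a non-empty result means an override did not reach every resolved copy of the package.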

Y3drk (Member) left a comment

The reversal of PR #2313 is correct, and the package version overrides look good.

LGTM.

tk-o merged commit e42eac8 into main Jun 18, 2026
22 checks passed
tk-o deleted the fix/ci-issues branch June 18, 2026 15:45
3 participants