fix: bump yaml and tar to resolve security advisories by brendanjryan · Pull Request #241 · wevm/mppx

brendanjryan · 2026-03-25T21:17:02Z

Resolves all pnpm audit vulnerabilities via overrides:

yaml (moderate)

Advisory: GHSA-48c2-rrv3-qjmp — stack overflow via deeply nested YAML collections
Path: testcontainers > docker-compose > yaml
Fix: >=2.8.3

tar (6× high)

GHSA-34x7, GHSA-8qq5, GHSA-83g3, GHSA-qffp, GHSA-9ppj, GHSA-r6q2 — path traversal / symlink attacks
Path: prool > tar
Fix: >=7.5.11

picomatch (2× high)

Advisory: GHSA-c2c7-rcm5-vvqj — ReDoS via extglob quantifiers
Paths: @changesets/cli > ... > picomatch, vite-plus > ... > picomatch
Fix: >=2.3.2 / >=4.0.4

ox (type dedup)

Pins ox to 0.14.1 to prevent transitive version mismatch with viem causing type errors in CI build.

$ pnpm audit
No known vulnerabilities found

socket-security · 2026-03-25T21:17:55Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
mppx@0.4.9
vite@8.0.0 ⏵ 8.0.2	⁺¹	⁺¹	⁺¹
viem@2.47.6

View full report

pkg-pr-new · 2026-03-25T21:25:45Z

Open in StackBlitz

npm i https://pkg.pr.new/mppx@241

commit: 2ad5289

Adds pnpm overrides: - yaml >=2.8.3 — GHSA-48c2-rrv3-qjmp (stack overflow via nested YAML) - tar >=7.5.11 — 6 high-severity path traversal CVEs - picomatch >=2.3.2 / >=4.0.4 — GHSA-c2c7-rcm5-vvqj (ReDoS via extglob) - ox 0.14.1 — deduplicate transitive versions to prevent type conflicts

brendanjryan force-pushed the fix/bump-yaml-cve branch from bed81e3 to 1a225fd Compare March 25, 2026 21:23

brendanjryan changed the title ~~fix: bump yaml to >=2.8.3 (GHSA-48c2-rrv3-qjmp)~~ fix: bump yaml and tar to resolve security advisories Mar 25, 2026

brendanjryan force-pushed the fix/bump-yaml-cve branch from 1a225fd to 6990943 Compare March 25, 2026 21:25

brendanjryan force-pushed the fix/bump-yaml-cve branch from 6990943 to 2ad5289 Compare March 25, 2026 21:27

brendanjryan merged commit 99e03b4 into main Mar 25, 2026
8 checks passed

brendanjryan deleted the fix/bump-yaml-cve branch March 25, 2026 21:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: bump yaml and tar to resolve security advisories#241

fix: bump yaml and tar to resolve security advisories#241
brendanjryan merged 1 commit intomainfrom
fix/bump-yaml-cve

brendanjryan commented Mar 25, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Mar 25, 2026 •

edited

Loading

Uh oh!

pkg-pr-new bot commented Mar 25, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

brendanjryan commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

yaml (moderate)

tar (6× high)

picomatch (2× high)

ox (type dedup)

Uh oh!

socket-security bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pkg-pr-new bot commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

brendanjryan commented Mar 25, 2026 •

edited

Loading

socket-security bot commented Mar 25, 2026 •

edited

Loading

pkg-pr-new bot commented Mar 25, 2026 •

edited

Loading