fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545
fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545coderdan wants to merge 4 commits into
Conversation
…rides Root cause: the root package.json has a top-level npm-format `overrides` block that pnpm ignores, so earlier fixes (next >=15.5.15, lodash >=4.18.0, postcss >=8.5.10, vite catalog pin) never took effect, and the catalog:security pins for next/vite were referenced by nothing. - Add range-scoped security overrides to pnpm-workspace.yaml (the active location): next, lodash, js-cookie, postcss, vite 7.x, esbuild 0.27/28, js-yaml 3.x/4.x - Reference catalog:security next from packages/nextjs devDependencies so the 15.5.18 pin actually resolves (peer range unchanged) - Give wizard an explicit @anthropic-ai/sdk ^0.106.0 dependency — the vulnerable 0.81.0 was a stale auto-installed peer of claude-agent-sdk (which wants >=0.93.0); overrides don't rewrite peer resolutions - Bump root js-yaml to ^4.2.0; temporarily exclude js-yaml from the 7-day cooldown (3.15.0 security release is 6 days old — remove the exclusion after 2026-07-04) Verified: no vulnerable versions remain in the lockfile; full turbo build (10 packages), wizard tests (139), and script tests (20) pass.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (4)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughThis PR updates workspace supply-chain controls and validation, revises cooldown guidance, and bumps dependency versions in root and package manifests. ChangesDependency and workspace override updates
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 61: The root npm-format overrides entry for js-yaml is stale and still
pins the vulnerable 4.1.1 version even though devDependencies.js-yaml was bumped
to ^4.2.0. Update the package.json overrides.js-yaml value to match the new safe
version, or remove the dead npm overrides block entirely if pnpm-workspace.yaml
is now the source of truth; check the js-yaml entries in package.json to keep
them consistent.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 42b994b8-ad53-4cc5-b0f5-c1cd530b9e89
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (4)
package.jsonpackages/nextjs/package.jsonpackages/wizard/package.jsonpnpm-workspace.yaml
There was a problem hiding this comment.
Pull request overview
This PR aims to eliminate a set of open Dependabot security alerts by making pnpm overrides actually apply (moving them into pnpm-workspace.yaml), pinning security-sensitive toolchain deps via catalogs, and ensuring a published runtime package (@cipherstash/wizard) no longer pulls a vulnerable peer version.
Changes:
- Added pnpm workspace-level
overridestargeting vulnerable transitive dependency ranges (Next, lodash, js-cookie, postcss, vite, esbuild, js-yaml). - Activated the existing
catalog:securityNext.js pin by addingnext: catalog:securitytopackages/nextjsdevDependencies. - Updated
@cipherstash/wizardto depend directly on@anthropic-ai/sdk@^0.106.0and refreshed lockfile resolutions accordingly.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds effective pnpm overrides for vulnerable transitive deps and a temporary minimumReleaseAgeExclude entry. |
| pnpm-lock.yaml | Captures the resulting dependency graph changes (Next/esbuild/js-yaml/etc.) after applying overrides and catalog pins. |
| packages/nextjs/package.json | Adds next: catalog:security to ensure the workspace resolves the pinned Next version for dev/test. |
| packages/wizard/package.json | Adds an explicit @anthropic-ai/sdk runtime dependency to avoid a vulnerable peer resolution path. |
| package.json | Bumps root js-yaml devDependency range to ^4.2.0. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Restore fast-uri 3.1.3: the lockfile regen let the 7-day cooldown demote ajv's fast-uri to 3.1.2, un-fixing GHSA-4c8g-83qw-93j6 / CVE-2026-13676; pin the patched release until it matures - Replace the js-yaml minimumReleaseAgeExclude entry (name-scoped, first-party-only list) with exact pins (3.15.0 / matured 4.2.0, evicting immature 4.3.0) installed via a one-off --config.minimumReleaseAge=0 run per SKILL.md; locked versions are not re-age-checked so normal installs need no bypass - Delete the inert npm-format overrides block and stale workspaces.catalogs duplicate from root package.json (dead config that contradicted the live pins; the overrides copy still pinned vulnerable js-yaml 4.1.1) - Annotate every override with its Dependabot alert + GHSA ID, note the esbuild-outside-tsup-range tradeoff, and document the wizard's @anthropic-ai/sdk dep as a peer-resolution pin (not unused) - Gate both escape hatches in the supply-chain e2e test: overrides must stay range-scoped and ≤12 entries; minimumReleaseAgeExclude must stay first-party-only - Fix SKILL.md's cooldown-bypass recipe: the documented --ignore-workspace-min-release-age flag does not exist in pnpm 10; the one-off equivalent is --config.minimumReleaseAge=0 with an exact pin Verified: full turbo build (10 pkgs), wizard tests (139), script tests (20), supply-chain e2e (14, incl. 2 new gates) all pass; frozen-lockfile install passes with no bypass.
🦋 Changeset detectedLatest commit: 17f4745 The changes in this PR will be included in the next version bump. This PR includes changesets to release 2 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 59-64: The js-yaml pin comment is stale because it still
references the removed `--ignore-workspace-min-release-age` workaround, which no
longer matches the updated `SKILL.md` recipe. Update the explanatory comment
near the `js-yaml@<3.15.0` entry in `pnpm-workspace.yaml` so it points to the
current `pnpm install --config.minimumReleaseAge=0` flow and remove the old flag
reference while keeping the note about the bypass/maturity window.
In `@skills/stash-supply-chain-security/SKILL.md`:
- Around line 141-147: The one-off pnpm install override is using the wrong
config flag format, so pnpm 10.33.2 will ignore it. Update the install example
in SKILL.md to use the kebab-case CLI override with pnpm install and the
minimum-release-age setting, and make sure the guidance around the one-off run
matches the accepted pnpm config override form.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: ce94914e-4930-4ed5-a911-b51d53e0926f
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (4)
e2e/tests/supply-chain.e2e.test.tspackage.jsonpnpm-workspace.yamlskills/stash-supply-chain-security/SKILL.md
💤 Files with no reviewable changes (1)
- package.json
|
@calvinbrewer — re your earlier concern about js-yaml upgrades breaking changesets: this PR moves js-yaml on both majors (3.14.2 → 3.15.0 and 4.1.1 → 4.2.0, security fix GHSA-h67p-54hq-rp68), so I validated the changesets pipeline end-to-end rather than assuming:
To keep this from regressing silently, js-yaml 4.x is exact-pinned to 4.2.0 in the workspace overrides with a comment saying any future bump must re-verify |
…ab-case form CodeRabbit flagged two doc issues on #545: - pnpm-workspace.yaml's js-yaml 3.x comment still cited the nonexistent --ignore-workspace-min-release-age flag - SKILL.md used --config.minimumReleaseAge=0 Empirically both --config.minimum-release-age and --config.minimumReleaseAge are applied by pnpm 10.33.2 (verified with a huge value forcing NO_MATURE_MATCHING_VERSION in a scratch project), but kebab-case is the docs-canonical form, so standardize on it everywhere.
Copilot review on #545 correctly noted the new direct dependency changes @cipherstash/wizard's published manifest, which per AGENTS.md needs a changeset. Patch bump — peer-resolution pin only, no behaviour change.
Why Dependabot couldn't fix these itself
Nearly all 26 open alerts are transitive deps Dependabot can't PR against, and the repo's previous mitigation attempts were silently inert:
package.jsonhad a top-leveloverridesblock in npm format, which pnpm ignores — it containednext: >=15.5.15,lodash: >=4.18.0,postcss: >=8.5.10,vite: catalog:security… none of it ever applied (and itsjs-yaml: 4.1.1pinned the vulnerable version). Deleted in this PR, along with the staleworkspaces.catalogsduplicate that still advertised vulnerable pins (next 15.5.10,vite 6.4.1).catalog:securitypins fornext: 15.5.18/vite: 8.0.13inpnpm-workspace.yamlwere referenced by no package.@anthropic-ai/sdk@0.81.0was a stale auto-installed peer ofclaude-agent-sdk(peer floor>=0.93.0) — verified empirically that pnpm overrides rewrite peer ranges, not peer resolutions, so an explicit dep is the only working fix.What this PR does
Range-scoped overrides in
pnpm-workspace.yaml(the location pnpm actually reads), each annotated in-file with its alert + advisory:next@<15.5.18 → ~15.5.18lodash@<4.18.0 → ^4.18.0js-cookie@<3.0.7 → ^3.0.7postcss@<8.5.10 → ^8.5.10vite@>=7.0.0 <7.3.5 → ~7.3.5esbuild@>=0.27.3 <0.28.1 → ^0.28.1^0.27.0; builds pass, retire by bumping tsup once it declares^0.28js-yaml@<3.15.0 → 3.15.0(exact)js-yaml@>=4.0.0 <5 → 4.2.0(exact, matured)fast-uri@<3.1.3 → 3.1.3(exact)^3.1.3)Manifest changes:
packages/nextjs:next: catalog:securitydevDep — makes the existing 15.5.18 pin real; peer range^14 || ^15unchanged. (Kept alongside the override deliberately: tested override-only and it floats to 15.5.19 instead of the catalog-pinned version.)packages/wizard: explicit@anthropic-ai/sdk: ^0.106.0(alert fix(protect): proper handling of composite types #128, GHSA-p7fg-763f-g4gf / CVE-2026-41686) — the only alert reaching published-package runtime (npx stash init). This is a peer-resolution pin, never imported — documented in the workspace file so it isn't tidied away as unused.js-yaml→^4.2.0.Cooldown bypass (per SKILL.md): js-yaml 3.15.0 (published 2026-06-26) and fast-uri 3.1.3 (2026-06-29) are inside the 7-day window. Both are exact-pinned and were admitted via a single one-off
pnpm install --config.minimumReleaseAge=0run — no persistentminimumReleaseAgeExcludeentry (an earlier revision used one; removed after review). Locked versions aren't re-age-checked, so normal and--frozen-lockfileinstalls need no bypass. Also fixed SKILL.md's bypass recipe — the--ignore-workspace-min-release-ageflag it documented doesn't exist in pnpm 10.New CI gates in
e2e/tests/supply-chain.e2e.test.ts: overrides must stay range-scoped (no blanket pins) and ≤12 entries;minimumReleaseAgeExcludemust stay first-party-only.Verification
--frozen-lockfileinstall ✅.changeset status(exercises@manypkg/get-packages→ js-yaml 3.15.0) and a fullchangeset versionrun with a throwaway changeset (exercises@changesets/parse→ js-yaml 4.2.0) both work — changelogs and version bumps generated correctly, then reverted.Follow-ups
fast-uripin to^3.1.3after 2026-07-06 (noted in the workspace comment).^0.28and retire the esbuild override note.Summary by CodeRabbit