Skip to content

fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545

Merged
coderdan merged 6 commits into
mainfrom
chore/dependabot-alert-cleanup
Jul 8, 2026
Merged

fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545
coderdan merged 6 commits into
mainfrom
chore/dependabot-alert-cleanup

Conversation

@coderdan

@coderdan coderdan commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Why Dependabot couldn't fix these itself

Nearly all 26 open alerts are transitive deps Dependabot can't PR against, and the repo's previous mitigation attempts were silently inert:

  • The root package.json had a top-level overrides block in npm format, which pnpm ignores — it contained next: >=15.5.15, lodash: >=4.18.0, postcss: >=8.5.10, vite: catalog:security… none of it ever applied (and its js-yaml: 4.1.1 pinned the vulnerable version). Deleted in this PR, along with the stale workspaces.catalogs duplicate that still advertised vulnerable pins (next 15.5.10, vite 6.4.1).
  • The catalog:security pins for next: 15.5.18 / vite: 8.0.13 in pnpm-workspace.yaml were referenced by no package.
  • @anthropic-ai/sdk@0.81.0 was a stale auto-installed peer of claude-agent-sdk (peer floor >=0.93.0) — verified empirically that pnpm overrides rewrite peer ranges, not peer resolutions, so an explicit dep is the only working fix.

What this PR does

Range-scoped overrides in pnpm-workspace.yaml (the location pnpm actually reads), each annotated in-file with its alert + advisory:

Override Alerts Advisory
next@<15.5.18 → ~15.5.18 #96, #115#127 GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, GHSA-36qx-fr4f-26g5, GHSA-3g8h-86w9-wvmq, GHSA-492v-c6pp-mqqv, GHSA-8h8q-6873-q5fj, GHSA-c4j6-fc7j-m34r, GHSA-ffhc-5mcf-pf4q, GHSA-gx5p-jg67-6x7h, GHSA-h64f-5h5j-jqjh, GHSA-mg66-mrh9-m8jx, GHSA-q4gf-8mx6-v5v3, GHSA-vfv6-92ff-j949, GHSA-wfc6-r584-vfw7, GHSA-3x4c-7xq6-9pq8, GHSA-ggv3-7p47-pfv8
lodash@<4.18.0 → ^4.18.0 #87, #88 GHSA-f23m-r3pf-42rh (CVE-2026-2950), GHSA-r5fr-rjxr-66jc (CVE-2026-4800)
js-cookie@<3.0.7 → ^3.0.7 #133 GHSA-qjx8-664m-686j (CVE-2026-46625)
postcss@<8.5.10 → ^8.5.10 #102 GHSA-qx2v-qp2m-jg93 (CVE-2026-41305)
vite@>=7.0.0 <7.3.5 → ~7.3.5 #145, #146 GHSA-fx2h-pf6j-xcff (CVE-2026-53571), GHSA-v6wh-96g9-6wx3 (CVE-2026-53632)
esbuild@>=0.27.3 <0.28.1 → ^0.28.1 #142 GHSA-g7r4-m6w7-qqqr⚠️ 0.28.1 is the first patched release and sits outside tsup@8.5.1's declared ^0.27.0; builds pass, retire by bumping tsup once it declares ^0.28
js-yaml@<3.15.0 → 3.15.0 (exact) #153 GHSA-h67p-54hq-rp68 (CVE-2026-53550)
js-yaml@>=4.0.0 <5 → 4.2.0 (exact, matured) #152 GHSA-h67p-54hq-rp68 (CVE-2026-53550)
fast-uri@<3.1.3 → 3.1.3 (exact) regression guard GHSA-4c8g-83qw-93j6 (CVE-2026-13676) — the lockfile regen let the 7-day cooldown demote ajv's fast-uri to vulnerable 3.1.2; this pins the patched release (matures 2026-07-06, then relaxable to ^3.1.3)

Manifest changes:

  • packages/nextjs: next: catalog:security devDep — makes the existing 15.5.18 pin real; peer range ^14 || ^15 unchanged. (Kept alongside the override deliberately: tested override-only and it floats to 15.5.19 instead of the catalog-pinned version.)
  • packages/wizard: explicit @anthropic-ai/sdk: ^0.106.0 (alert fix(protect): proper handling of composite types #128, GHSA-p7fg-763f-g4gf / CVE-2026-41686) — the only alert reaching published-package runtime (npx stash init). This is a peer-resolution pin, never imported — documented in the workspace file so it isn't tidied away as unused.
  • Root js-yaml^4.2.0.

Cooldown bypass (per SKILL.md): js-yaml 3.15.0 (published 2026-06-26) and fast-uri 3.1.3 (2026-06-29) are inside the 7-day window. Both are exact-pinned and were admitted via a single one-off pnpm install --config.minimumReleaseAge=0 run — no persistent minimumReleaseAgeExclude entry (an earlier revision used one; removed after review). Locked versions aren't re-age-checked, so normal and --frozen-lockfile installs need no bypass. Also fixed SKILL.md's bypass recipe — the --ignore-workspace-min-release-age flag it documented doesn't exist in pnpm 10.

New CI gates in e2e/tests/supply-chain.e2e.test.ts: overrides must stay range-scoped (no blanket pins) and ≤12 entries; minimumReleaseAgeExclude must stay first-party-only.

Verification

  • No vulnerable versions remain in the lockfile (every alert range checked).
  • Full turbo build 10/10 · wizard tests 139 ✅ · script tests 20 ✅ · supply-chain e2e 14 ✅ (incl. the 2 new gates) · --frozen-lockfile install ✅.
  • Changesets regression check (js-yaml moved on both majors, and a past js-yaml upgrade broke changesets): changeset status (exercises @manypkg/get-packages → js-yaml 3.15.0) and a full changeset version run with a throwaway changeset (exercises @changesets/parse → js-yaml 4.2.0) both work — changelogs and version bumps generated correctly, then reverted.

Follow-ups

  1. Relax fast-uri pin to ^3.1.3 after 2026-07-06 (noted in the workspace comment).
  2. Bump tsup to a release declaring esbuild ^0.28 and retire the esbuild override note.
  3. The open Dependabot PRs (chore(deps): bump the production-minor-patch group across 1 directory with 29 updates #544, chore(deps-dev): bump the dev-dependencies group across 1 directory with 9 updates #525, chore(deps): bump the actions-minor-patch group across 1 directory with 3 updates #514) are still worth merging for general freshness; chore(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 #520 (js-yaml) is superseded by this PR.

Summary by CodeRabbit

  • Security
    • Updated dependency constraints and added a security-focused SDK pin so patched versions are selected.
    • Added workspace-level overrides to keep vulnerable transitive dependencies within patched version ranges.
  • Tests
    • Strengthened supply-chain checks in E2E to validate release-age exclusions, enforce narrowly scoped overrides, and confirm overrides actually take effect.
  • Documentation
    • Updated the security-fix bypass instructions to require pinning the exact patched version and use a safer pnpm config override.

…rides

Root cause: the root package.json has a top-level npm-format `overrides`
block that pnpm ignores, so earlier fixes (next >=15.5.15, lodash
>=4.18.0, postcss >=8.5.10, vite catalog pin) never took effect, and the
catalog:security pins for next/vite were referenced by nothing.

- Add range-scoped security overrides to pnpm-workspace.yaml (the active
  location): next, lodash, js-cookie, postcss, vite 7.x, esbuild 0.27/28,
  js-yaml 3.x/4.x
- Reference catalog:security next from packages/nextjs devDependencies so
  the 15.5.18 pin actually resolves (peer range unchanged)
- Give wizard an explicit @anthropic-ai/sdk ^0.106.0 dependency — the
  vulnerable 0.81.0 was a stale auto-installed peer of claude-agent-sdk
  (which wants >=0.93.0); overrides don't rewrite peer resolutions
- Bump root js-yaml to ^4.2.0; temporarily exclude js-yaml from the
  7-day cooldown (3.15.0 security release is 6 days old — remove the
  exclusion after 2026-07-04)

Verified: no vulnerable versions remain in the lockfile; full turbo
build (10 packages), wizard tests (139), and script tests (20) pass.
@coderdan coderdan requested a review from a team as a code owner July 3, 2026 07:05
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@coderdan, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 4 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cb6fceb0-8519-4b81-8b83-1ff01d580856

📥 Commits

Reviewing files that changed from the base of the PR and between fba3e6f and 0489974.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • package.json
  • packages/nextjs/package.json
  • packages/wizard/package.json
📝 Walkthrough

Walkthrough

This PR adds workspace-level pnpm security overrides, expands supply-chain validation tests, updates install guidance, and bumps dependency pins in root and package manifests.

Changes

Dependency and workspace override updates

Layer / File(s) Summary
Workspace override and enforcement updates
pnpm-workspace.yaml, skills/stash-supply-chain-security/SKILL.md
Adds a top-level pnpm overrides block and revises the supply-chain cooldown bypass procedure and scope guidance.
Supply-chain e2e assertions
e2e/package.json, e2e/tests/supply-chain.e2e.test.ts
Adds semver test dependencies, parses resolved lockfile versions, and expands assertions for workspace config, override effectiveness, and patched SDK resolution.
Dependency manifest updates
package.json, packages/nextjs/package.json, packages/wizard/package.json, .changeset/wizard-anthropic-sdk-security-pin.md
Updates the root js-yaml devDependency, adds next and @anthropic-ai/sdk pins, and records the wizard SDK pin in a changeset.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Possibly related PRs

  • cipherstash/stack#332: Modifies package.json pnpm override configuration, which is directly related to the new workspace override rules and override-location assertions.
  • cipherstash/stack#382: Introduces the supply-chain e2e suite that this PR expands with additional pnpm workspace and lockfile checks.
  • cipherstash/stack#414: Adjusts next version constraints, matching the next security pin updated in this PR.

Suggested reviewers: calvinbrewer

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: fixing Dependabot alerts through pnpm overrides.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/dependabot-alert-cleanup

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 61: The root npm-format overrides entry for js-yaml is stale and still
pins the vulnerable 4.1.1 version even though devDependencies.js-yaml was bumped
to ^4.2.0. Update the package.json overrides.js-yaml value to match the new safe
version, or remove the dead npm overrides block entirely if pnpm-workspace.yaml
is now the source of truth; check the js-yaml entries in package.json to keep
them consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 42b994b8-ad53-4cc5-b0f5-c1cd530b9e89

📥 Commits

Reviewing files that changed from the base of the PR and between b650a8c and f73f523.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • package.json
  • packages/nextjs/package.json
  • packages/wizard/package.json
  • pnpm-workspace.yaml

Comment thread package.json

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to eliminate a set of open Dependabot security alerts by making pnpm overrides actually apply (moving them into pnpm-workspace.yaml), pinning security-sensitive toolchain deps via catalogs, and ensuring a published runtime package (@cipherstash/wizard) no longer pulls a vulnerable peer version.

Changes:

  • Added pnpm workspace-level overrides targeting vulnerable transitive dependency ranges (Next, lodash, js-cookie, postcss, vite, esbuild, js-yaml).
  • Activated the existing catalog:security Next.js pin by adding next: catalog:security to packages/nextjs devDependencies.
  • Updated @cipherstash/wizard to depend directly on @anthropic-ai/sdk@^0.106.0 and refreshed lockfile resolutions accordingly.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pnpm-workspace.yaml Adds effective pnpm overrides for vulnerable transitive deps and a temporary minimumReleaseAgeExclude entry.
pnpm-lock.yaml Captures the resulting dependency graph changes (Next/esbuild/js-yaml/etc.) after applying overrides and catalog pins.
packages/nextjs/package.json Adds next: catalog:security to ensure the workspace resolves the pinned Next version for dev/test.
packages/wizard/package.json Adds an explicit @anthropic-ai/sdk runtime dependency to avoid a vulnerable peer resolution path.
package.json Bumps root js-yaml devDependency range to ^4.2.0.
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/wizard/package.json
- Restore fast-uri 3.1.3: the lockfile regen let the 7-day cooldown
  demote ajv's fast-uri to 3.1.2, un-fixing GHSA-4c8g-83qw-93j6 /
  CVE-2026-13676; pin the patched release until it matures
- Replace the js-yaml minimumReleaseAgeExclude entry (name-scoped,
  first-party-only list) with exact pins (3.15.0 / matured 4.2.0,
  evicting immature 4.3.0) installed via a one-off
  --config.minimumReleaseAge=0 run per SKILL.md; locked versions are
  not re-age-checked so normal installs need no bypass
- Delete the inert npm-format overrides block and stale
  workspaces.catalogs duplicate from root package.json (dead config
  that contradicted the live pins; the overrides copy still pinned
  vulnerable js-yaml 4.1.1)
- Annotate every override with its Dependabot alert + GHSA ID, note
  the esbuild-outside-tsup-range tradeoff, and document the wizard's
  @anthropic-ai/sdk dep as a peer-resolution pin (not unused)
- Gate both escape hatches in the supply-chain e2e test: overrides
  must stay range-scoped and ≤12 entries; minimumReleaseAgeExclude
  must stay first-party-only
- Fix SKILL.md's cooldown-bypass recipe: the documented
  --ignore-workspace-min-release-age flag does not exist in pnpm 10;
  the one-off equivalent is --config.minimumReleaseAge=0 with an
  exact pin

Verified: full turbo build (10 pkgs), wizard tests (139), script
tests (20), supply-chain e2e (14, incl. 2 new gates) all pass;
frozen-lockfile install passes with no bypass.
@changeset-bot

changeset-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 0489974

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@cipherstash/wizard Patch
@cipherstash/e2e Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 59-64: The js-yaml pin comment is stale because it still
references the removed `--ignore-workspace-min-release-age` workaround, which no
longer matches the updated `SKILL.md` recipe. Update the explanatory comment
near the `js-yaml@<3.15.0` entry in `pnpm-workspace.yaml` so it points to the
current `pnpm install --config.minimumReleaseAge=0` flow and remove the old flag
reference while keeping the note about the bypass/maturity window.

In `@skills/stash-supply-chain-security/SKILL.md`:
- Around line 141-147: The one-off pnpm install override is using the wrong
config flag format, so pnpm 10.33.2 will ignore it. Update the install example
in SKILL.md to use the kebab-case CLI override with pnpm install and the
minimum-release-age setting, and make sure the guidance around the one-off run
matches the accepted pnpm config override form.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ce94914e-4930-4ed5-a911-b51d53e0926f

📥 Commits

Reviewing files that changed from the base of the PR and between f73f523 and d232298.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • e2e/tests/supply-chain.e2e.test.ts
  • package.json
  • pnpm-workspace.yaml
  • skills/stash-supply-chain-security/SKILL.md
💤 Files with no reviewable changes (1)
  • package.json

Comment thread pnpm-workspace.yaml
Comment thread skills/stash-supply-chain-security/SKILL.md
@coderdan

coderdan commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@calvinbrewer — re your earlier concern about js-yaml upgrades breaking changesets: this PR moves js-yaml on both majors (3.14.2 → 3.15.0 and 4.1.1 → 4.2.0, security fix GHSA-h67p-54hq-rp68), so I validated the changesets pipeline end-to-end rather than assuming:

  • changeset status — exercises @manypkg/get-packagesread-yaml-filejs-yaml 3.15.0 (parsing pnpm-workspace.yaml and workspace manifests). ✅
  • changeset status --verbose + full changeset version with a throwaway changeset — exercises @changesets/parsejs-yaml 4.2.0 (frontmatter parsing), changelog assembly, and version bumps across all packages. Output was correct (@cipherstash/nextjs 4.1.0 → 4.1.1 with the expected changelog entry); all artifacts were then reverted and the two real pending changesets (native-binary-guards, stack-protect-ffi-0-26-oidc-strategy) are untouched. ✅

To keep this from regressing silently, js-yaml 4.x is exact-pinned to 4.2.0 in the workspace overrides with a comment saying any future bump must re-verify changeset status/version — it can't float to a new version without a deliberate edit. If you remember what broke last time, happy to add a targeted regression test for it.

coderdan added 2 commits July 3, 2026 22:54
…ab-case form

CodeRabbit flagged two doc issues on #545:
- pnpm-workspace.yaml's js-yaml 3.x comment still cited the nonexistent
  --ignore-workspace-min-release-age flag
- SKILL.md used --config.minimumReleaseAge=0

Empirically both --config.minimum-release-age and --config.minimumReleaseAge
are applied by pnpm 10.33.2 (verified with a huge value forcing
NO_MATURE_MATCHING_VERSION in a scratch project), but kebab-case is the
docs-canonical form, so standardize on it everywhere.
Copilot review on #545 correctly noted the new direct dependency changes
@cipherstash/wizard's published manifest, which per AGENTS.md needs a
changeset. Patch bump — peer-resolution pin only, no behaviour change.
@coderdan coderdan requested review from auxesis and calvinbrewer July 3, 2026 12:58

@auxesis auxesis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test-coverage review — supply-chain hardening

Verdict: approve-worthy config change with a coherent test-gap theme. The non-test changes are declarative supply-chain config: a range-scoped security overrides block + minimumReleaseAgeExclude in pnpm-workspace.yaml, an @anthropic-ai/sdk@^0.106.0 peer-resolution pin in packages/wizard, and next: catalog:security in packages/nextjs. The two new tests are well-scoped but assert only the shape of the config (selectors range-scoped, exclusion list first-party-only, count caps). Nothing asserts the effect — that the lockfile actually resolved these to patched versions. That is precisely the failure the fast-uri override comment in pnpm-workspace.yaml documents (a re-resolve silently demoted fast-uri back to 3.1.2). All three inline comments are non-blocking test-coverage enhancements; the config itself resolves correctly today (verified against pnpm-lock.yaml).

Review stats

Source Raw findings Survived
codex (gpt-5.5) [test-gap] 3 3
claude (claude-opus-4-8) [test-gap] 2 2
  • Kept findings after de-dup: 3 (all verified against the diff/lockfile).
  • Cross-model overlap: 2 of 3 kept findings were corroborated by both models (the override-effect gap and the @anthropic-ai/sdk pin gap). The packages/nextjs catalog gap is single-source (codex).
  • Dropped: 0.
  • No overflow beyond the 3 inline comments (well under the 8-comment cap).

Comment thread e2e/tests/supply-chain.e2e.test.ts
Comment thread packages/wizard/package.json
Comment thread packages/nextjs/package.json

@auxesis auxesis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These all look good, thanks for tackling @coderdan.

The supply chain security tests flagged below can be addressed in a follow up PR.

@coderdan coderdan removed the request for review from calvinbrewer July 8, 2026 03:12
…lved

The supply-chain suite proved override selectors were well-formed but not
that they actually applied — a shape-only check the re-resolve regression it
documents (fast-uri silently demoted below its pin) would pass straight
through. Add outcome assertions to the pnpm-lock.yaml integrity block:

- every override `selector -> target`: no resolved version may still match
  the vulnerable selector yet fail the target (the "matched but not raised"
  regression). Tolerates a target that sits inside its own selector range
  (js-yaml@>=4.0.0 <5 -> 4.2.0). Guards the vacuous empty-block case.
- package.json has no top-level `overrides` (pnpm ignores it; the pins must
  live in pnpm-workspace.yaml), so the block can't be silently moved back.
- @anthropic-ai/sdk resolves >= 0.106.0 — a peer-resolution pin the
  override-effect test can't cover generically.

Declares semver (+ @types/semver) as e2e devDeps, previously only present
transitively.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@e2e/tests/supply-chain.e2e.test.ts`:
- Around line 153-190: The failure is caused by the lockfile still resolving
fast-uri@3.1.2, so the security override is not reflected in the installed
state. Update the lockfile by re-running the workspace install with the minimum
release age temporarily disabled, then recheck that resolvedVersionsByName no
longer contains any version matching the vulnerable fast-uri selector but below
the override target. Keep the existing “every security override actually took
effect” test unchanged; it is correctly catching the stale pnpm-lock.yaml state.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9991d09d-34b1-4925-8b44-ada1864b3658

📥 Commits

Reviewing files that changed from the base of the PR and between 17f4745 and fba3e6f.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • e2e/package.json
  • e2e/tests/supply-chain.e2e.test.ts
✅ Files skipped from review due to trivial changes (1)
  • e2e/package.json

Comment thread e2e/tests/supply-chain.e2e.test.ts
Bring the alert-cleanup branch up to date with main (91 commits: EQL v3,
protect-ffi 0.27, auth 0.40, vitest 3.2.6, et al.).

main carries no `overrides:` block, so a plain textual merge of the two
lockfiles kept main's resolved fast-uri@3.1.2 while adopting this branch's
`fast-uri@<3.1.3 -> 3.1.3` pin — an inconsistent lockfile the new
override-effect e2e test correctly flagged (fast-uri still inside its
vulnerable range under --frozen-lockfile). Regenerated the lockfile with
`pnpm update fast-uri -r` so the override actually applies; fast-uri now
resolves to the patched 3.1.3 and every override target is satisfied.
Frozen-lockfile install is clean and all 17 supply-chain e2e tests pass.
@coderdan coderdan merged commit 8145936 into main Jul 8, 2026
9 checks passed
@coderdan coderdan deleted the chore/dependabot-alert-cleanup branch July 8, 2026 03:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants