Security: Fix Dependabot alerts in DevExtreme repository#32856

Open
Raushen wants to merge 1 commit into DevExpress:26_1 from Raushen:DependaBot_5

Conversation

@Raushen Raushen commented Mar 10, 2026

No description provided.

@Raushen Raushen self-assigned this Mar 10, 2026
Copilot AI review requested due to automatic review settings March 10, 2026 18:01

Copilot AI left a comment

Pull request overview

This PR updates the monorepo’s dependency resolution to address Dependabot security alerts by adding/adjusting pnpm.overrides at the workspace root and regenerating the root lockfile so vulnerable transitive versions are no longer selected.

Changes:

  • Expanded root pnpm.overrides to force patched versions of tar, underscore, hono, @hono/node-server, express-rate-limit, and immutable.
  • Updated root pnpm-lock.yaml to reflect the newly resolved versions (e.g., tar, underscore, hono, express-rate-limit, ip-address, immutable).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

File            Description
package.json    Adds new root-level pnpm.overrides entries to force patched dependency versions.
pnpm-lock.yaml  Regenerates lockfile to pick up the overridden/patched package versions.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

Comment on lines +83 to +84
"tar@<=7.5.9": "^7.5.10",
"underscore@<=1.13.7": "^1.13.8",

Copilot AI Mar 10, 2026

Root overrides now cover tar<=7.5.9, but the workspace package packages/sbom still has its own pnpm.overrides and lockfile that keep tar@7.5.9 (see packages/sbom/pnpm-lock.yaml). If Dependabot is scanning all workspace lockfiles, this PR may not clear the tar alert until packages/sbom/package.json override and its lockfile are updated/regenerated as well.

"hono@<4.12.4": "^4.12.4",
"@hono/node-server@<1.19.10": "^1.19.10",
"express-rate-limit@>=8.2.0 <8.2.2": "^8.2.2",
"immutable@>=5.0.0 <5.1.5": "^5.1.5",
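Review bot: Nothing in these entries or in the PR description (which is empty) records which Dependabot alert each override resolves, so there is no signal for when an override can be retired once the direct dependency itself is bumped; list the alert or advisory per override in the PR description. Because the replacement side is a caret range (`"^4.12.4"`, `"^8.2.2"`), the exact version actually in use is fixed only by the regenerated lockfile, so after `pnpm install` run `pnpm audit` and confirm that no workspace lockfile still resolves a version inside a selector range such as `>=8.2.0 <8.2.2` or `>=5.0.0 <5.1.5`.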

Copilot AI Mar 10, 2026

The new root override forces immutable to 5.1.5+, but packages/devextreme-themebuilder/package.json still declares immutable: "5.1.4". Root pnpm overrides won’t apply to consumers installing devextreme-themebuilder directly, and this can also cause lockfile drift on future installs. Consider updating the package’s declared dependency to 5.1.5+ (and then regenerating the lockfile) instead of relying solely on the workspace override.

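As an added example (not code from this PR or from DevExtreme), a check for the gap both review comments point at: it scans the text of a pnpm-lock.yaml (run it over every workspace lockfile, including packages/sbom/pnpm-lock.yaml) for entries that still resolve to a version one of the quoted override selectors targets. The lockfile excerpt inside is constructed, and the comparator grammar covers only the `<`, `<=`, `>`, `>=` forms used in these overrides, not full semver range syntax.

```python
"""Flag lockfile entries a root pnpm.overrides selector still matches (added example, not DevExtreme code)."""
import re
# Selectors copied from the overrides quoted in this PR (only the key side matters here).
OVERRIDES = {
    "tar@<=7.5.9": "^7.5.10",
    "underscore@<=1.13.7": "^1.13.8",
    "hono@<4.12.4": "^4.12.4",
    "@hono/node-server@<1.19.10": "^1.19.10",
    "express-rate-limit@>=8.2.0 <8.2.2": "^8.2.2",
    "immutable@>=5.0.0 <5.1.5": "^5.1.5",
}
# pnpm-lock.yaml v6/v9 package keys, e.g. "  tar@7.5.9:" or "  '@hono/node-server@1.19.9':"
ENTRY = re.compile(r"^\s+/?'?(@?[\w.-]+(?:/[\w.-]+)?)@(\d+\.\d+\.\d+[\w.+-]*)'?[:(]")
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def parse_version(v: str) -> tuple:
    """'7.5.10-beta.1' -> (7, 5, 10); pre-release tags are ignored for brevity."""
    return tuple(int(p) for p in re.split(r"[-+]", v, maxsplit=1)[0].split("."))

def matches(version: str, selector: str) -> bool:
    """True when version satisfies every comparator in e.g. '>=8.2.0 <8.2.2'."""
    for comp in selector.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)?(\d+(?:\.\d+)*)", comp)
        if not m:
            raise ValueError(f"unsupported comparator: {comp}")
        if not OPS[m.group(1) or "="](parse_version(version), parse_version(m.group(2))):
            return False
    return True

def find_vulnerable(lock_text: str, overrides=OVERRIDES) -> list:
    """Sorted (name, version) pairs that an override selector should have replaced."""
    selectors = dict(k.rpartition("@")[::2] for k in overrides)
    hits = set()
    for line in lock_text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1) in selectors and matches(m.group(2), selectors[m.group(1)]):
            hits.add((m.group(1), m.group(2)))
    return sorted(hits)

# Constructed lockfile excerpt (not DevExtreme's); three entries are still inside a selector.
SAMPLE_LOCK = """\
packages:
  '@hono/node-server@1.19.10': {}
  express-rate-limit@8.2.1: {}
  hono@4.12.4: {}
  immutable@5.1.4: {}
  tar@7.5.9: {}
  underscore@1.13.8: {}
"""
```

Feed it `open("packages/sbom/pnpm-lock.yaml").read()` to reproduce the first comment's finding; an empty result for every lockfile is the condition under which the alerts should clear.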