fix: patch high-severity transitive vulnerabilities via pnpm overrides#29
Co-authored-by: fbosch <6979916+fbosch@users.noreply.github.com>
Pull request overview
This PR addresses CI failures from pnpm audit --audit-level=high by forcing patched versions of vulnerable transitive dependencies via pnpm overrides (notably rollup and minimatch).
Changes:
- Add `pnpm.overrides` in `package.json` to require patched `rollup` and `minimatch` versions.
- Regenerate `pnpm-lock.yaml` to resolve to `rollup@4.59.0` and `minimatch@10.2.4`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Introduces pnpm overrides for patched rollup/minimatch versions. |
| pnpm-lock.yaml | Lockfile updates reflecting the new override-driven resolutions. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "rollup": ">=4.59.0", | ||
| "minimatch": ">=10.2.3" | ||
| } |
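Review bot: The hunk records no reason for these overrides; the PR description speaks of three high-severity advisories for rollup and minimatch, but neither the diff nor the description names them, so a future maintainer cannot tell when an override is safe to drop. Since JSON cannot carry a comment, record the advisory identifiers and affected ranges next to the override (for example as a YAML comment in the `overrides:` block that already exists in pnpm-workspace.yaml, or at least in the commit message); the description's table lists two minimatch entries with the identical range `<10.2.3`, so naming each advisory individually is what makes the two rows meaningful.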
This repo already has an overrides: block in pnpm-workspace.yaml (currently for minimatch). Adding a second overrides source in package.json can be confusing and lead to drift; consider consolidating overrides in one place (update/remove the workspace override if package.json is the new source of truth).
| "rollup": ">=4.59.0", | ||
| "minimatch": ">=10.2.3" |
The override ranges are open-ended (">=") which can allow future major versions (e.g., rollup@5, minimatch@11) to be selected the next time the lockfile is regenerated, potentially introducing breaking changes. Prefer pinning to an exact patched version (or at least a major-locked range like ^4.59.0 / ^10.2.3), and consider using the selector form (e.g., only override <patched) to minimize blast radius.
| "rollup": ">=4.59.0", | |
| "minimatch": ">=10.2.3" | |
| "rollup": "^4.59.0", | |
| "minimatch": "^10.2.3" |
Three high-severity CVEs in transitive dependencies (`rollup` via `unbuild`, `minimatch` via `c8 → test-exclude`) were causing `pnpm audit --audit-level=high` to fail in CI.

Changes

- `package.json`: adds `pnpm.overrides` to pin vulnerable transitive deps to patched versions
- `pnpm-lock.yaml`: regenerated; resolves to `rollup@4.59.0` and `minimatch@10.2.4`

Vulnerabilities addressed

| Package | Vulnerable | Patched |
|---|---|---|
| rollup | <4.59.0 | >=4.59.0 |
| minimatch | <10.2.3 | >=10.2.3 |
| minimatch | <10.2.3 | >=10.2.3 |
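The review above worries about drift between the override ranges and what the lockfile actually resolves to. The check below is an added example, not code from this PR or the project: it reads `pnpm.overrides`, collects every `name@version` resolved in a lockfile v9 `packages:` section, and reports each resolution that escapes its range. The package.json and lockfile contents are constructed, and only the `>=`, `^` and exact range forms discussed in this thread are modelled.

```python
"""Flag lockfile resolutions that violate pnpm overrides (added example)."""
import json
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for package.json and pnpm-lock.yaml. Lockfile v9
# lists resolved packages as "name@version:" keys under "packages:".
# The stale minimatch@3.1.2 entry simulates a lockfile that was not
# regenerated after the override was added.
PACKAGE_JSON = '{"pnpm": {"overrides": {"rollup": ">=4.59.0", "minimatch": ">=10.2.3"}}}'
LOCKFILE = """
packages:
  rollup@4.59.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@10.2.4:
    resolution: {integrity: sha512-PLACEHOLDER}
  minimatch@3.1.2:
    resolution: {integrity: sha512-PLACEHOLDER}
"""

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    major, minor, patch = (int(p) for p in text.split(".")[:3])
    return (major, minor, patch)


def satisfies(version: str, rng: str) -> bool:
    """Range forms from the thread: '>=X' (open-ended), '^X' (major-locked;
    0.x caret semantics not modelled) and an exact version string."""
    v = parse_version(version)
    if rng.startswith(">="):
        return v >= parse_version(rng[2:])
    if rng.startswith("^"):
        floor = parse_version(rng[1:])
        return v >= floor and v[0] == floor[0]
    return version == rng


def lockfile_versions(lockfile: str) -> Dict[str, List[str]]:
    """Collect every resolved version per package from 'name@version:' keys."""
    found: Dict[str, List[str]] = {}
    for name, ver in re.findall(r"^  (@?[^@\s]+)@(\d+\.\d+\.\d+)", lockfile, re.M):
        found.setdefault(name, []).append(ver)
    return found


def find_drift(package_json: str, lockfile: str) -> List[str]:
    """Return one 'name@version violates range' line per escaping resolution;
    an empty list means the lockfile honours every override."""
    overrides = json.loads(package_json)["pnpm"]["overrides"]
    resolved = lockfile_versions(lockfile)
    return [f"{name}@{ver} violates {rng}"
            for name, rng in overrides.items()
            for ver in resolved.get(name, [])
            if not satisfies(ver, rng)]
```

Run against the real files after `pnpm install` in CI, an empty result is the condition the audit fix depends on; a non-empty result means the lockfile must be regenerated.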