
chore(deps): bump transitive dependency overrides#3818

Merged
nicktrn merged 1 commit into main from chore/bump-transitive-deps on Jun 3, 2026

Conversation

@nicktrn
Collaborator

@nicktrn nicktrn commented Jun 3, 2026

Routine maintenance pass on a few transitive pnpm.overrides.

  • fast-uri / fast-xml-builder: add overrides pinning to current releases (3.1.2 / 1.1.7).
  • protobufjs / qs: bump existing override pins that had fallen a patch behind (7.5.6 / 6.15.2).

Overrides-only - no first-party code changes; lockfile regenerated to match. Verified the affected transitives resolve to the pinned releases via pnpm why -r.

@nicktrn nicktrn self-assigned this Jun 3, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Jun 3, 2026

Walkthrough

This PR updates dependency version overrides in pnpm.overrides within package.json. It changes the resolved version for qs from 6.14.1 to ^6.15.2, bumps protobufjs from ^7.5.5 to ^7.5.6, and adds new overrides for fast-uri (^3.1.2) and fast-xml-builder (^1.1.7) while retaining the existing defu override. No other package.json fields or scripts are modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check (Inconclusive): The description adequately covers the changes, but lacks several sections from the required template including Testing, Changelog, Screenshots, and issue reference. Resolution: add the missing template sections, including an issue reference (Closes #), a detailed Testing section describing verification steps, and a structured Changelog entry.

✅ Passed checks (4 passed)

  • Title check (Passed): The title clearly and accurately summarizes the main change: updating transitive dependency overrides in pnpm configuration.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.


Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.



@changeset-bot

changeset-bot Bot commented Jun 3, 2026

⚠️ No Changeset found

Latest commit: c342022

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Contributor

@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


@nicktrn nicktrn enabled auto-merge (squash) June 3, 2026 11:42
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
package.json (1)

103-125: ⚡ Quick win

Verify Prettier formatting compliance.

Ensure pnpm run format has been run before committing, as required by the coding guidelines for .json files.

As per coding guidelines, JSON files should be formatted using Prettier by running pnpm run format before committing.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 103 - 125, The package.json changes are not
Prettier-formatted; run the repository formatter and fix whitespace/ordering per
project rules by running "pnpm run format" (or your project's Prettier command)
on package.json, verify the diff for package.json now matches Prettier output
(check the dependency entries such as the modified version lines like
"qs@>=6.0.0 <6.15.2", "vite@>=5.0.0 <6.4.2", etc.), stage and recommit the
formatted package.json so the file complies with the project's JSON formatting
guidelines.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 0f4f6fe7-8829-4948-b29b-5ecb0649a228

📥 Commits

Reviewing files that changed from the base of the PR and between 8ab5b48 and c342022.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{js,ts,tsx,jsx,css,json,md}

📄 CodeRabbit inference engine (AGENTS.md)

Use Prettier for code formatting and run pnpm run format before committing

Files:

  • package.json
🧠 Learnings (6)
📓 Common learnings
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3543
File: pnpm-workspace.yaml:15-16
Timestamp: 2026-05-14T13:46:01.116Z
Learning: In `pnpm-workspace.yaml` of triggerdotdev/trigger.dev, `secure-exec` and `secure-exec/*` are intentionally excluded from `minimumReleaseAge` quarantine. They back the `secureExec` build extension (packages/build/src/extensions/secureExec.ts) and rely on lockfile-pinned installs for version immutability. Both entries are planned to be removed alongside the build extension in a follow-up PR.
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-06-02T21:20:56.997Z
Learning: Install dependencies with `pnpm i` (requires pnpm `10.33.2` and Node.js `20.20.2`)
📚 Learning: 2026-06-02T21:20:43.541Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-06-02T21:20:43.541Z
Learning: Edit `package.json` directly instead of using `pnpm add` for adding dependencies, then run `pnpm i` from the repo root

Applied to files:

  • package.json
📚 Learning: 2026-06-02T21:20:43.541Z
Learnt from: CR
Repo: triggerdotdev/trigger.dev PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-06-02T21:20:43.541Z
Learning: Add a changeset when modifying any public package (`packages/*` or `integrations/*`) using `pnpm run changeset:add`

Applied to files:

  • package.json
📚 Learning: 2026-04-27T16:40:37.692Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3456
File: apps/webapp/package.json:230-230
Timestamp: 2026-04-27T16:40:37.692Z
Learning: In `apps/webapp/remix.config.js` (Remix 2.x, CJS server build via `serverModuleFormat: "cjs"`), ESM-only npm packages must be added to the `serverDependenciesToBundle` array so esbuild inlines them rather than emitting a `require()` call. The `engines` field allows Node >=18.19.0 || >=20.6.0, so `require(esm)` (Node 20.19+) cannot be relied upon. Packages already listed include p-limit, p-map, axios, and (as of PR `#3456`) uuid. When upgrading a dependency that drops CJS support, always check the post-build artifact for `require("<package>")` and add it to `serverDependenciesToBundle` if present.

Applied to files:

  • package.json
🔇 Additional comments (1)
package.json (1)

103-103: ⚡ Quick win

Confirm override pins match upstream patched security versions (and consider newer patch releases).

  • qs: fixed in 6.15.2 (CVE-2026-8723 / GHSA-q8mj-m7cp-5q26) — your override for <6.15.2 should force ^6.15.2.
  • protobufjs: patched in 7.5.6 (GHSA-75px-5xx7-5xc7) — ensure pnpm.overrides for protobufjs forces 7.5.6+ (latest in 7.x is 7.6.2).
  • fast-uri: patched in 3.1.2 (GHSA-v39h-62p7-jpjc) — ensure overrides force 3.1.2 (latest in 3.x is 3.1.2).
  • fast-xml-builder: patched in 1.1.7 (GHSA-5wm8-gmm8-39j9) — ensure overrides force 1.1.7+ (latest in 1.x is 1.2.0).
  • Ensure pnpm run format was run for the root package.json.

@nicktrn nicktrn disabled auto-merge June 3, 2026 12:29
@nicktrn nicktrn enabled auto-merge (squash) June 3, 2026 12:30
@nicktrn nicktrn merged commit e47ba19 into main Jun 3, 2026
80 of 82 checks passed
@nicktrn nicktrn deleted the chore/bump-transitive-deps branch June 3, 2026 12:41