Commit 217e190

chore: drop dead lodash-es override, document test-app workspace
- Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op.
- Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
1 parent f729f43 commit 217e190

2 files changed

Lines changed: 8 additions & 5 deletions

examples/test-app/pnpm-workspace.yaml

Lines changed: 8 additions & 0 deletions
@@ -1,3 +1,11 @@
1+
# This file exists so examples/test-app is treated as its own pnpm workspace
2+
# root. pnpm only honors `overrides` from a workspace root, and because this
3+
# app is nested under the repo-root pnpm-workspace.yaml (without being a member)
4+
# its overrides were silently ignored when declared in package.json, letting the
5+
# lockfile drift back to vulnerable transitive versions (see PR #649). Keeping
6+
# them here ensures they actually apply. These pin transitive deps to versions
7+
# that clear Dependabot security alerts; ws/brace-expansion are scoped to the
8+
# vulnerable major so the non-vulnerable ws@7 / brace-expansion@1 copies stay.
19
overrides:
210
'@xmldom/xmldom': 0.8.13
311
postcss: 8.5.12
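
Review bot: the header comment (new lines 1-8) explains why the file exists but gives no removal condition for the exact pins that follow (`'@xmldom/xmldom': 0.8.13`, `postcss: 8.5.12`), so they will keep forcing those versions even after later fixed releases ship. Suggest noting beside each entry which alert it clears and when it can be dropped, and moving the sentence about ws/brace-expansion scoping next to those entries, which are not visible in this hunk's context.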

package.json

Lines changed: 0 additions & 5 deletions
@@ -163,11 +163,6 @@
163163
"README.md",
164164
"LICENSE"
165165
],
166-
"pnpm": {
167-
"overrides": {
168-
"lodash-es": "4.18.1"
169-
}
170-
},
171166
"keywords": [
172167
"agent",
173168
"device",
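
Review bot: with the `"pnpm"` block removed at old lines 166-170, nothing in the root package.json constrains `lodash-es` if a dependency brings it back later. The statement that it is absent from the dependency tree cannot be checked from this diff (no lockfile is among the 2 changed files), so suggest recording in the PR how that was confirmed, for example the output of `pnpm why lodash-es`.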
