chore: drop dead lodash-es override, document test-app workspace

thymikee · thymikee · commit 217e19022e15 · 2026-06-01T19:19:04.000+02:00
- Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op. - Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
diff --git a/examples/test-app/pnpm-workspace.yaml b/examples/test-app/pnpm-workspace.yaml
@@ -1,3 +1,11 @@
+# This file exists so examples/test-app is treated as its own pnpm workspace
+# root. pnpm only honors `overrides` from a workspace root, and because this
+# app is nested under the repo-root pnpm-workspace.yaml (without being a member)
+# its overrides were silently ignored when declared in package.json, letting the
+# lockfile drift back to vulnerable transitive versions (see PR #649). Keeping
+# them here ensures they actually apply. These pin transitive deps to versions
+# that clear Dependabot security alerts; ws/brace-expansion are scoped to the
+# vulnerable major so the non-vulnerable ws@7 / brace-expansion@1 copies stay.
 overrides:
   '@xmldom/xmldom': 0.8.13
   postcss: 8.5.12
diff --git a/package.json b/package.json
@@ -163,11 +163,6 @@
     "README.md",
     "LICENSE"
   ],
-  "pnpm": {
-    "overrides": {
-      "lodash-es": "4.18.1"
-    }
-  },
   "keywords": [
     "agent",
     "device",
