Commit f729f43

fix: resolve test-app dependabot alerts
The postcss/uuid overrides added in #464 stopped applying once test-app ended up nested under the repo-root pnpm-workspace.yaml: pnpm only honors overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions. Move the overrides into a dedicated examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are honored, and add scoped overrides for the two remaining alerts:

- postcss 8.4.49 -> 8.5.12 (XSS in CSS stringify)
- uuid 7.0.3 -> 14.0.0 (missing buffer bounds check)
- ws@8 8.20.0 -> 8.21.0 (uninitialized memory disclosure)
- brace-expansion@5 5.0.5 -> 5.0.6 (ReDoS / max bypass)

ws and brace-expansion overrides are scoped to the vulnerable majors so the non-vulnerable ws@7 / brace-expansion@1 copies in the tree are left untouched.
1 parent 5d2b2ed commit f729f43

3 files changed

Lines changed: 29 additions & 24 deletions


examples/test-app/package.json

Lines changed: 0 additions & 7 deletions
@@ -26,12 +26,5 @@
2626
"devDependencies": {
2727
"@types/react": "~19.2.2",
2828
"typescript": "~5.9.2"
29-
},
30-
"pnpm": {
31-
"overrides": {
32-
"@xmldom/xmldom": "0.8.13",
33-
"postcss": "8.5.12",
34-
"uuid": "14.0.0"
35-
}
3629
}
3730
}
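Review bot: with the `pnpm.overrides` block removed, nothing left in this package.json indicates that dependency resolution is constrained from a pnpm-workspace.yaml next to it, and JSON leaves no room for a comment explaining why; since the commit message says overrides placed here were silently ignored, consider a short note in the test-app README (or a `"//"` key in package.json) so a future contributor does not re-add overrides in this file where pnpm will not honor them.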

examples/test-app/pnpm-lock.yaml

Lines changed: 23 additions & 17 deletions
examples/test-app/pnpm-workspace.yaml

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
overrides:
2+
'@xmldom/xmldom': 0.8.13
3+
postcss: 8.5.12
4+
uuid: 14.0.0
5+
ws@8: ^8.20.1
6+
brace-expansion@5: ^5.0.6
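Review bot: the `ws@8: ^8.20.1` floor is below the 8.21.0 that the commit message names as the fixed version; if 8.21.0 is the release that closes the uninitialized-memory alert, `^8.20.1` can still resolve to an 8.20.x build and reopen it, so set `ws@8: ^8.21.0` (and verify the lockfile lands on 8.21.0) before merging. The file also mixes exact pins (`postcss: 8.5.12`, `uuid: 14.0.0`) with caret ranges for ws and brace-expansion; exact pins will block future patch releases of postcss and uuid unless someone remembers to bump them, so either use `^` consistently or state in the file why those two are pinned hard.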
