fix: resolve test-app dependabot alerts (#649)

thymikee · web-flow · commit 9e6537200abb · 2026-06-01T19:32:17.000+02:00
* fix: resolve test-app dependabot alerts The postcss/uuid overrides added in #464 stopped applying once test-app ended up nested under the repo-root pnpm-workspace.yaml: pnpm only honors overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions. Move the overrides into a dedicated examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are honored, and add scoped overrides for the two remaining alerts: - postcss 8.4.49 -> 8.5.12 (XSS in CSS stringify) - uuid 7.0.3 -> 14.0.0 (missing buffer bounds check) - ws@8 8.20.0 -> 8.21.0 (uninitialized memory disclosure) - brace-expansion@5 5.0.5 -> 5.0.6 (ReDoS / max bypass) ws and brace-expansion overrides are scoped to the vulnerable majors so the non-vulnerable ws@7 / brace-expansion@1 copies in the tree are left untouched. * chore: drop dead lodash-es override, document test-app workspace - Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op. - Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
diff --git a/examples/test-app/package.json b/examples/test-app/package.json
@@ -26,12 +26,5 @@
   "devDependencies": {
     "@types/react": "~19.2.2",
     "typescript": "~5.9.2"
-  },
-  "pnpm": {
-    "overrides": {
-      "@xmldom/xmldom": "0.8.13",
-      "postcss": "8.5.12",
-      "uuid": "14.0.0"
-    }
   }
 }
diff --git a/examples/test-app/pnpm-lock.yaml b/examples/test-app/pnpm-lock.yaml
diff --git a/examples/test-app/pnpm-workspace.yaml b/examples/test-app/pnpm-workspace.yaml
@@ -0,0 +1,14 @@
+# This file exists so examples/test-app is treated as its own pnpm workspace
+# root. pnpm only honors `overrides` from a workspace root, and because this
+# app is nested under the repo-root pnpm-workspace.yaml (without being a member)
+# its overrides were silently ignored when declared in package.json, letting the
+# lockfile drift back to vulnerable transitive versions (see PR #649). Keeping
+# them here ensures they actually apply. These pin transitive deps to versions
+# that clear Dependabot security alerts; ws/brace-expansion are scoped to the
+# vulnerable major so the non-vulnerable ws@7 / brace-expansion@1 copies stay.
+overrides:
+  '@xmldom/xmldom': 0.8.13
+  postcss: 8.5.12
+  uuid: 14.0.0
+  ws@8: ^8.20.1
+  brace-expansion@5: ^5.0.6
diff --git a/package.json b/package.json
@@ -163,11 +163,6 @@
     "README.md",
     "LICENSE"
   ],
-  "pnpm": {
-    "overrides": {
-      "lodash-es": "4.18.1"
-    }
-  },
   "keywords": [
     "agent",
     "device",

Original file line number	Diff line number	Diff line change
`@@ -26,12 +26,5 @@`
`26`	`26`	`"devDependencies": {`
`27`	`27`	`"@types/react": "~19.2.2",`
`28`	`28`	`"typescript": "~5.9.2"`
`29`		`- },`
`30`		`- "pnpm": {`
`31`		`- "overrides": {`
`32`		`- "@xmldom/xmldom": "0.8.13",`
`33`		`- "postcss": "8.5.12",`
`34`		`- "uuid": "14.0.0"`
`35`		`- }`
`36`	`29`	`}`
`37`	`30`	`}`