fix(security): widen Dependabot scope and pin patched Next for webpack plugin

thomasrockhu-codecov · thomasrockhu-codecov · commit cef3a3dc58f7 · 2026-04-03T05:04:36.000+09:00
Remove dependabot.yml allow list so security updates are not limited to
@codecov/rollup-plugin.

Add next ^14.2.25 as a devDependency of @codecov/nextjs-webpack-plugin so
pnpm resolves a patched 14.x for the peer range instead of vulnerable 14.2.10.

Made-with: Cursor
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,5 +7,3 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
-    allow:
-      - dependency-name: "@codecov/rollup-plugin"
diff --git a/packages/nextjs-webpack-plugin/package.json b/packages/nextjs-webpack-plugin/package.json
@@ -57,6 +57,7 @@
     "@vitest/coverage-v8": "^2.1.9",
     "codecovProdRollupPlugin": "npm:@codecov/rollup-plugin@1.5.0",
     "msw": "^2.7.0",
+    "next": "^14.2.25",
     "ts-node": "^10.9.2",
     "typedoc": "^0.27.5",
     "typescript": "^5.3.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
