Add pnpm dependency overrides for security vulnerabilities #3
Add pnpm.overrides to force patched versions of vulnerable transitive dependencies: fast-xml-parser, node-forge, undici, tar, minimatch, picomatch, and brace-expansion. https://claude.ai/code/session_01YLnaP1E1tMzpnACcD3A6nN
Code Review
This pull request introduces a pnpm.overrides section in package.json and updates pnpm-lock.yaml to enforce minimum versions for several dependencies, including fast-xml-parser, node-forge, and undici. The reviewer suggested sorting the overrides list alphabetically in package.json to improve maintainability.
| "fast-xml-parser": ">=4.5.5", | ||
| "node-forge": ">=1.4.0", | ||
| "undici": ">=6.24.1", | ||
| "tar": ">=7.5.13", | ||
| "minimatch": ">=10.2.4", | ||
| "picomatch": ">=4.0.4", | ||
| "brace-expansion": ">=2.0.2" |
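Review bot: every override in this block is an open lower bound, so `"undici": ">=6.24.1"` lets pnpm resolve to the newest undici it can find, including a later major, while `"minimatch": ">=10.2.4"` and `"brace-expansion": ">=2.0.2"` push every consumer onto those majors even where it was written against an older API. Bound each override to the major line its consumers expect, for example `"undici": ">=6.24.1 <7"`, and for a package whose consumers sit on different majors pick a patched release within each major, or drop the override where no same-major fix exists.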
For better maintainability and readability, it's a good practice to keep dependency lists and other similar key-value mappings sorted alphabetically. Please sort the packages in the overrides section.
| "fast-xml-parser": ">=4.5.5", | |
| "node-forge": ">=1.4.0", | |
| "undici": ">=6.24.1", | |
| "tar": ">=7.5.13", | |
| "minimatch": ">=10.2.4", | |
| "picomatch": ">=4.0.4", | |
| "brace-expansion": ">=2.0.2" | |
| "brace-expansion": ">=2.0.2", | |
| "fast-xml-parser": ">=4.5.5", | |
| "minimatch": ">=10.2.4", | |
| "node-forge": ">=1.4.0", | |
| "picomatch": ">=4.0.4", | |
| "tar": ">=7.5.13", | |
| "undici": ">=6.24.1" |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: de1b79d4c2
| undici@7.24.6: | ||
| resolution: {integrity: sha512-Xi4agocCbRzt0yYMZGMA6ApD7gvtUFaxm4ZmeacWI4cZxaF6C+8I8QfofC20NAePiB/IcvZmzkJ7XPa471AEtA==} | ||
| engines: {node: '>=20.18.1'} |
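Review bot: `undici@7.24.6` with `engines: {node: '>=20.18.1'}` is what the open override `>=6.24.1` resolved to, so the lockfile now carries a Node floor above the one the previous undici@6.23.0 entry required, and an install with engine-strict on Node 18 will refuse it. Cap the override at the 6.x line (`>=6.24.1 <7`), re-run `pnpm install`, and confirm the regenerated entry is a 6.24.x release whose `engines` field still admits the Node versions the project supports.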
Keep undici on a Node 18-compatible major
This change upgrades undici to 7.24.6, which raises the engine requirement to node >=20.18.1 (previously undici@6.23.0 required >=18.17). In setups still on Node 18 or older Node 20 patch levels—especially with engine-strict enabled—installing or running the Expo CLI dependency chain can fail, so the security override unintentionally increases the project’s effective Node minimum. Constrain the override to the secure 6.x line (for example ^6.24.1) to avoid this compatibility regression.
The previous unbounded overrides caused CI failures:
- minimatch v10 broke test-exclude@6 (removed default export)
- undici v7 raised Node minimum to >=20.18.1 (breaks Node 18)
- brace-expansion v5 broke minimatch@5 (different API)
Use bounded version ranges (e.g. ">=3.1.5 <4") to keep each consumer on its compatible major line while bumping to patched versions. Remove brace-expansion override as no same-major fix exists.
https://claude.ai/code/session_01YLnaP1E1tMzpnACcD3A6nN
Summary
This PR adds pnpm dependency overrides to enforce minimum versions of several packages with known security vulnerabilities, ensuring that transitive dependencies are resolved to secure versions.
Key Changes
- pnpm.overrides configuration in package.json with minimum version constraints for:
  - fast-xml-parser (>=4.5.5)
  - node-forge (>=1.4.0)
  - undici (>=6.24.1)
  - tar (>=7.5.13)
  - minimatch (>=10.2.4)
  - picomatch (>=4.0.4)
  - brace-expansion (>=2.0.2)
Details
These overrides ensure that even if dependencies specify older versions of these packages, pnpm will resolve them to the specified minimum versions, mitigating known security vulnerabilities in transitive dependencies. This is a common practice for maintaining security posture without requiring direct dependency updates.
https://claude.ai/code/session_01YLnaP1E1tMzpnACcD3A6nN
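The resolution behaviour described in the summary above, and the bounded-range fix from the second commit message, as an added example that is not the PR's, pnpm's or any listed package's own code: a small Node script that takes a pnpm.overrides map and a pnpm-lock.yaml excerpt, reports which version each override actually resolved to, and flags both out-of-range versions and major-line changes against the previously locked version. The lock excerpt, the two override maps, the "previous" versions and the function names (`satisfies`, `lockedVersions`, `auditOverrides`) are this example's own constructions.

```javascript
// Added example for this thread, not code from the PR, pnpm or any package
// named above. Lock excerpt, override maps and "previous" versions are
// constructed (integrity hashes are fake). Only the ">=", "<" and "^" range
// forms seen in this thread are supported.

const LOCK_EXCERPT = `
packages:

  fast-xml-parser@4.5.5:
    resolution: {integrity: sha512-constructedForExample}
  minimatch@10.2.4:
    resolution: {integrity: sha512-constructedForExample}
  undici@7.24.6:
    resolution: {integrity: sha512-constructedForExample}
    engines: {node: '>=20.18.1'}
`;

// Open lower bounds, as in the first commit of this PR.
const UNBOUNDED_OVERRIDES = {
  "fast-xml-parser": ">=4.5.5",
  minimatch: ">=10.2.4",
  undici: ">=6.24.1",
};

// Patched floor plus a cap on the consumer's major, as in the follow-up commit.
const BOUNDED_OVERRIDES = {
  "fast-xml-parser": ">=4.5.5 <5",
  minimatch: ">=3.1.5 <4",
  undici: ">=6.24.1 <7",
};

// "4" -> [4, 0, 0]; "7.24.6-beta.1" -> [7, 24, 6] (prerelease tags ignored).
function parseVersion(text) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(text);
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { min, maxExclusive }; maxExclusive is null for an open range.
function parseRange(range) {
  let min = [0, 0, 0];
  let maxExclusive = null;
  for (const tok of range.trim().split(/\s+/)) {
    if (tok.startsWith(">=")) min = parseVersion(tok.slice(2));
    else if (tok.startsWith("<")) maxExclusive = parseVersion(tok.slice(1));
    else if (tok.startsWith("^")) {
      min = parseVersion(tok.slice(1)); // caret on a major >= 1: same major line
      maxExclusive = [min[0] + 1, 0, 0];
    } else throw new Error(`unsupported range token: ${tok}`);
  }
  return { min, maxExclusive };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = parseRange(range);
  if (compareVersions(v, min) < 0) return false;
  return maxExclusive === null || compareVersions(v, maxExclusive) < 0;
}

// name -> every version in the lockfile's packages: section. Assumes pnpm's
// layout of two-space-indented "<name>@<version>:" entries (scoped names quoted).
function lockedVersions(lockText) {
  const out = new Map();
  const entry = /^ {2}'?(@?[^@\s']+)@(\d+\.\d+\.\d+[^:'\s]*)'?:/;
  for (const line of lockText.split("\n")) {
    const m = entry.exec(line);
    if (!m) continue;
    if (!out.has(m[1])) out.set(m[1], []);
    out.get(m[1]).push(m[2]);
  }
  return out;
}

// previous: name -> version locked before the override, used to flag a
// major-line change that the range itself did not block.
function auditOverrides(overrides, lockText, previous = {}) {
  const locked = lockedVersions(lockText);
  const findings = [];
  for (const [name, range] of Object.entries(overrides)) {
    const versions = locked.get(name) ?? [];
    if (versions.length === 0) findings.push({ name, version: null, status: "not-in-lockfile", majorChanged: false });
    for (const version of versions) {
      const majorChanged = name in previous && parseVersion(previous[name])[0] !== parseVersion(version)[0];
      findings.push({ name, version, status: satisfies(version, range) ? "ok" : "out-of-range", majorChanged });
    }
  }
  return findings;
}

// Stand-alone run: the same lockfile judged by both override styles.
if (typeof require !== "undefined" && require.main === module) {
  const previous = { undici: "6.23.0", minimatch: "5.1.6" };
  for (const [label, o] of [["unbounded", UNBOUNDED_OVERRIDES], ["bounded", BOUNDED_OVERRIDES]])
    for (const f of auditOverrides(o, LOCK_EXCERPT, previous))
      console.log(label, `${f.name}@${f.version}`, f.status, f.majorChanged ? "(major changed)" : "");
}
```

Run it against the regenerated lockfile before committing: an `ok` finding marked `(major changed)` is exactly the case the first commit hit, where the override was satisfied but the consumer's major moved under it, and the bounded map turns the same resolution into `out-of-range`. The `^` form suggested in the Codex comment is accepted and treated as a same-major cap; prerelease tags and `||` unions are out of scope for this check.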