
fix: patch Dependabot transitive dep advisories via pnpm overrides #26

Merged
nodrel-dev merged 1 commit into main from fix/dependabot-transitive-deps on Jun 24, 2026

Conversation

@nodrel-dev

Owner

Summary

Remedies all 13 open Dependabot alerts. Every flagged package is a dev/build-chain transitive dependency (under @n8n/node-cli and release-it) — nothing ships to npm since the package publishes only dist (files: ["dist"]). Fixed by extending the existing pnpm.overrides block, pinning each advisory's patched version within its current major so the toolchain isn't bumped across a breaking boundary.

Alerts resolved

| Package | Was | Now | Advisories |
| --- | --- | --- | --- |
| undici | 6.26.0 / 7.24.5 | 6.27.0 / 7.28.0 | Set-Cookie SameSite downgrade, Set-Cookie header injection, SOCKS5 cross-origin routing + TLS bypass (high), cache whitespace disclosure, keep-alive queue poisoning |
| uuid | 10.0.0 | 11.1.1 | Missing buffer bounds check (no 10.x patch exists; 11.1.1 already in tree) |
| lodash | 4.17.23 | 4.18.1 | _.template code injection (high), prototype pollution in _.unset/_.omit |
| minimatch | 9.0.3 | 9.0.7 | matchOne() ReDoS (high); 3.x/5.x/10.x lines untouched |

Test plan

  • pnpm install clean
  • pnpm build
  • pnpm lint ✓ (exit 0)
  • pnpm test ✓ 16/16
  • Lockfile diff confirms vulnerable versions gone; only package.json + pnpm-lock.yaml changed

…ides

Resolves 13 open Dependabot alerts plus a high-severity form-data
advisory caught by Snyk, all in dev/build-chain transitive deps
(nothing ships — files: ["dist"]). Pinned via pnpm.overrides, staying
within each existing major to avoid breaking the toolchain:

- undici 6.26.0 -> 6.27.0, 7.24.5 -> 7.28.0 (Set-Cookie SameSite/header
  injection, SOCKS5 routing/TLS bypass, cache + queue poisoning)
- uuid 10.0.0 -> 11.1.1 (missing buffer bounds check; no 10.x patch
  exists, so bumped to the patched 11.x already in the tree)
- lodash 4.17.23 -> 4.18.1 (_.template code injection, prototype
  pollution in _.unset/_.omit)
- minimatch 9.0.3 -> 9.0.7 (matchOne ReDoS); 3.x/5.x/10.x untouched
- form-data 4.0.4 -> 4.0.6 (CRLF injection via unescaped multipart
  field names, GHSA-hmw2-7cc7-3qxx)

pnpm audit clean; build, lint, and test (16/16) all green.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
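A repeatable form of the test plan's "vulnerable versions gone" lockfile check, as an added example that is not the PR's own code: it scans a pnpm-lock.yaml for any package still below the patched floor named above for its major line, leaving uncovered majors (e.g. minimatch 3.x/5.x/10.x) alone. It assumes a lockfile v9 layout and uses a small regex over `packages:` keys instead of a YAML parser; the sample lockfile and the `@n8n/node-cli` version in it are constructed.

```javascript
// Added example (not from the PR): flag lockfile entries below their per-major patch floor.

// Floors named in the PR, keyed by the major line each applies to.
const FLOORS = {
  undici: { 6: '6.27.0', 7: '7.28.0' },
  uuid: { 10: '11.1.1' },       // no 10.x patch exists, so any 10.x is below the floor
  lodash: { 4: '4.18.1' },
  minimatch: { 9: '9.0.7' },    // 3.x/5.x/10.x lines deliberately not covered
  'form-data': { 4: '4.0.6' },
};

// Numeric compare of "x.y.z" strings; a pre-release suffix is ignored.
function cmpVersion(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Unique {name, version} pairs from keys like `  undici@6.26.0:` or
// `  '@n8n/node-cli@0.5.0':` (assumption: v9 layout; a v6 peer suffix "(...)" is dropped).
function lockedPackages(lockText) {
  const seen = new Map();
  const re = /^ {2}'?\/?(@?[^@'\s]+)@([^'(:\s]+)'?:/;
  for (const line of lockText.split('\n')) {
    const m = re.exec(line);
    if (m) seen.set(`${m[1]}@${m[2]}`, { name: m[1], version: m[2] });
  }
  return [...seen.values()];
}

// Every locked package whose major line has a floor and which is still below it.
function findUnpatched(lockText, floors = FLOORS) {
  const hits = [];
  for (const { name, version } of lockedPackages(lockText)) {
    const floor = floors[name]?.[version.split('.')[0]];
    if (floor && cmpVersion(version, floor) < 0) hits.push({ name, version, floor });
  }
  return hits.sort((x, y) => x.name.localeCompare(y.name));
}

// Constructed lockfile excerpt (not the project's lockfile; the @n8n/node-cli version is made up).
const SAMPLE_LOCK = [
  "lockfileVersion: '9.0'", '', 'packages:', '',
  "  '@n8n/node-cli@0.5.0':", '    resolution: {integrity: sha512-PLACEHOLDER}',
  '  form-data@4.0.6:', '  lodash@4.18.1:', '  minimatch@3.1.2:', '  minimatch@9.0.3:',
  '  undici@6.26.0:', '  undici@7.28.0:', '  uuid@11.1.1:',
].join('\n');
// On a real tree: findUnpatched(require('node:fs').readFileSync('pnpm-lock.yaml', 'utf8'))
const SAMPLE_HITS = findUnpatched(SAMPLE_LOCK); // -> minimatch@9.0.3 (floor 9.0.7), undici@6.26.0 (floor 6.27.0)
```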
@nodrel-dev nodrel-dev force-pushed the fix/dependabot-transitive-deps branch from aca272c to 9bb81ff on June 24, 2026 21:52
@nodrel-dev nodrel-dev merged commit baca923 into main Jun 24, 2026
2 checks passed
@nodrel-dev nodrel-dev deleted the fix/dependabot-transitive-deps branch June 24, 2026 21:53