Skip to content

feat(ci): add pnpm audit --prod check #2204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: next
Choose a base branch
from
Open

feat(ci): add pnpm audit --prod check #2204

wants to merge 1 commit into from

Conversation

@jkomyno
Copy link
Collaborator

@jkomyno jkomyno commented Nov 24, 2025
edited by cursor bot
Loading

This PR:

  • adds pnpm audit --prod check to test suite
  • fixes existing 14 vulnerabilities in composio's dev repository

Note

Adds a production pnpm audit CI step and enforces upgraded, secure dependency versions via pnpm overrides and lockfile updates (including ai, next, hono, js-yaml, form-data, sharp), with examples and workspace catalog aligned.

  • CI:
    • Add pnpm audit --prod step to TS SDK workflow (.github/workflows/ts.test.yml).
  • Dependencies/Security:
    • Add pnpm.overrides in package.json to enforce secure versions of form-data, js-yaml, hono, next, ai, and transitive @mastra/core>ai.
    • Bump/resolve packages across lockfile: ai, @ai-sdk/*, @openrouter/ai-sdk-provider, next (to 16.x), hono (4.10.x), js-yaml (4.1.1), form-data (4.0.5), sharp (0.34.5) and related platform artifacts.
    • Update workspace catalog (pnpm-workspace.yaml) and example apps (ts/examples/*) to align with new versions (e.g., hono ≥4.10.3, @mastra/core ^0.24.5).

Written by Cursor Bugbot for commit b61bb0c. This will update automatically on new commits. Configure here.

@jkomyno jkomyno marked this pull request as ready for review November 24, 2025 20:41
@jkomyno jkomyno requested a review from haxzie as a code owner November 24, 2025 20:41
cursor[bot]
cursor bot reviewed Nov 24, 2025
View reviewed changes
pnpm-workspace.yaml
'@cloudflare/workers-types': ^4.20250917.0
'@composio/client': 0.1.0-alpha.40
ai: 5.0.44
ai: 5.0.52
Copy link

@cursor cursor bot Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Catalog version mismatch with pnpm overrides

The catalog defines ai as exact version 5.0.52, but the pnpm overrides use range >=5.0.52. This creates inconsistent version resolution where packages using catalog: get exactly 5.0.52, while transitive dependencies can resolve to newer versions. For vulnerability fixes requiring minimum versions, the catalog should use ^5.0.52 or >=5.0.52 to match the override behavior and allow security patches.

Additional Locations (1)

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@haxzie haxzie haxzie approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jkomyno @haxzie