chore(deps): resolve Dependabot security advisories via pnpm overrides #13441

Bekacru wants to merge 3 commits into
Clears the large majority of open Dependabot alerts across the repo by pinning vulnerable (mostly transitive) dependencies to patched versions.

- Add per-major pnpm `overrides` to the root workspace and to each standalone example/tooling project (apps/examples/*, broken-link-checker) so every flagged transitive dep resolves to a non-vulnerable version. Per-major keys (e.g. minimatch@3 / minimatch@9) avoid forcing incompatible major upgrades.
- Bump direct devDependencies of published packages to patched versions: next-auth (next, nodemailer), @auth/core (postcss), @auth/drizzle-adapter (drizzle-orm), @auth/typeorm-adapter (typeorm), and the root vitest/playwright toolchain.
- Regenerate all affected lockfiles.

No runtime `dependencies` of the published packages were vulnerable; all fixes are in devDependencies, peerDependencies, transitive deps, or the non-published example apps.

Verified: `turbo run build` passes for next-auth and all @auth/* packages (qwik example excluded — its build is broken independently of this change on Node 24).

Not addressed (require breaking major upgrades or have no fix): @mikro-orm/core v5->v6, @builder.io/qwik 1.7->1.19 toolchain, and the EOL request/useragent/tsup/vue-template-compiler chains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Codecov Report: all modified and coverable lines are covered by tests.

Coverage diff (main vs. #13441):

|          | main   | #13441 | +/-    |
|----------|--------|--------|--------|
| Coverage | 39.18% | 40.29% | +1.10% |
| Files    | 200    | 190    | -10    |
| Lines    | 32353  | 31463  | -890   |
| Branches | 1404   | 1395   | -9     |
| Hits     | 12678  | 12678  |        |
| Misses   | 19675  | 18785  | -890   |
…ro-orm)

- Override @builder.io/qwik to 1.19.1 (GHSA-p9x5-jp3h-96mm, unauthenticated RCE via server$ deserialization) and @builder.io/qwik-city to 1.19.2 (GHSA-xqg6-98cw-gxhq prototype pollution, GHSA-qr9h-j6xg-2j72 DoS)
- Bump @mikro-orm/core override to 6.6.14 and move the mikro-orm adapter dev deps from v5 to v6.6.14 (GHSA-gwhv-j974-6fxm SQL injection affects < 6.6.10); widen peer range to ^5 || ^6
- Adapt adapter source/tests to MikroORM v6 API (driver option instead of type, onDelete -> deleteRule, mergeObjects -> mergeObjectProperties) while keeping v5-compatible options at runtime
- Use @mikro-orm/better-sqlite in tests (v6 @mikro-orm/sqlite depends on the native sqlite3 package, which no longer builds on Python 3.12+)
- Ignore vitest .snap files in .prettierignore so the pre-commit format hook does not fail on them
drizzle-kit 0.23 cannot read schemas with drizzle-orm 0.45.2 (forced by the security override), so generate/migrate silently produced no tables and the adapter tests failed with ER_NO_SUCH_TABLE in CI.
Summary
Clears the large majority of the repo's open Dependabot alerts (317 unique advisories / ~700 alert paths) by pinning vulnerable dependencies to patched versions.

Key point: none of the alerts are in runtime `dependencies` that ship to npm consumers. Every flagged dependency in a published package is a `devDependency`, a `peerDependency` (consumer-provided), or a transitive build/test dep — and the bulk live in the non-published example apps, docs, and CI tooling. So this is dashboard hygiene, not a fix to the installed library's attack surface.

Approach

- `pnpm.overrides` added to the root workspace and to each standalone project (`apps/examples/*`, `.github/broken-link-checker`). Keys are scoped by major version (e.g. `minimatch@3` → 3.1.4, `minimatch@9` → 9.0.7) so security patches are applied within each major rather than forcing incompatible major upgrades.
- Direct devDependencies of published packages bumped to patched versions: `next-auth` (`next`, `nodemailer`), `@auth/core` (`postcss`), `@auth/drizzle-adapter` (`drizzle-orm`), `@auth/typeorm-adapter` (`typeorm`), plus the root `vitest`/`@vitest/*`/`@playwright/test` toolchain (kept version-aligned to avoid peer breakage).
- Affected lockfiles regenerated (`--lockfile-only` per project).

Verification

`turbo run build` passes for `next-auth` and all 30 `@auth/*` packages (incl. `@auth/sveltekit`, `svelte-check`: 0 errors). The `@auth/qwik` build is excluded — it fails identically on `main` in this environment (Node 24 native/vite issue), independent of this change.

Not addressed (intentionally)

These require breaking changes or have no fix, so they're out of scope for a mechanical security PR:

- `@mikro-orm/core` 5.x → 6.6.10: `@auth/mikro-orm-adapter` is built/peered against v5
- `@builder.io/qwik` 1.7 → 1.19, `@builder.io/qwik-city`, `vite-plugin-static-copy` 1 → 2: `@auth/qwik` build; needs a separate framework upgrade
- `request`, `useragent`, `tsup`, `vue-template-compiler`, `ip`, one `vm2` advisory

🤖 Generated with Claude Code
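The per-major `pnpm.overrides` keys described in this PR (`minimatch@3` → 3.1.4, `minimatch@9` → 9.0.7) pin only the majors they name, and `pnpm install` itself does not report whether a flagged transitive path actually landed on the patched version. The script below is an added example, not code from this PR or the next-auth repository: a dependency-free check that scans the `packages:` section of a `pnpm-lock.yaml` and lists every resolved version of a covered major that is still below its floor. The floor table, the package set and the two lockfile snippets are constructed for the example; the snippets imitate the lockfile v6 layout (`/name@version:` keys) and the lockfile v9 layout (`name@version:` and quoted `'@scope/name@version':` keys).

```javascript
// Added example (not from the PR or the next-auth repo): after `pnpm install`,
// confirm the lockfile no longer resolves a covered major of a package below the
// floor that a per-major `pnpm.overrides` key was meant to enforce.
// Only the `packages:` section of pnpm-lock.yaml is read, line by line, so no
// YAML library is needed.

// Per-major floors, mirroring the PR's minimatch@3 -> 3.1.4 and minimatch@9 -> 9.0.7
// override keys (constructed table; extend it with the packages you are checking).
const REQUIRED_FLOORS = {
  minimatch: { 3: "3.1.4", 9: "9.0.7" },
};

// major.minor.patch as numbers; a prerelease suffix is dropped (assumption: the
// pinned patched releases are plain semver, so ordering on the core triple suffices).
function parseVersion(version) {
  return version.split("-")[0].split(".").map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// A 2-space-indented package key: optional quote, optional leading slash (v6),
// optional @scope/, name, '@', version. Peer suffixes such as "(react@18.2.0)"
// (v9) or "_react@18.2.0" (v6) follow the version and are simply not matched.
const PACKAGE_KEY = /^ {2}['"]?\/?((?:@[^/\s'"]+\/)?[^@\s/'"]+)@(\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?)/;

// Every resolved {name, version} listed under `packages:`.
function resolvedPackages(lockfileText) {
  const found = [];
  let inPackages = false;
  for (const line of lockfileText.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level section
    if (!inPackages) continue;
    const m = PACKAGE_KEY.exec(line);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Entries whose major has a floor but whose resolved version is below it.
// A major with no floor is skipped on purpose: a per-major override key never
// touches it, so the check reports exactly what the override did and did not pin.
function findUnpatched(lockfileText, floors = REQUIRED_FLOORS) {
  const unpatched = [];
  for (const { name, version } of resolvedPackages(lockfileText)) {
    const floor = (floors[name] || {})[parseVersion(version)[0]];
    if (floor !== undefined && compareVersions(version, floor) < 0) {
      unpatched.push({ name, version, floor });
    }
  }
  return unpatched;
}

// Constructed lockfile v6 snippet: a project before the overrides were added.
const BEFORE_LOCKFILE = `lockfileVersion: '6.0'

packages:

  /brace-expansion@1.1.11:
    resolution: {integrity: sha512-constructed}

  /minimatch@3.0.4:
    resolution: {integrity: sha512-constructed}
    dependencies:
      brace-expansion: 1.1.11

  /minimatch@9.0.3:
    resolution: {integrity: sha512-constructed}
`;

// Constructed lockfile v9 snippet: after the minimatch@3 / minimatch@9 overrides.
// minimatch@5.1.6 is included to show that a major without a floor is ignored.
const AFTER_LOCKFILE = `lockfileVersion: '9.0'

packages:

  '@isaacs/cliui@8.0.2':
    resolution: {integrity: sha512-constructed}

  minimatch@3.1.4:
    resolution: {integrity: sha512-constructed}

  minimatch@5.1.6:
    resolution: {integrity: sha512-constructed}

  minimatch@9.0.7:
    resolution: {integrity: sha512-constructed}

snapshots:

  minimatch@9.0.7:
    dependencies:
      brace-expansion: 2.0.1
`;

console.log(findUnpatched(BEFORE_LOCKFILE)); // 3.0.4 below 3.1.4, 9.0.3 below 9.0.7
console.log(findUnpatched(AFTER_LOCKFILE));  // []
```

To run it against a real workspace, replace the inline strings with `fs.readFileSync("pnpm-lock.yaml", "utf8")` for each lockfile the PR touched (root plus every `apps/examples/*` project, since each has its own). A non-empty result means an override key did not reach that dependency path. A major that has no floor is skipped, which is the same blind spot a per-major key has: a flagged version in a major the overrides do not name needs its own key.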