
Potential fix for code scanning alert no. 78: Workflow does not conta… #3


.github/workflows/check-stale-overrides.yml

GitHub Actions check annotation on this file: "Invalid workflow file. You have an error in your yaml syntax on line 97" (check failure on line 97; view workflow run for this annotation).

name: Check Stale Overrides

permissions:
  contents: read
  issues: write

on:
  schedule:
    - cron: '0 6 * * 1' # Weekly on Monday 6 AM UTC
  workflow_dispatch: # Manual trigger

jobs:
  check-overrides:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: 10

      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'pnpm'

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Check for stale overrides
        id: check
        run: |
          # Extract overrides from package.json
          OVERRIDES=$(node -e "
            const pkg = require('./package.json');
            const overrides = pkg.pnpm?.overrides || {};
            Object.entries(overrides).forEach(([name, version]) => {
              console.log(name + '@' + version);
            });
          ")

          if [ -z "$OVERRIDES" ]; then
            echo "No pnpm overrides configured"
            echo "has_overrides=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "has_overrides=true" >> "$GITHUB_OUTPUT"

          echo "## Current pnpm.overrides" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "The following overrides are pinned in package.json:" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "$OVERRIDES" >> "$GITHUB_STEP_SUMMARY"
          echo "\`\`\`" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Action Required" >> "$GITHUB_STEP_SUMMARY"
          echo "Check if parent packages have been updated to use fixed versions of these dependencies." >> "$GITHUB_STEP_SUMMARY"
          echo "If so, remove the override from \`package.json\` and run \`pnpm install\`." >> "$GITHUB_STEP_SUMMARY"

      - name: Create issue if overrides exist
        if: steps.check.outputs.has_overrides == 'true'
        uses: actions/github-script@v7
        with:
          script: |
            const pkg = require('./package.json');
            const overrides = pkg.pnpm?.overrides || {};
            if (Object.keys(overrides).length === 0) return;

            // Check if an open issue already exists so the weekly run does not file duplicates
            const issues = await github.rest.issues.listForRepo({
              owner: context.repo.owner,
              repo: context.repo.repo,
              labels: 'stale-overrides',
              state: 'open'
            });
            if (issues.data.length > 0) {
              console.log('Issue already exists, skipping');
              return;
            }

            const overrideList = Object.entries(overrides)
              .map(([name, version]) => `- \`${name}\`: ${version}`)
              .join('\n');

            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: 'Review pnpm.overrides for stale security fixes',
              labels: ['stale-overrides', 'dependencies'],
              body: `## Stale Override Check

            The following subdependency overrides are configured in \`package.json\`:

            ${overrideList}

            ### Action Required

            1. Check if the parent packages have been updated to include fixed versions
            2. Remove any overrides that are no longer needed:
               - Edit \`package.json\` and remove the override from \`pnpm.overrides\`
               - Run \`pnpm install\` to update the lockfile
               - Verify the vulnerability is resolved with \`pnpm audit\`

            ### Why This Matters

            Overrides pin subdependencies to specific versions. Once upstream packages are fixed, these overrides become stale and may:
            - Prevent you from getting newer fixes
            - Create version conflicts
            - Make \`pnpm audit\` report false negatives

            ---
            *This issue was automatically created by the stale-overrides workflow.*`
            });
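The workflow above only lists the overrides and asks a maintainer to decide by hand whether each one is still needed. The following is an added example, not code from this PR or its repository, that turns that manual check into a function: an override counts as stale when every parent package that still depends on the overridden subdependency declares a range whose floor is already at or above the override version. The parent range map and the sample overrides are constructed inputs (in practice the ranges would be read from each parent's own package.json), and range parsing is deliberately limited to exact, `^`, `~` and `>=` specifiers on x.y.z versions.

```javascript
// Added example, not part of the PR's workflow. Range parsing is minimal on purpose:
// exact, ^, ~ and >= prefixes on x.y.z versions; pre-release tags are not handled.
const versionTuple = (spec) =>
  spec.trim().replace(/^[\^~>=]+/, '').split('.').map((n) => parseInt(n, 10) || 0);

// Numeric three-part comparison: negative if a < b, zero if equal, positive if a > b.
const compareVersions = (a, b) => {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
};

// pnpm override keys may carry a selector, e.g. "foo@<2" or "@scope/pkg@<2".
// The package name is everything before the last "@" (a leading scope "@" is kept).
const overrideName = (key) => {
  const at = key.lastIndexOf('@');
  return at > 0 ? key.slice(0, at) : key;
};

// overrides: the pnpm.overrides object from package.json.
// parentRanges: { subDependency: { parentPackage: declaredRange } } (hypothetical input).
function classifyOverrides(overrides, parentRanges) {
  const stale = [];
  const needed = [];
  for (const [key, overrideVersion] of Object.entries(overrides)) {
    const name = overrideName(key);
    const floor = versionTuple(overrideVersion);
    const parents = Object.values(parentRanges[name] || {});
    // Stale only when every remaining parent already floors at the fixed version;
    // an override with no remaining parents no longer does anything and is stale too.
    const parentsFixed = parents.every((r) => compareVersions(versionTuple(r), floor) >= 0);
    (parentsFixed ? stale : needed).push(name);
  }
  return { stale, needed };
}

// Constructed sample input standing in for package.json and the parents' manifests.
const SAMPLE_OVERRIDES = { lodash: '4.17.21', minimist: '^1.2.6', '@scope/pkg@<2': '2.0.1' };
const SAMPLE_PARENT_RANGES = {
  lodash: { 'some-lib': '^4.17.21', 'other-lib': '~4.17.15' }, // other-lib still floors below the fix
  minimist: { mkdirp: '^1.2.6' },                              // parent already requires the fixed version
  '@scope/pkg': { consumer: '^1.5.0' },                        // parent still on 1.x
};

console.log(classifyOverrides(SAMPLE_OVERRIDES, SAMPLE_PARENT_RANGES));
// → { stale: [ 'minimist' ], needed: [ 'lodash', '@scope/pkg' ] }
```

Only the entries reported as stale are candidates for removal; the `pnpm install` and `pnpm audit` steps from the issue template still confirm the result against the real lockfile.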