
build(deps): pin patched transitive dependency versions #404

Merged
dev-jodee merged 1 commit into main from fix/dependabot-transitive-remediation
Mar 27, 2026

Conversation

@dev-jodee dev-jodee commented Mar 27, 2026

Summary

  • Remediated all currently open lockfile-resolvable Dependabot alerts for sdks/pnpm-lock.yaml by pinning patched transitives via pnpm.overrides in sdks/package.json.
  • Added explicit multi-major pins for picomatch:
    • picomatch@^2 -> 2.3.2
    • picomatch@^4 -> 4.0.4
  • Updated transitive pins:
    • brace-expansion@^2 -> 2.0.3
    • yaml@^2 -> 2.8.3
  • Regenerated sdks/pnpm-lock.yaml with pnpm install --lockfile-only.

Dependabot Alerts In Scope

Test Plan

  • gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" '/repos/solana-foundation/kora/dependabot/alerts?state=open&per_page=100'
  • pnpm install --lockfile-only (run in sdks/)
    • Succeeded; lockfile regenerated with override pins.
  • rg -n "brace-expansion@2\\.0\\.2|picomatch@2\\.3\\.1|picomatch@4\\.0\\.3|yaml@2\\.8\\.1" sdks/pnpm-lock.yaml
    • No matches (vulnerable versions removed).
  • rg -n "brace-expansion@2\\.0\\.3|picomatch@2\\.3\\.2|picomatch@4\\.0\\.4|yaml@2\\.8\\.3" sdks/pnpm-lock.yaml
    • Matches found for all patched versions.
  • pnpm audit --json (run in sdks/)
    • Command exits non-zero due to existing advisories outside this Dependabot alert set; output captured for follow-up.

Remaining Unresolved Alerts


Pin patched transitive npm versions in sdks workspace via pnpm.overrides (brace-expansion@^2 -> 2.0.3, picomatch@^2 -> 2.3.2, picomatch@^4 -> 4.0.4, yaml@^2 -> 2.8.3).

Remaining unpatchable alerts in this Dependabot set: none identified; all open alerts (89-94) are lockfile-resolvable.
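The test plan above greps the regenerated lockfile for the exact vulnerable and patched version strings named in the alerts. What follows is an added example, not code from the kora repository or from this PR, that generalizes that check: it parses only the packages: section of a pnpm-lock.yaml (so snapshots: and overrides: entries are not mistaken for resolved packages), flags any resolved version that falls inside an advisory's affected range rather than only the exact versions the alerts named, and derives the same major-scoped pnpm.overrides keys (brace-expansion@^2, picomatch@^2, picomatch@^4, yaml@^2) that the PR pins. The sample lockfile, the placeholder integrity hashes, and the lower bound of each affected range (assumed to be the start of the major, as the ^2/^4 override keys suggest) are constructed assumptions; only the package names and patched versions come from the PR.

```python
"""Audit the packages: section of a pnpm-lock.yaml against known advisories.

Added example, not code from the kora repository or this PR. The lockfile
text and advisory table are constructed: package names and patched versions
come from the PR, affected lower bounds (start of each major) are assumed,
and integrity hashes are placeholders.
"""
import re
from dataclasses import dataclass

Version = tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version  # first affected version (inclusive); assumed here
    fixed: Version       # first patched version (exclusive upper bound)


def parse_version(text: str) -> Version:
    """Return (major, minor, patch); any prerelease/build suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not a semver version: {text!r}")
    return tuple(int(x) for x in m.groups())


def fmt(v: Version) -> str:
    return ".".join(map(str, v))


# Matches a lockfile package key such as '  picomatch@2.3.1:' or
# '  @scope/name@1.0.0(peer@2.0.0):' (lockfile v6 keys carry a leading '/').
PACKAGE_KEY = re.compile(
    r"^  /?(?P<name>@?[^@\s]+)@(?P<version>\d+\.\d+\.\d+[^\s:(]*)(?:\([^)]*\))*:\s*$"
)


def lockfile_packages(lockfile_text: str) -> list[tuple[str, Version]]:
    """Collect (name, version) from the 'packages:' section only."""
    section = None
    found: list[tuple[str, Version]] = []
    for line in lockfile_text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            section = line[:-1]  # an unindented 'key:' line starts a new section
            continue
        if section != "packages":
            continue
        m = PACKAGE_KEY.match(line)
        if m:
            found.append((m["name"], parse_version(m["version"])))
    return found


def find_vulnerable(lockfile_text: str, advisories: list[Advisory]) -> list[str]:
    """Flag every resolved version inside an advisory's affected range,
    not only the exact versions an alert happened to name."""
    hits = []
    for name, ver in lockfile_packages(lockfile_text):
        for adv in advisories:
            if adv.package == name and adv.introduced <= ver < adv.fixed:
                hits.append(f"{name}@{fmt(ver)} (fixed in {fmt(adv.fixed)})")
    return hits


def scoped_overrides(advisories: list[Advisory]) -> dict[str, str]:
    """Derive pnpm.overrides keys scoped to the affected major ('pkg@^N').
    A bare 'pkg' key would also rewrite consumers of unaffected majors."""
    return {f"{a.package}@^{a.introduced[0]}": fmt(a.fixed) for a in advisories}


# Constructed from the PR's pins; lower bounds assumed to be each major's start.
ADVISORIES = [
    Advisory("brace-expansion", (2, 0, 0), (2, 0, 3)),
    Advisory("picomatch", (2, 0, 0), (2, 3, 2)),
    Advisory("picomatch", (4, 0, 0), (4, 0, 4)),
    Advisory("yaml", (2, 0, 0), (2, 8, 3)),
]

# Constructed lockfile: remediated except for one leftover picomatch@2 entry.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

overrides:
  brace-expansion@^2: 2.0.3
  picomatch@^2: 2.3.2
  picomatch@^4: 4.0.4
  yaml@^2: 2.8.3

packages:
  brace-expansion@1.1.13:
    resolution: {integrity: sha512-PLACEHOLDER}
  brace-expansion@2.0.3:
    resolution: {integrity: sha512-PLACEHOLDER}
  brace-expansion@5.0.5:
    resolution: {integrity: sha512-PLACEHOLDER}
  picomatch@2.3.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  picomatch@4.0.4:
    resolution: {integrity: sha512-PLACEHOLDER}
  yaml@2.8.3:
    resolution: {integrity: sha512-PLACEHOLDER}

snapshots:
  micromatch@4.0.8:
    dependencies:
      picomatch: 2.3.1
"""

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCKFILE, ADVISORIES):
        print("VULNERABLE:", hit)
    print("overrides:", scoped_overrides(ADVISORIES))
```

Run against the real sdks/pnpm-lock.yaml, the checker reads the file instead of SAMPLE_LOCKFILE; brace-expansion@1.1.13 and @5.0.5 are left alone because they fall outside the assumed 2.x range, which is the same reason the PR's scoped override no longer drags ^1 and ^5 consumers onto the v2 branch.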
@dev-jodee dev-jodee requested a review from amilz as a code owner March 27, 2026 17:23
@github-actions

📊 TypeScript Coverage Report

Coverage: 33.1%

Coverage artifacts have been uploaded to this workflow run.

@devin-ai-integration devin-ai-integration bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.

greptile-apps bot commented Mar 27, 2026

Greptile Summary

This PR remediates six open Dependabot alerts (#89–#94) in sdks/pnpm-lock.yaml by pinning patched transitive dependency versions via pnpm.overrides in sdks/package.json, then regenerating the lockfile.

Key changes:

  • Replaces the previous broad "brace-expansion": ">=2.0.2" override with the correctly-scoped "brace-expansion@^2": "2.0.3", so consumers requesting ^1.x (e.g. minimatch@3.x) and ^5.x (e.g. minimatch@10.x) are no longer incorrectly forced onto the v2 branch.
  • Adds "picomatch@^2": "2.3.2" and "picomatch@^4": "4.0.4" to address the multi-major picomatch alerts.
  • Adds "yaml@^2": "2.8.3" to address the yaml alert.
  • The lockfile correctly reflects these pins — all previously vulnerable versions (picomatch@2.3.1, picomatch@4.0.3, brace-expansion@2.0.2, yaml@2.8.1) have been replaced.
  • As a side-effect of the now-scoped brace-expansion override, brace-expansion@1.1.13 and brace-expansion@5.0.5 appear as new entries for consumers in those semver ranges. These are the latest versions in their respective ranges and are not flagged by any of the in-scope Dependabot alerts.
  • A residual pnpm audit non-zero exit is acknowledged in the PR description as out-of-scope and tracked for follow-up.

Confidence Score: 5/5

Safe to merge — all in-scope Dependabot alerts are addressed with exact patched version pins and a correctly regenerated lockfile.

No P0 or P1 issues found. The overrides are correctly scoped to their semver ranges, all six patched versions are present in the lockfile, and the new brace-expansion v1/v5 entries are latest-in-range releases with no associated alerts. The change is narrowly scoped to dependency pinning with no application code modifications.

No files require special attention.

Important Files Changed

  • sdks/package.json: Replaces broad brace-expansion override with correctly-scoped semver overrides for picomatch, brace-expansion, and yaml; all pins target the exact patched versions from Dependabot alerts #89–#94.
  • sdks/pnpm-lock.yaml: Lockfile regenerated to reflect new pinned versions; vulnerable versions removed, patched versions installed, and previously-masked brace-expansion@1.x and @5.x consumers now resolve to their natural (non-overridden) latest releases (1.1.13 and 5.0.5 respectively).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    OV["pnpm.overrides (sdks/package.json)"]
    OV -->|"brace-expansion@^2 → 2.0.3"| BE2["brace-expansion@2.0.3\n(minimatch@5, minimatch@9)"]
    OV -->|"picomatch@^2 → 2.3.2"| PM2["picomatch@2.3.2\n(anymatch, micromatch, jest-haste-map)"]
    OV -->|"picomatch@^4 → 4.0.4"| PM4["picomatch@4.0.4\n(fdir, tinyglobby)"]
    OV -->|"yaml@^2 → 2.8.3"| YML["yaml@2.8.3\n(typedoc-plugin-markdown)"]
    OV -. "unaffected (scoped override)" .-> BE1["brace-expansion@1.1.13\n(minimatch@3 — natural ^1 resolution)"]
    OV -. "unaffected (scoped override)" .-> BE5["brace-expansion@5.0.5\n(minimatch@10 — natural ^5 resolution)"]

Reviews (1): Last reviewed commit: "build(deps): pin patched transitive depe..."

@dev-jodee dev-jodee merged commit 3b9408b into main Mar 27, 2026
4 checks passed
@dev-jodee dev-jodee deleted the fix/dependabot-transitive-remediation branch March 27, 2026 17:35