
fix(deps): add pnpm overrides to resolve security vulnerabilities#1101

Open
StevenWolfe wants to merge 3 commits into Fission-AI:main from StevenWolfe:fix/security-audit-overrides

Conversation

@StevenWolfe StevenWolfe commented May 19, 2026

Summary

Adds pnpm.overrides to package.json to force minimum patched versions for transitive dependencies flagged by pnpm audit, and updates the lockfile accordingly.

Overrides added:

Package                                            Min safe version   Advisory
vite                                               >=7.3.2            GHSA (ReDoS / path traversal)
rollup                                             >=4.59.0           prototype pollution
flatted                                            >=3.4.2            prototype pollution
postcss                                            >=8.5.10           ReDoS
minimatch > brace-expansion                        >=2.0.3            ReDoS
@eslint/config-array > minimatch                   >=9.0.7            ReDoS
@typescript-eslint/typescript-estree > minimatch   >=9.0.7            ReDoS
picomatch                                          >=4.0.4            ReDoS

Also bumps the direct yaml dependency from ^2.8.2 to ^2.8.3 (patch), and updates the flake.nix hash to match the new lockfile.

Known gap — tmp@0.0.33 (low, GHSA-52f5-9888-hmc6):
Cannot be fixed via override. The path is @inquirer/prompts > @inquirer/editor > external-editor > tmp. external-editor@3.1.0 depends on the tmp@0.0.x API, which is incompatible with the patched >=0.2.4 (significant API break between 0.0.x and 0.2.x). Requires an upstream fix in external-editor or @inquirer/editor.

Test plan

  • pnpm audit — 8 advisories resolved; 1 low (tmp) remains, unfixable via override (documented above)
  • pnpm test — 76 test files, 1511 tests, all passing

Summary by CodeRabbit

  • Chores
    • Updated yaml dependency to the latest patch version for improved stability and bug fixes.
    • Updated internal build configuration for consistency.

Review Change Stack

Add pnpm.overrides in package.json to force patched versions of
transitive dependencies flagged by npm audit:

- vite >=7.3.2 (path traversal, server.fs.deny bypass, file read)
- rollup >=4.59.0 (arbitrary file write)
- flatted >=3.4.2 (prototype pollution, recursion DoS)
- postcss >=8.5.10 (XSS via malformed CSS)
- yaml >=2.8.3 (stack overflow)
- minimatch >=9.0.7 via @eslint/config-array and typescript-estree (ReDoS)
- picomatch >=4.0.4 via micromatch (method injection, ReDoS)
- brace-expansion >=2.0.3 via minimatch (DoS)

One low-severity advisory remains (tmp <=0.2.3 via external-editor@3)
that requires a major version bump of @inquirer/editor to resolve.

Generated with Claude Code using claude-sonnet-4-6

- Remove @inquirer/editor>tmp override: was a no-op (tmp resolved to
  0.0.33, incompatible with >=0.2.4 across series boundary). The
  advisory remains low-severity and requires @inquirer/editor to drop
  external-editor to fully resolve.
- Update flake.nix pnpm dep hash to match revised pnpm-lock.yaml.

yaml: bump direct dep to ^2.8.3 (was ^2.8.2) and drop the override.
The advisory requires >=2.8.3; since yaml is a direct runtime dependency,
bumping it in `dependencies` propagates the fix to end-users via their
package managers. The override only protected the local dev environment.

picomatch: change scoped override (micromatch>picomatch) to a flat override.
fast-glob depends on picomatch directly in addition to via micromatch, so
the scoped override left a gap. A flat override covers all dep paths without
risk of breakage -- only one picomatch version (4.0.4) exists in the tree.
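The scoped-versus-flat override gap described in the picomatch commit above, modelled as an added example (this is not Fission-AI's code and is not derived from the project's pnpm-lock.yaml). It encodes the pnpm selector rule that a flat key such as "picomatch" rewrites every edge into that package, while a scoped key such as "micromatch>picomatch" rewrites only edges whose direct parent is micromatch, and then reports any consumer a scoped override leaves untouched. The dependency graph, its version ranges, and the direct fast-glob -> picomatch edge are constructed to mirror the shape the commit describes, not read from a real lockfile.

```javascript
// Added example (not Fission-AI's code): model pnpm.overrides selector
// coverage over a dependency graph to find edges a scoped override misses.
// The graph below is constructed for illustration, not parsed from the
// project's pnpm-lock.yaml.

// A selector is either "child" (flat: applies to every edge into child) or
// "parent>child" (scoped: applies only to edges whose direct parent is parent).
// pnpm also accepts "parent@range>child"; the range is dropped here because the
// constructed graph carries no resolved parent versions.
function parseSelector(selector) {
  const parts = selector.split(">").map((s) => s.trim());
  const child = parts.pop();
  const parent = parts.length ? stripVersion(parts.join(">")) : null;
  return { parent, child };
}

// "@scope/name@^1.0.0" -> "@scope/name"; "name@1" -> "name"; "name" -> "name"
function stripVersion(ref) {
  const at = ref.indexOf("@", ref.startsWith("@") ? 1 : 0);
  return at === -1 ? ref : ref.slice(0, at);
}

// Every edge (parent -> child) in a graph shaped like
// { pkgName: { dependencies: { depName: range } } }
function edgesInto(graph, child) {
  const edges = [];
  for (const [parent, node] of Object.entries(graph)) {
    const deps = node.dependencies || {};
    if (child in deps) edges.push({ parent, child, range: deps[child] });
  }
  return edges;
}

// For one override target, split its incoming edges into covered / uncovered.
function coverage(graph, overrides, child) {
  const selectors = Object.keys(overrides)
    .map(parseSelector)
    .filter((s) => s.child === child);
  const covered = [];
  const uncovered = [];
  for (const edge of edgesInto(graph, child)) {
    const hit = selectors.some((s) => s.parent === null || s.parent === edge.parent);
    (hit ? covered : uncovered).push(edge);
  }
  return { covered, uncovered };
}

// Audit every override target: map each package that still has an unrewritten
// edge to the list of parents that reach it outside any selector.
function auditOverrides(graph, overrides) {
  const targets = new Set(Object.keys(overrides).map((s) => parseSelector(s).child));
  const gaps = {};
  for (const child of targets) {
    const { uncovered } = coverage(graph, overrides, child);
    if (uncovered.length) gaps[child] = uncovered.map((e) => e.parent);
  }
  return gaps;
}

// Constructed graph (hypothetical ranges): picomatch is reached both through
// micromatch and directly from fast-glob, as the commit message describes.
const graph = {
  "fast-glob": { dependencies: { micromatch: "^4.0.8", picomatch: "^4.0.2" } },
  micromatch: { dependencies: { picomatch: "^4.0.2" } },
  "@eslint/config-array": { dependencies: { minimatch: "^9.0.5" } },
  "@typescript-eslint/typescript-estree": { dependencies: { minimatch: "^9.0.5" } },
};

// The scoped form from the earlier commit versus the flat form from the later one.
const scopedOverrides = { "micromatch>picomatch": ">=4.0.4" };
const flatOverrides = { picomatch: ">=4.0.4" };

console.log(auditOverrides(graph, scopedOverrides)); // { picomatch: [ 'fast-glob' ] }
console.log(auditOverrides(graph, flatOverrides)); // {}
```

Against a real tree the edge list would come from the lockfile or from `pnpm why <package>` rather than a hand-built object; the selector logic is the part worth keeping, since it is the question a reviewer has to answer before accepting a scoped override: does every path into the vulnerable package pass through the named parent?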
@StevenWolfe StevenWolfe requested a review from TabishB as a code owner May 19, 2026 02:51
coderabbitai Bot commented May 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
📥 Commits

Reviewing files that changed from the base of the PR and between 8498042 and 9834385.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • flake.nix
  • package.json

Walkthrough

This PR updates the yaml npm package to a patch version and recalculates the corresponding Nix derivation cache hash to reflect the modified lockfile state after the dependency upgrade.

Changes

Dependency Update

Layer                          File(s)        Summary
YAML dependency version bump   package.json   The yaml package constraint is updated from ^2.8.2 to ^2.8.3.
Nix PNPM cache hash update     flake.nix      The pkgs.fetchPnpmDeps hash is recalculated to accept the modified lockfile produced by the yaml version change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • TabishB

Poem

A patch for yaml hops on by,
Version numbers reaching for the sky.
The Nix hash updates in kind,
Dependencies and caches aligned.
🐰 ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name: Title check
Status: ⚠️ Warning
Explanation: The PR title mentions 'add pnpm overrides to resolve security vulnerabilities', but the changeset primarily shows a yaml dependency bump (^2.8.2 → ^2.8.3) and a flake.nix hash update, not the addition of pnpm overrides which was the main focus of the PR objectives.
Resolution: Update the title to reflect the actual final changes: 'fix(deps): bump yaml and update lockfile for security patches' or similar, as the overrides work was done but the title should match the final committed changes.
✅ Passed checks (4 passed)
Check name                  Status      Explanation
Description Check           ✅ Passed   Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage          ✅ Passed   No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check         ✅ Passed   Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check  ✅ Passed   Check skipped because no linked issues were found for this pull request.


StevenWolfe commented May 19, 2026

Quick note on the warning: it appears to be a false positive.

The title is accurate. The pnpm.overrides section is the primary change; the yaml bump and flake.nix hash are just consequences of it. Nothing needs to be changed — this is the bot reasoning from incomplete context because the lockfile was excluded.
