
build(deps): pin patched transitive dependency versions#36

Merged
dev-jodee merged 1 commit into main from fix/dependabot-transitive-remediation
Mar 27, 2026

Conversation

@dev-jodee
Collaborator

Summary

  • add targeted pnpm.overrides for vulnerable transitive packages (ajv, minimatch, flatted, lodash, h3, socket.io-parser, picomatch)
  • include additional lockfile hardening for handlebars and brace-expansion
  • regenerate pnpm-lock.yaml with patched resolutions and update Cargo.lock to quinn-proto 0.11.14

Test Plan

  • run pnpm install --lockfile-only
  • run pnpm audit --json (now only elliptic remains, with no upstream patched release)
  • run cargo update -p quinn-proto --precise 0.11.14
  • run cargo tree -i quinn-proto -p tests-escrow-program to verify resolved version
  • run cargo check -p tests-escrow-program (fails due to missing generated clients/rust/src/generated/* modules in repo setup, unrelated to this change)

Breaking Changes

  • none

Add pnpm overrides for vulnerable transitive npm packages and regenerate
lockfile resolution to patched versions.

Also update Cargo.lock to quinn-proto 0.11.14 to address the
open Rust Dependabot advisory path.

Validation included pnpm audit (remaining: elliptic with no upstream
patched version) and lockfile/version verification.
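The test plan's manual check that only elliptic remains in `pnpm audit --json` can be made a repeatable gate that fails CI on any new finding and also flags an allowlisted package once upstream ships a fix. This is an added example, not code from this repository; it assumes the npm-style advisory JSON that `pnpm audit --json` emits (an "advisories" object keyed by id, each with module_name, severity and patched_versions) and feeds it a constructed sample report.

```python
import json
import sys

# Packages tolerated in the audit because upstream has no patched release yet.
# The PR text names elliptic as the only such finding; keep this list short.
ALLOWED_UNPATCHED = {"elliptic"}

def triage_audit(audit_json, allowlist=ALLOWED_UNPATCHED):
    """Split a `pnpm audit --json` report into (blocking, tolerated, stale).

    Assumes the npm-style shape: a top-level "advisories" object keyed by id,
    each with module_name, severity and patched_versions ("<0.0.0" = no fix).
    'stale' holds allowlisted packages that now have a fixed range, so the
    exception has expired and an override or bump is due.
    """
    report = json.loads(audit_json)
    blocking, tolerated, stale = [], [], []
    for adv_id, adv in report.get("advisories", {}).items():
        entry = {"id": adv_id, "module": adv["module_name"],
                 "severity": adv.get("severity", "unknown"),
                 "patched_versions": adv.get("patched_versions", "<0.0.0")}
        if entry["module"] not in allowlist:
            blocking.append(entry)
        elif entry["patched_versions"] != "<0.0.0":
            stale.append(entry)
        else:
            tolerated.append(entry)
    return blocking, tolerated, stale

# Constructed sample report (not real pnpm output): one finding with no fix
# available and one for a package that an override should already have fixed.
SAMPLE_REPORT = json.dumps({"advisories": {
    "1001": {"module_name": "elliptic", "severity": "moderate",
             "patched_versions": "<0.0.0", "findings": [{"version": "6.5.4"}]},
    "1002": {"module_name": "minimatch", "severity": "high",
             "patched_versions": ">=3.0.5", "findings": [{"version": "3.0.4"}]},
}})

def main():
    # Usage: pnpm audit --json | python audit_gate.py ; non-zero exit blocks CI.
    blocking, tolerated, stale = triage_audit(sys.stdin.read())
    for label, rows in (("BLOCKING", blocking), ("STALE EXCEPTION", stale)):
        for e in rows:
            print(f"{label}: {e['module']} ({e['severity']}) advisory {e['id']}, "
                  f"patched in {e['patched_versions']}")
    print("tolerated (no upstream fix):", [e["module"] for e in tolerated])
    sys.exit(1 if blocking or stale else 0)

if __name__ == "__main__":
    main()
```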
@dev-jodee dev-jodee requested a review from amilz March 27, 2026 15:41
@dev-jodee dev-jodee merged commit 2a22bc8 into main Mar 27, 2026
6 checks passed
@dev-jodee dev-jodee deleted the fix/dependabot-transitive-remediation branch March 27, 2026 17:07