build(deps): fix audit vulnerabilities via bumps and overrides #625
Merged
Pull request overview
Updates the monorepo’s Node.js dependency set to address audit-reported vulnerabilities by bumping key direct dependencies, adding/retaining a small set of transitive pnpm overrides, and aligning Dependabot grouping so these security-related packages update together.
Changes:
- Bump Vitest (and related @vitest/*) to 4.1.8 and exempt Vitest from the minimum release age gate for faster security response.
- Bump Turbo tooling and Testcontainers to newer major/minor versions.
- Add/adjust Dependabot groups (Vitest, Playwright, T3 env) and broaden Tailwind group patterns; add security-focused pnpm overrides for selected transitive dependencies.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Updates Vitest catalog versions, excludes Vitest from release-age gating, and adds transitive security overrides. |
| package.json | Bumps root dev tooling versions (Turbo, Vitest). |
| apps/web/package.json | Bumps testcontainers major version used by web app test setup. |
| .github/dependabot.yml | Adds new dependency update groups and broadens Tailwind patterns to improve update hygiene. |
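The review table above names three pnpm-workspace.yaml settings this PR touches: the Vitest catalog entries, the release-age exclusion, and the transitive overrides. The fragment below is an added example of how those settings fit together in one file; it is not the PR's actual pnpm-workspace.yaml. Package names and versions repeat values quoted on this page where they can, the `packages` globs and the `@vitest/coverage-v8` catalog entry are assumed, and the scoped `chevrotain>lodash` override is shown only as the alternative to the graph-wide `lodash@4` form the PR uses.

```yaml
# Added example, not the project's file. Shows the pnpm-workspace.yaml settings
# the review refers to; 'packages' globs and the coverage entry are assumptions.
packages:
  - 'apps/*'
  - 'packages/*'

# Shared version catalog: workspace package.json files declare "vitest": "catalog:"
# so a single bump here moves every consumer of the vitest family at once.
catalog:
  vitest: 4.1.8
  '@vitest/ui': 4.1.8
  '@vitest/coverage-v8': 4.1.8   # assumed member of the family, not quoted on the page

# Release-age gate, in minutes: refuse versions published less than 24h ago.
# This blunts hijacked-maintainer releases but also delays security patches.
minimumReleaseAge: 1440
# Packages whose security fixes must install immediately bypass the gate.
minimumReleaseAgeExclude:
  - vitest
  - '@vitest/*'

overrides:
  # Graph-wide form (what the PR uses): every lodash@4 edge in the lockfile,
  # not only chevrotain's, resolves to >=4.17.24 <5.
  'lodash@4': '^4.17.24'
  # Scoped form (illustrative alternative): only chevrotain's lodash edge is
  # rewritten; other consumers keep resolving their own ranges.
  'chevrotain>lodash': '^4.17.24'
  # The caret keeps the fix inside the major the parent was tested against;
  # a bare '8.5.10' would freeze future patch releases and recreate the problem.
  'postcss@8': '^8.5.10'
```

The two lodash entries would not normally coexist; they are side by side here to show the trade-off. The graph-wide selector is shorter and covers packages you have not yet noticed, while the scoped selector limits the blast radius when a parent is known to misbehave on a newer version.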
Comment on lines +123 to +124:

```yaml
# Pinned by chevrotain (prisma-kysely -> @mrleebo/prisma-ast) to lodash 4.17.21:
'lodash@4': '^4.17.24'
```
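Review bot: the `lodash@4` selector rewrites every lodash 4.x edge in the graph, not only the one chevrotain@10.5.0 pins to 4.17.21, so either the comment should say the graph-wide effect is intended or the override should be scoped with pnpm's parent selector (`'chevrotain>lodash': '^4.17.24'`) so unrelated consumers keep resolving normally. Also record when it can be dropped (chevrotain or @mrleebo/prisma-ast releasing a version without the hard pin); overrides that outlive their reason keep silently rewriting future ranges.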
Comment on lines +125 to +126:

```yaml
# Pinned by next@16.2.7 which still ships postcss 8.4.31:
'postcss@8': '^8.5.10'
```
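Review bot: the comment gives next@16.2.7 as the reason, but the override is keyed on `postcss@8` and lifts every 8.x consumer to at least 8.5.10, not only Next's copy; scope it (`'next>postcss': '^8.5.10'`) or state that the graph-wide effect is intended. Flag it for removal once Next lists a patched postcss itself, since at that point the entry becomes dead config that still overrides whatever range future releases declare.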
Resolves all `pnpm audit` and `trivy` findings (3 critical, 27 high, 32 moderate, 7 low) by combining direct dependency bumps with a small set of caret-bounded transitive overrides.

Direct bumps

- turbo / @turbo/gen 2.6.1 → 2.9.16: the new release drops node-plop, inquirer, ts-node and handlebars entirely, eliminating the tmp / diff / ip-address / handlebars / minimatch@3/@9 / brace-expansion@1/@2 vulnerability chains in one move.
- testcontainers 11.11.0 → 12.0.1: pulls dockerode@5 (drops the uuid dependency) and tightens tmp / undici / archiver to patched ranges, eliminating uuid / undici / tmp / protobufjs / @protobufjs/utf8 / minimatch@5 chains.
- vitest family 4.0.8 → 4.1.8 (catalog): patches the critical Vitest UI server CVE (GHSA-5xrq-8626-4rwp). Added vitest and @vitest/* to minimumReleaseAgeExclude so future security bumps are not blocked by the 24h release-age gate.

Overrides retained (7, all ^-bounded to the parent's major)

- @hono/node-server@1, ajv@8, defu@6, effect@3, hono@4: pinned by prisma@7.8.0's bundled @prisma/dev / @prisma/config / @prisma/streams-local.
- lodash@4: chevrotain@10.5.0 hard-pins 4.17.21 (via prisma-kysely → @mrleebo/prisma-ast).
- postcss@8: next@16.2.7 still ships postcss@8.4.31.

Naturally resolved by the bumps above, no override needed: ws, yaml, fast-uri, qs, path-to-regexp, brace-expansion@5.

Dependabot

Added vitest, playwright, t3-env groups to mirror the existing catalogs; broadened tailwindcss from @tailwindcss/postcss to @tailwindcss/* so @tailwindcss/vite groups with it.

Verification

- `pnpm audit` → No known vulnerabilities found
- `trivy fs --scanners vuln --include-dev-deps` → 0 vulnerabilities
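The Verification list above records a one-off manual run of the two scanners. The script below is an added example, not part of the PR or the project, of turning those two commands into a CI gate that fails on any finding at or above a chosen severity. It assumes `pnpm audit --json` emits the npm-v6-style audit document with per-severity counts under `metadata.vulnerabilities`, and that `trivy fs --format json` emits `Results[].Vulnerabilities[].Severity`; both shapes are assumptions about the tools' output, and every document below is a constructed sample (the "before" counts are the ones the description quotes), not real scanner output.

```python
"""Added example (not the project's code): merge pnpm audit and trivy JSON
results and fail CI when anything at or above a severity threshold remains.
Assumed output shapes: pnpm audit --json -> metadata.vulnerabilities counts
(npm-v6 style); trivy --format json -> Results[].Vulnerabilities[].Severity.
All sample documents are constructed, not captured from real runs."""
import json
import sys
from collections import Counter

# Ordered from most to least severe; the gate blocks on a prefix of this tuple.
SEVERITIES = ("critical", "high", "moderate", "low")
# trivy uses its own labels; normalise them onto the npm/pnpm vocabulary.
TRIVY_TO_NPM = {"CRITICAL": "critical", "HIGH": "high", "MEDIUM": "moderate", "LOW": "low"}


def count_pnpm_audit(doc):
    """Per-severity counts from a pnpm audit --json document (assumed npm-v6 shape)."""
    vulns = doc.get("metadata", {}).get("vulnerabilities", {})
    return Counter({s: int(vulns.get(s, 0)) for s in SEVERITIES})


def count_trivy(doc):
    """Per-severity counts from a trivy JSON document; unmapped labels become 'unknown'."""
    counts = Counter()
    for result in doc.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            label = str(vuln.get("Severity", "")).upper()
            counts[TRIVY_TO_NPM.get(label, "unknown")] += 1
    return counts


def gate(pnpm_doc, trivy_doc, fail_at="low"):
    """Merge both scanners. Returns (ok, merged_counts).

    fail_at is the least severe level that still blocks; 'low' (the default)
    blocks on anything, matching the PR's goal of a clean report. Findings
    with an unrecognised severity always block: an unparseable label must not
    slip through as a pass.
    """
    merged = count_pnpm_audit(pnpm_doc) + count_trivy(trivy_doc)
    blocking = SEVERITIES[: SEVERITIES.index(fail_at) + 1]
    ok = all(merged.get(s, 0) == 0 for s in blocking) and merged.get("unknown", 0) == 0
    return ok, dict(merged)


def load(path):
    """Read one scanner's JSON output from disk (used when run in CI)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed samples. "Before" mirrors the counts quoted in the PR description;
# "after" mirrors the clean state the Verification section reports.
PNPM_BEFORE = {"metadata": {"vulnerabilities": {"info": 0, "low": 7, "moderate": 32,
                                                "high": 27, "critical": 3}}}
PNPM_AFTER = {"metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0,
                                               "high": 0, "critical": 0}}}
TRIVY_BEFORE = {"SchemaVersion": 2, "Results": [{"Target": "pnpm-lock.yaml", "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-pkg", "Severity": "HIGH"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-pkg", "Severity": "LOW"},
]}]}
TRIVY_AFTER = {"SchemaVersion": 2, "Results": [{"Target": "pnpm-lock.yaml", "Vulnerabilities": None}]}

if __name__ == "__main__":
    # Usage in CI: python gate.py pnpm-audit.json trivy.json [fail_at]
    if len(sys.argv) >= 3:
        pnpm_doc, trivy_doc = load(sys.argv[1]), load(sys.argv[2])
        threshold = sys.argv[3] if len(sys.argv) > 3 else "low"
    else:
        pnpm_doc, trivy_doc, threshold = PNPM_AFTER, TRIVY_AFTER, "low"
    ok, counts = gate(pnpm_doc, trivy_doc, threshold)
    print("PASS" if ok else "FAIL", counts)
    sys.exit(0 if ok else 1)
```

Running both scanners through one gate matters because they overlap only partly: pnpm audit reads the registry's advisory feed for the lockfile, while trivy applies its own database and, with `--include-dev-deps`, covers the dev tree that a production-only audit would skip. Counting "unknown" severities as blocking is deliberate; a scanner version that renames a label should fail loudly rather than pass silently.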