fix(deps): apply 4 security advisories via pnpm overrides (TIM-16)#152
Conversation
The parent dependency audit (TIM-15) identified five advisories across four transitive dependencies. Add pnpm overrides to clear them all and keep 'pnpm audit --audit-level=high' green: - esbuild >=0.28.1 — fixes GHSA-gv7w-rqvm-qjhr (high; RCE via NPM_CONFIG_REGISTRY in the Deno module) and GHSA-g7r4-m6w7-qqqr (low; arbitrary file read on Windows dev server). esbuild is pulled in transitively by vite. - form-data >=4.0.6 — fixes GHSA-hmw2-7cc7-3qxx (high; CRLF injection in multipart field names and filenames). Pulled in transitively by @vscode/vsce. - js-yaml >=4.2.0 — fixes GHSA-h67p-54hq-rp68 (moderate; quadratic- complexity DoS in merge key handling via repeated aliases). Pulled in transitively by @vscode/vsce > @secretlint/node > @secretlint/ config-loader > rc-config-loader. - @babel/core >=7.29.6 — fixes GHSA-4x5r-pxfx-6jf8 (low; arbitrary file read via sourceMappingURL comment). Pulled in transitively by @vitejs/plugin-react. All four are build-time / tooling-only dependencies with no runtime exposure, so pnpm overrides (not direct bumps) are the right tool — they pin every transitive path without churning package.json or risking a major-version regression. Pattern matches the previous overrides-driven fixes in PR #150 and PR #144. Scope note: vite 7->8, typescript 5->6, and webpack-cli 6->7 major bumps remain tracked separately per the parent issue. Verification: - pnpm audit --audit-level=high: 0 advisories (was 2 high). - pnpm audit: 0 advisories (was 2 low, 1 moderate, 2 high). - pnpm test: 201/201 pass (15 files, fast-check fuzz included). - pnpm lint: clean. - pnpm run compile: tsc clean. - pnpm run webpack: production bundle builds successfully (media/main.css regenerated by Tailwind purge; no semantic change).
|
Warning Review limit reached
More reviews will be available in 40 minutes and 16 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
No React Doctor issues found. 🎉 Reviewed by React Doctor for commit |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #152 +/- ##
=======================================
Coverage 94.13% 94.13%
=======================================
Files 10 10
Lines 290 290
Branches 105 105
=======================================
Hits 273 273
Misses 1 1
Partials 16 16 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
🎉 This PR is included in version 1.2.46 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
1 participant
Summary
Resolves TIM-16 by applying the 4 advisory bumps (covering 5 GHSAs) called out in the parent dependency audit (TIM-15). All four are transitive dependencies with no runtime exposure, so pnpm overrides — not direct dep bumps — are the right tool.
esbuildoverride >=0.28.1form-dataoverride >=4.0.6js-yamloverride >=4.2.0@babel/coreoverride >=7.29.6Why pnpm overrides, not direct dep bumps
All four packages are transitive:
vite(pinning esbuild at 0.27.3 in vite 7.3.5). The vulnerable code path is the Deno entry point of esbuild, which the extension build never touches; the Node.js path used by vite is unchanged in 0.28.1, so the override is safe and avoids waiting for a vite upstream release.@vscode/vsce, used only at publish time to talk to the VSCode Marketplace. It never builds multipart bodies from untrusted input, so the CRLF-injection path is unreachable. Override forces the patched version without waiting for a vsce release.@vscode/vsce > @secretlint/node > @secretlint/config-loader > rc-config-loader. The patched 4.2.0 line is API-compatible.@vitejs/plugin-react. The patched 7.29.6 line is API-compatible; esbuild (also a transitive of vite) already pins>=7.29.0, so 7.29.7 fits cleanly.None of the four reach the extension runtime — the extension bundles only
@actions/workflow-parser, the@codemirror/*packages,@xyflow/react,react,react-dom,react-icons, andyaml(the maintained fork, notjs-yaml). The overrides only affect build/test/publish tooling.Pattern mirrors the previous overrides-driven fixes in PR #150 (TIM-14) and the in-flight PR #151 (now closed as superseded by this one — same
esbuildandform-dataoverrides plus the two new ones below).Verification
pnpm audit --audit-level=high: exit 0, 0 advisories (was 2 high).pnpm audit(full): 0 advisories (was 2 low + 1 moderate + 2 high).pnpm test: 201/201 pass (15 files, fast-check property-based fuzz included).pnpm lint: clean.pnpm run compile: tsc clean.pnpm run webpack: production bundle builds successfully. (media/main.cssregenerated by Tailwind purge as a side effect of the lockfile change; no semantic change.)Scope note
The
vite7→8,typescript5→6, andwebpack-cli6→7 major bumps called out in TIM-15 are tracked separately per the parent issue and are not addressed here.Closes TIM-16.