fix: patch transitive dep CVEs (same-major overrides)#49
Conversation
Adds pnpm overrides for vulnerable transitive deps (esbuild, grpc-js, etc.) to their nearest patched same-major release. Cleared/reduced trivy HIGH/CRIT findings; no major bumps.
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Warning Review limit reached
More reviews will be available in 59 minutes and 15 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates pnpm overrides (and the generated lockfile) to mitigate CVEs in transitive dependencies by forcing resolution to patched versions without introducing major-version upgrades.
Changes:
- Tighten the
esbuildoverride to^0.28.1and propagate the resolved version across the dependency graph. - Add an override for
fast-urito^3.1.2(pulled in viaajv) and update the lockfile accordingly.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updates pnpm.overrides to enforce patched versions for esbuild and fast-uri. |
| pnpm-lock.yaml | Regenerates lockfile entries to reflect the new overrides and resolved versions. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🧪 E2E Test Results📝 Commit: 📊 SummaryStatus: ❌ FAILED Pass Rate: 25.0% (1/4) 📋 Test Results
Generated by Debugg AI 🤖 |
|
Superseded: CVE overrides re-applied directly on current main. |
pnpm overrides pinning vulnerable transitive deps to nearest patched same-major version. trivy HIGH/CRIT reduced. No major bumps. Auto-generated security sweep.