fix(security): add yarn resolutions for transitive dependency vulnerabilities#2881
Merged
enoch85 merged 1 commit intoMay 12, 2026
Conversation
maintainerr-automation Bot
added a commit
that referenced
this pull request
May 12, 2026
* build(deps): bump the react group with 2 updates (#2871) Bumps the react group with 2 updates: [react](https://github.com/facebook/react/tree/HEAD/packages/react) and [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom). Updates `react` from 19.2.5 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react) Updates `react-dom` from 19.2.5 to 19.2.6 - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom) --- updated-dependencies: - dependency-name: react dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: react - dependency-name: react-dom dependency-version: 19.2.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: react ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump @tanstack/react-query from 5.100.6 to 5.100.10 (#2872) Bumps [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) from 5.100.6 to 5.100.10. - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/HEAD/packages/react-query) --- updated-dependencies: - dependency-name: "@tanstack/react-query" dependency-version: 5.100.10 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump react-konva from 19.2.3 to 19.2.4 (#2873) Bumps [react-konva](https://github.com/konvajs/react-konva) from 19.2.3 to 19.2.4. - [Release notes](https://github.com/konvajs/react-konva/releases) - [Commits](konvajs/react-konva@v19.2.3...v19.2.4) --- updated-dependencies: - dependency-name: react-konva dependency-version: 19.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump yaml from 2.8.4 to 2.9.0 (#2874) Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.4 to 2.9.0. - [Release notes](https://github.com/eemeli/yaml/releases) - [Commits](eemeli/yaml@v2.8.4...v2.9.0) --- updated-dependencies: - dependency-name: yaml dependency-version: 2.9.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps): bump typeorm from 0.3.28 to 0.3.29 (#2875) Bumps [typeorm](https://github.com/typeorm/typeorm) from 0.3.28 to 0.3.29. - [Release notes](https://github.com/typeorm/typeorm/releases) - [Changelog](https://github.com/typeorm/typeorm/blob/0.3.29/CHANGELOG.md) - [Commits](typeorm/typeorm@0.3.28...0.3.29) --- updated-dependencies: - dependency-name: typeorm dependency-version: 0.3.29 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * build(deps-dev): bump vitest from 4.1.5 to 4.1.6 (#2876) Bumps [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) from 4.1.5 to 4.1.6. - [Release notes](https://github.com/vitest-dev/vitest/releases) - [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.6/packages/vitest) --- updated-dependencies: - dependency-name: vitest dependency-version: 4.1.6 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(security): add yarn resolutions for transitive dependency vulnerabilities (#2881) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(ci): add environment gate to close TOCTOU in release_pr workflow (#2879) * fix(ci): add environment gate to close TOCTOU in release_pr workflow * fix(ci): add missing newline at end of release_pr.yml * fix(ui): clarify custom-collection terminology and warn on disable (#2882) * fix(rules,jellyfin): close collection add/remove loop (#2554, #1446) (#2870) * fix(rules,jellyfin): close collection add/remove loop from BoxSet hiding and transient getter failures Jellyfin libraries with "Group films into collections" hide BoxSet members from library listings unless `collapseBoxSetItems: false` is set, which made Maintainerr-managed BoxSets flip movies in and out of rule results between runs (#2554). Plex/Seerr getters return `undefined` on transport failure (documented contract, distinct from `null` definitive absence) and the removal loop treated the resulting drop-out as a confirmed mismatch, restarting the deleteAfterDays countdown on every blip (#1446). Apply a shared library-query default in the Jellyfin adapter, and gate rule-driven removal on a strict-`undefined` transient-failure set tracked inside the comparator and unioned across executor chunks. Also tighten unary EXISTS/NOT_EXISTS so a transient `undefined` does not resolve to `!hasExistsValue(undefined) === true` and spuriously add items. Closes #2554 Closes #1446 * refactor(rules): tighten transient-failure gate in executor Switch transientFailureMediaIds to a field initializer, replace the info-level preserved-removal log with a debug breadcrumb that notes the retry on the next pass, and consolidate the removal-gate loop behind a single continue-driven path. Comparator return shape and strict-undefined semantics are unchanged; the unary EXISTS regression remains pinned by the existing NOT_EXISTS tests. * chore(ci,tools): add one-off Fider mirror for enhancement issues Mirrors open `label:enhancement` issues (excluding CODEOWNER-authored ones) to the Fider feature board, then closes the source issue with a link to the new post. Manual workflow_dispatch only, dry-run by default. Delete both files once the migration is run. * chore(tools): warmer closing comment, drop not_planned reason These are real feature requests being routed to Fider, not declined — let GitHub close them with no state_reason and use a friendlier comment that explains where the conversation continues. * chore(ci): convert Fider enhancement mirror to weekly job Renames the one-off mirror to "Fider - Move enhancements", schedules it weekly (Sun 06:00 UTC, matches fider-invite-codeowners), and switches from GITHUB_TOKEN to the maintainerr-automation App token via MERGE_APP so closing comments are attributed to the bot identity used by the release and docs-drift workflows. * fix(plex): improve error message when library section ID is invalid (#2883) * fix(ci): add explicit token permissions to fider move job CodeQL flagged the move job for not limiting GITHUB_TOKEN permissions. Write operations use a GitHub App token, so the default token only needs contents: read for checkout. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: maintainerr-automation[bot] <261505141+maintainerr-automation[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anders Eriksson <36226327+blixten85@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: enoch85 <mailto@danielhansson.nu>
Contributor
|
🎉 This PR is included in version 3.11.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
doonga
pushed a commit
to greyrock-labs/home-ops
that referenced
this pull request
May 13, 2026
…11.1 ) (#29) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/maintainerr/maintainerr](https://github.com/Maintainerr/Maintainerr) | minor | `3.10.1` → `3.11.1` | --- ### Release Notes <details> <summary>Maintainerr/Maintainerr (ghcr.io/maintainerr/maintainerr)</summary> ### [`v3.11.1`](https://github.com/Maintainerr/Maintainerr/blob/HEAD/CHANGELOG.md#3111-2026-05-12) [Compare Source](Maintainerr/Maintainerr@v3.11.0...v3.11.1) #### Highlights - Fixed an issue where Jellyfin libraries with "Group films into collections" enabled caused BoxSet members to incorrectly toggle in and out of rule results ([#​2870](Maintainerr/Maintainerr#2870)). - Improved error message for invalid Plex library section IDs to better guide users in resolving configuration issues ([#​2883](Maintainerr/Maintainerr#2883)). - Enhanced custom collection UX by renaming tags for clarity and adding tooltips to explain collection handling options ([#​2882](Maintainerr/Maintainerr#2882)). #### Fixes - Validated Jellyfin IDs before refresh to prevent errors ([#​2853](Maintainerr/Maintainerr#2853)). - Improved error message when Plex library section ID is invalid ([#​2883](Maintainerr/Maintainerr#2883)). - Resolved Jellyfin collection add/remove loop for BoxSet items ([#​2870](Maintainerr/Maintainerr#2870)). - Clarified custom collection terminology and added warnings for disabling collection handling ([#​2882](Maintainerr/Maintainerr#2882)). - Added explicit token permissions to the Fider move job to address CodeQL findings. - Added environment gate to mitigate TOCTOU vulnerability in the release\_pr workflow ([#​2879](Maintainerr/Maintainerr#2879)). - Addressed transitive dependency vulnerabilities by adding Yarn resolutions for specific packages ([#​2881](Maintainerr/Maintainerr#2881)). #### Dependencies - Updated 10 dependencies, including notable packages: vite, typeorm, and [@​typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/eslint-plugin). #### New Contributors - [@​blixten85](https://github.com/blixten85) made their first contribution in [#​2881](Maintainerr/Maintainerr#2881) ### [`v3.11.0`](https://github.com/Maintainerr/Maintainerr/blob/HEAD/CHANGELOG.md#3110-2026-05-11) [Compare Source](Maintainerr/Maintainerr@v3.10.2...v3.11.0) #### Highlights - Added support for force-processing overlays and gated reset operations against concurrent processing runs ([#​2827](Maintainerr/Maintainerr#2827)). - Improved collection sorting: collections now apply sort order on save and synchronize with the media server ([#​2860](Maintainerr/Maintainerr#2860)). - Enhanced storage metrics: potential reclaimable storage is now split into movie, show, season, and episode panels ([#​2854](Maintainerr/Maintainerr#2854)). #### Breaking Changes - None. #### Features - Added force-processing support for overlay operations and gated reset operations against concurrent processing runs ([#​2827](Maintainerr/Maintainerr#2827)). - Improved storage metrics by splitting potential reclaimable storage into movie, show, season, and episode panels ([#​2854](Maintainerr/Maintainerr#2854)). #### Fixes - Fixed collection sorting to apply on save and synchronize with the media server ([#​2860](Maintainerr/Maintainerr#2860)). - Resolved issue where excluding a single episode incorrectly excluded all episodes of the same show ([#​2867](Maintainerr/Maintainerr#2867)). - Fixed storage metrics to merge shared volumes across hosts when byte-exact ([#​2852](Maintainerr/Maintainerr#2852)). - Fixed Jellyfin retry ID check to align with pre-filter logic ([#​2853](Maintainerr/Maintainerr#2853)). - Addressed issue where reclaimed bytes were not credited when `sizeBytes` was not yet cached ([#​2855](Maintainerr/Maintainerr#2855)). #### Performance - None. #### Database migrations - Added a new `mediaServerSort` column to the `collection` table to support media server-specific sorting. #### Internal - Added typed TanStack Query test helpers and migrated UI spec mocks to use typed builders ([#​2863](Maintainerr/Maintainerr#2863)). - Added an architecture overview document detailing the monorepo structure, runtime flow, and core components ([#​2817](Maintainerr/Maintainerr#2817)). #### Dependencies - Updated 5 dependencies, including notable updates to TypeScript and typescript-eslint. ### [`v3.10.2`](https://github.com/Maintainerr/Maintainerr/blob/HEAD/CHANGELOG.md#3102-2026-05-08) [Compare Source](Maintainerr/Maintainerr@v3.10.1...v3.10.2) #### Highlights - Fixed incorrect version comparison logic that caused update notifications to fail for multi-digit version segments ([#​2838](Maintainerr/Maintainerr#2838)). - Improved storage metrics by deduplicating reclaimable bytes and adding per-type cleanup byte counters ([#​2833](Maintainerr/Maintainerr#2833)). </details> --- ### Configuration 📅 **Schedule**: (in timezone America/New_York) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNjAuNyIsInVwZGF0ZWRJblZlciI6IjQzLjE2MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL21pbm9yIl19--> Reviewed-on: https://git.greyrock.io/greyrock-labs/home-ops/pulls/29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Several transitive dependencies are pinned to vulnerable versions by packages with exact version constraints that cannot be updated directly.
_.template_.templateFix
Adds yarn
resolutionsto rootpackage.jsonto force patched minimum versions regardless of what parent packages request. Regeneratesyarn.lockwithyarn install --mode=update-lockfile.Not fixed here (require major version bumps)