fix(deps): address Dependabot security vulnerabilities #761
Merged
Conversation
- Remove `rimraf`, `@types/rimraf`, and `@sentry/typescript` dev deps:
  - Replace `rimraf()` call in `files.ts` with Node 22 built-in `fs.rm()`
  - Update `clean` script to use `rm -rf` directly
  - Inline `@sentry/typescript/tsconfig.json` settings into `tsconfig.build.json` to eliminate the `tslint` transitive dependency tree
- Add `pnpm.overrides` to force patched versions of vulnerable transitive deps:
  - `minimatch >= 10.2.1` (CVE-2026-26996, High, ReDoS — alerts #111-114)
  - `ajv@<6.14.0 → ^6.14.0` (CVE-2025-69873, Medium, ReDoS — alert #110)
- Add `devalue >= 5.6.3` override in `docs/` (GHSA-33hq/8qm3, Low — alerts #108-109)
Documents gotchas discovered during this work:
- pnpm overrides with `>=` can cross major versions (use `^` to constrain)
- pnpm version-range override keys don't force already-compatible resolutions
- `tsconfig.build.json` is now self-contained (no `@sentry/typescript` base)
Contributor
- Add `force: true` to `fs.rm()` to match `rimraf`'s silent-ENOENT behavior and align with the established pattern in test files
- Constrain `minimatch` override to `^10.2.1` (was `>=10.2.1`) to prevent accidental resolution to a future major version with breaking API changes
Same pattern as minimatch/ajv overrides — use ^ not >= to avoid accidentally pulling a future breaking major version.
Contributor
Cursor Bugbot has reviewed your changes and found 2 potential issues.
- Remove orphaned `diff` and `@isaacs/brace-expansion` pnpm overrides: `diff` was only needed by tslint (removed with @sentry/typescript), `@isaacs/brace-expansion` is no longer in the resolved tree since minimatch@10.2.4 uses the unscoped `brace-expansion` package
- Remove off-topic lore entries from AGENTS.md (React useState, TypeScript strict mode, Kubernetes) — generic seed content unrelated to this codebase
Summary

Fixes 7 open Dependabot alerts by eliminating vulnerable transitive dependencies where possible, and using `pnpm.overrides` to force patched versions otherwise.

Changes

Removed legacy dev dependencies (eliminating entire vulnerable sub-trees):
- `@sentry/typescript` — only used for its `tsconfig.json`; dragged in `tslint` → `minimatch 3.x` (CVE-2026-26996). Settings inlined directly into `tsconfig.build.json`.
- `rimraf` + `@types/rimraf` — single call site in `files.ts` replaced with `fs.rm()` (Node 22 built-in); `@types/rimraf` was pulling `@types/glob` → `glob@13` → `minimatch 10.x` (vulnerable).

Added `pnpm.overrides` to force patched transitive deps:
- `"minimatch": ">=10.2.1"` — fixes alerts #111–114 (CVE-2026-26996, High, ReDoS). After removing the above deps, all remaining minimatch consumers are on 10.x, making a blanket override safe.
- `"ajv@<6.14.0": "^6.14.0"` — fixes alert #110 (CVE-2025-69873, Medium, ReDoS). Pulled in by `eslint` → `@eslint/eslintrc`. Using `^6` (not `>=`) to stay within the v6 API boundary that eslint requires.
- `"devalue": ">=5.6.3"` in `docs/package.json` — fixes alerts #108–109 (Low, DoS + prototype pollution via Astro/Starlight transitive dep).

Verification
- `pnpm build`: ✓
- `pnpm lint`: ✓
- `pnpm test`: 884 passing (6 pre-existing e2e failures unrelated to this change — require `EDITOR` env var for git commits)