
fix: resolve 4 open Dependabot security alerts via pnpm overrides#767

Merged
BYK merged 2 commits into master from fix/dependabot-security-alerts
Mar 5, 2026

Conversation


@BYK BYK commented Mar 5, 2026

Fix 3 of 4 open Dependabot alerts (all High severity) by adding pnpm overrides
for transitive dependencies that cannot be directly bumped.

Changes

Root package.json overrides:

  • rollup ^4.59.0 — CVE-2026-27606: arbitrary file write via path traversal (High)

docs/package.json overrides:

  • rollup ^4.59.0 — same CVE as above (High)
  • svgo ^4.0.1 — CVE-2026-29074: Billion Laughs DoS via DOCTYPE entity expansion (High)

Not fixed

  • @tootallnate/once (Low severity, dev-only) — CVE-2026-3449: the fix
    requires a 2.x→3.x major version jump which would break http-proxy-agent@5
    (depended on by teeny-request, used by @google-cloud/storage). Even
    teeny-request@10 still pins http-proxy-agent@^5, so there is no safe
    override. This needs an upstream fix.

Why overrides?

All vulnerabilities are in transitive dependencies where the direct parents
haven't released patches yet:

  • rollup: pulled in by vite (via vitest in root, astro in docs)
  • svgo: pulled in by astro

This follows the existing pattern already used in this repo for fast-xml-parser,
minimatch, ajv, h3, and devalue.

Fix all 4 open Dependabot alerts by adding pnpm overrides for transitive
dependencies that cannot be directly bumped:

Root package.json:
- rollup >=4.59.0 (was 4.54.0) — CVE-2026-27606: arbitrary file write
  via path traversal (High)
- @tootallnate/once >=3.0.1 (was 2.0.0) — CVE-2026-3449: promise hangs
  indefinitely after AbortSignal abort (Low)

docs/package.json:
- rollup >=4.59.0 (was 4.54.0) — same CVE as above (High)
- svgo >=4.0.1 (was 4.0.0) — CVE-2026-29074: DoS through entity
  expansion in DOCTYPE / Billion Laughs attack (High)

All overrides follow the existing pattern already used for fast-xml-parser,
minimatch, ajv, h3, and devalue in this repo.
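As an added example (not code from this PR or the repository): a small Node script that checks a package.json's pnpm overrides the way the BugBot feedback in this PR suggests, flagging `>=` ranges that could cross a major version and floors that sit below the advisory's patched version. The sample package.json and the patched-version map are constructed from the versions quoted above.

```javascript
// Lint pnpm overrides (added example, not the project's own tooling):
//  (a) a caret range (^x.y.z) stays inside one major version, while ">=x.y.z"
//      lets the override cross into the next major and break dependents;
//  (b) the override's floor must be at or above the advisory's patched version.
// Constructed input mirroring the docs/package.json overrides from this PR,
// with svgo deliberately left on the ">=" form that the review asked to change.
const SAMPLE_PACKAGE_JSON = {
  name: "docs",
  pnpm: {
    overrides: {
      rollup: "^4.59.0", // CVE-2026-27606 fixed in 4.59.0
      svgo: ">=4.0.1",   // CVE-2026-29074 fixed in 4.0.1, but ">=" may cross a major
    },
  },
};

// Minimum patched version per package, taken from the advisory text (constructed map).
const PATCHED_VERSIONS = {
  rollup: "4.59.0",
  svgo: "4.0.1",
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (major, minor, patch only).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns a list of findings; an empty list means every override is acceptable.
function lintOverrides(pkg, patched) {
  const findings = [];
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  for (const [name, range] of Object.entries(overrides)) {
    const m = /^(\^|>=)\s*(\d+\.\d+\.\d+)$/.exec(range);
    if (!m) { findings.push(`${name}: unsupported range "${range}"`); continue; }
    const [, op, floor] = m;
    if (op === ">=") findings.push(`${name}: ">=" range can cross a major version; use "^${floor}"`);
    if (patched[name] && compareVersions(floor, patched[name]) < 0)
      findings.push(`${name}: floor ${floor} is below patched version ${patched[name]}`);
  }
  return findings;
}

console.log(lintOverrides(SAMPLE_PACKAGE_JSON, PATCHED_VERSIONS));
```

The sample run reports only the svgo override; switching it to `^4.0.1` (as the merged change did) yields no findings.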

github-actions bot commented Mar 5, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-03-05 12:56 UTC

@BYK BYK marked this pull request as ready for review March 5, 2026 12:40
Address BugBot review feedback:
- Use ^ instead of >= for rollup and svgo overrides to prevent
  accidental major version crossings (matches repo convention)
- Drop @tootallnate/once override entirely since it forces an
  incompatible 2.x→3.x major version on http-proxy-agent@5.
  This was a low-severity dev-only alert — not worth the risk.

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

@BYK BYK merged commit c984873 into master Mar 5, 2026
19 checks passed
@BYK BYK deleted the fix/dependabot-security-alerts branch March 5, 2026 12:55