security: add transitive vulnerability overrides#7742
Draft
wtfiwtz wants to merge 1 commit into
Draft
Conversation
Add pnpm overrides for transitive dependencies to address multiple security vulnerabilities throughout the dependency tree. Changes: - package.json: Add comprehensive pnpm.overrides for transitive deps: * cookie ^0.7.2 * tough-cookie ^4.1.3 * qs ^6.15.2 * tar ^7.5.11, tar-fs ^3.1.1 * serialize-javascript ^7.0.5 * nth-check ^2.0.1 * js-yaml ^4.1.1 * tmp ^0.2.6 * bn.js ^5.2.3 * ip-address ^10.1.1 * protocol-buffers-schema ^3.6.1 * path-to-regexp@0.1.12 → 0.1.13 * fast-uri ^3.1.2 * postcss ^8.5.10, autoprefixer ^10.4.20 * form-data ^4.0.5, basic-ftp ^5.3.0 * flatted ^3.4.2, follow-redirects ^1.16.0 - Regenerate pnpm-lock.yaml CVEs Addressed: - CVE-2026-6321, CVE-2026-6322: fast-uri vulnerabilities - CVE-2026-41305, CVE-2023-44270: postcss vulnerabilities - Multiple transitive dependency CVEs across cookie handling, path parsing, YAML parsing, compression, serialization, and network request libraries Note: Glob pattern matching overrides (minimatch, picomatch, micromatch, braces) were excluded due to compatibility issues with Babel traverse. These packages will be addressed through direct dependency upgrades in consuming packages. Test Results: - Frontend tests: ✓ All 15 test suites passed (90 tests) - TypeScript compilation: ✓ Type checking passed Co-authored-by: Cursor <cursoragent@cursor.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add pnpm overrides for transitive dependencies to address multiple security vulnerabilities throughout the dependency tree.
Changes
Add comprehensive
pnpm.overridestopackage.jsonfor transitive dependencies:Network & HTTP
Compression & Serialization
Parsers & Utilities
Build Tools
CVEs Addressed
Specific CVE IDs vary by nested package depth and consuming packages, but these overrides force secure versions throughout the entire dependency tree.
Notes
Glob pattern matching overrides excluded: The overrides for
minimatch,picomatch,micromatch, andbraceswere excluded from this PR due to compatibility issues with Babel traverse that caused test failures. These packages will be addressed through direct dependency upgrades in consuming packages or in future PRs when compatibility improves.Test Results
Related PRs
Part of the frontend security upgrade series split from #7720:
This completes the frontend security upgrade series.
Made with Cursor