Fix Dependabot transitive security updates #22
Co-authored-by: Andrea Mazzucchelli <andrmaz@users.noreply.github.com>
CI Autofix Automation
Failure logs: https://github.com/andrmaz/cortex/actions/runs/27463460309/job/81181436325
Broken by: #21 (cc @coderabbitai)
Reason: PR #21 regenerated the pnpm lockfile while adding test dependencies, leaving vulnerable transitive versions of brace-expansion, flatted, @hono/node-server, postcss, and picomatch. Dependabot's security-update jobs were configured for direct updates, so each advisory failed with security_update_not_possible instead of updating the transitive package.
Fixed by: Added targeted root pnpm.overrides for the five vulnerable transitive ranges and regenerated pnpm-lock.yaml. Verified with pnpm install --lockfile-only --frozen-lockfile and pnpm --filter db db:generate && pnpm check-types.
Sent by Cursor Automation: Fix CI failures
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Andrea Mazzucchelli <andrmaz@users.noreply.github.com>


Adds targeted pnpm overrides for vulnerable transitive dependencies that Dependabot could not update automatically, then regenerates the lockfile.
Validation:
pnpm install --lockfile-only --frozen-lockfile
pnpm --filter db db:generate && pnpm check-types
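The fix described above relies on root `pnpm.overrides` forcing every resolution of a transitive package up to a patched floor; the lockfile regeneration is what proves the override actually took effect. The script below is an added example, not code from this PR or the cortex repository: it reads the `pnpm.overrides` map from a package.json object and checks a list of pnpm-lock.yaml package keys (`name@version` or `name@version(peer...)`, lockfile v9 style) for any resolved version that still sits below its override floor. It assumes overrides of the `>=x.y.z` form and uses constructed sample versions, not the real advisory ranges; the five package names are the ones the PR lists.

```javascript
// Added example (not part of the PR): verify that pnpm.overrides in package.json
// were honoured in pnpm-lock.yaml, i.e. no resolved version of an overridden
// package is below the floor the override pins. Assumes ">=x.y.z" overrides and
// lockfile package keys shaped like "name@x.y.z" or "name@x.y.z(peer@...)".

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Override key is "pkg" or "pkg@selector"; value is ">=x.y.z" or "x.y.z".
// Scoped packages start with "@", so only an "@" past index 0 separates a selector.
function parseOverride(key, value) {
  const at = key.lastIndexOf('@');
  const name = at > 0 ? key.slice(0, at) : key;
  const floor = value.replace(/^>=/, '');
  parseSemver(floor); // reject anything that is not a concrete floor version
  return { name, floor };
}

// Lockfile key "name@version" or "name@version(peer@ver)" -> { name, version }
function parseLockPackageKey(key) {
  const noPeers = key.split('(')[0];
  const at = noPeers.lastIndexOf('@');
  return { name: noPeers.slice(0, at), version: noPeers.slice(at + 1) };
}

// Returns a list of human-readable problems; empty means every override held.
function findUnfixedTransitives(packageJson, lockPackageKeys) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  const floors = Object.entries(overrides).map(([k, v]) => parseOverride(k, v));
  const resolved = lockPackageKeys.map(parseLockPackageKey);
  const problems = [];
  for (const { name, floor } of floors) {
    for (const pkg of resolved) {
      if (pkg.name === name && compareSemver(pkg.version, floor) < 0) {
        problems.push(`${name}@${pkg.version} is below override floor ${floor}`);
      }
    }
  }
  return problems;
}

// Constructed sample package.json: overrides for the five packages the PR names.
// The floor "1.0.5" is a placeholder, not the real patched version of any of them.
const samplePackageJson = {
  name: 'sample-monorepo',
  pnpm: {
    overrides: {
      'brace-expansion': '>=1.0.5',
      'flatted': '>=1.0.5',
      '@hono/node-server': '>=1.0.5',
      'postcss': '>=1.0.5',
      'picomatch@<1.0.5': '>=1.0.5',
    },
  },
};

// Constructed lockfile package keys before the overrides were applied...
const lockBefore = [
  'brace-expansion@1.0.1',
  'flatted@1.0.5',
  '@hono/node-server@1.0.5(hono@1.0.0)',
  'postcss@1.0.4',
  'picomatch@1.0.5',
];
// ...and after pnpm re-resolved the lockfile with them.
const lockAfter = [
  'brace-expansion@1.0.5',
  'flatted@1.0.5',
  '@hono/node-server@1.0.5(hono@1.0.0)',
  'postcss@1.0.6',
  'picomatch@1.0.5',
];

console.log('before:', findUnfixedTransitives(samplePackageJson, lockBefore));
console.log('after: ', findUnfixedTransitives(samplePackageJson, lockAfter));
```

Run as a CI step after `pnpm install --lockfile-only --frozen-lockfile`, a non-empty result means an override was added but the lockfile still carries an older resolution, which is the situation Dependabot's `security_update_not_possible` failures were pointing at.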