
fix(deps): patch transitive security vulnerabilities via overrides #86

Merged: vineethkrishnan merged 1 commit into main from fix/security-deps on May 31, 2026

Conversation

@vineethkrishnan (Owner)

Resolves open Dependabot security alerts for transitive npm packages using scoped overrides. No direct-dependency or major version bumps; minimal security-only change.

Alerts fixed

| Package | Severity | Patched to | GHSA | Scope |
|---|---|---|---|---|
| qs | medium | 6.15.2 | GHSA-q8mj-m7cp-5q26 | runtime (transitive) |
| fast-uri | high | 3.1.2 | GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6 | dev (transitive) |
| postcss | medium | 8.5.10 | GHSA-qx2v-qp2m-jg93 | dev (transitive) |
| picomatch | medium | 2.3.2 | GHSA-3v7f-55p6-f55p | dev (transitive) |
| brace-expansion | medium | 2.0.3 | GHSA-f886-m6hf-6m8v | runtime (transitive, under typeorm) |

picomatch and brace-expansion overrides are scoped to the vulnerable consumers (anymatch/jest-util/micromatch, and typeorm) so the safe higher major versions (picomatch 4.x, brace-expansion 5.x) elsewhere in the tree are untouched.

Not fixed here (require major upgrades, left for review)

- vite (GHSA-4w7w-66w2-5vf9, patched 6.4.2) and esbuild (GHSA-67mh-4wv8-2f99, patched 0.25.0) are dev-only, pulled transitively by vitepress 1.x which pins vite ^5.x / esbuild ^0.21. Forcing the patched versions requires a vitepress major upgrade and is out of scope for a minimal security patch.

Verification (local)

- npm install clean
- npm run build passes
- npm run lint:check passes
- npm test passes (569 tests, 65 suites)

Do not merge without human review.

Add npm overrides to resolve open Dependabot security alerts for
transitive packages:

- qs to 6.15.2 (GHSA-q8mj-m7cp-5q26)
- fast-uri to 3.1.2 (GHSA-v39h-62p7-jpjc, GHSA-q3j6-qgpj-74h6)
- postcss to 8.5.10 (GHSA-qx2v-qp2m-jg93)
- picomatch to 2.3.2 under anymatch/jest-util/micromatch
  (GHSA-3v7f-55p6-f55p)
- brace-expansion to 2.0.3 under typeorm (GHSA-f886-m6hf-6m8v)

Overrides are scoped to the vulnerable instances so safe higher
major versions (picomatch 4.x, brace-expansion 5.x) are untouched.
Build, lint, and the full test suite pass.
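As an added example (not code from this PR or the project), a Node.js check that reads the `packages` map of a package-lock.json and confirms that the scoped overrides listed above resolved to patched versions under the vulnerable consumers, while out-of-scope instances such as the top-level picomatch 4.x stay untouched. The policy values come from the PR description; the lockfile entries and their version numbers are constructed sample data, not the project's lockfile.

```javascript
// Added example, not part of this PR or the project: audit a lockfile "packages" map for scoped npm overrides.

// Override policy taken from the PR description; "under" lists the consumers an override is scoped to, "*" means tree-wide.
const POLICY = {
  "qs": { minVersion: "6.15.2", under: "*" },
  "fast-uri": { minVersion: "3.1.2", under: "*" },
  "postcss": { minVersion: "8.5.10", under: "*" },
  "picomatch": { minVersion: "2.3.2", under: ["anymatch", "jest-util", "micromatch"] },
  "brace-expansion": { minVersion: "2.0.3", under: ["typeorm"] },
};

// Numeric dotted-version comparison; prerelease tags are ignored.
function versionGte(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) > (pb[i] || 0);
  }
  return true;
}

// Lockfile keys look like "node_modules/a/node_modules/b"; return the nearest enclosing consumer, or null at top level.
function parentOf(lockPath) {
  const parts = lockPath.split("node_modules/").filter(Boolean).map((p) => p.replace(/\/$/, ""));
  return parts.length > 1 ? parts[parts.length - 2] : null;
}

// Flag instances inside an override's scope that still resolve below the patched version; out-of-scope ones are left alone.
function auditScopedOverrides(packages, policy) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(packages)) {
    if (!lockPath || !meta.version) continue; // root entry or workspace link
    const rule = policy[lockPath.split("node_modules/").pop()];
    if (!rule) continue;
    const inScope = rule.under === "*" || rule.under.includes(parentOf(lockPath));
    if (inScope && !versionGte(meta.version, rule.minVersion)) findings.push({ path: lockPath, version: meta.version, want: rule.minVersion });
  }
  return findings;
}

// Constructed sample lock data (not the project's lockfile): one stale picomatch remains under micromatch.
const SAMPLE_PACKAGES = {
  "": { name: "app" },
  "node_modules/picomatch": { version: "4.0.2" },
  "node_modules/anymatch/node_modules/picomatch": { version: "2.3.2" },
  "node_modules/micromatch/node_modules/picomatch": { version: "2.3.1" },
  "node_modules/brace-expansion": { version: "5.0.0" },
  "node_modules/typeorm/node_modules/brace-expansion": { version: "2.0.3" },
};
```

To audit a real tree, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8")).packages` in place of `SAMPLE_PACKAGES`; an empty result means every in-scope instance is at or above the patched version.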
vineethkrishnan merged commit 87a2114 into main on May 31, 2026
12 checks passed
vineethkrishnan deleted the fix/security-deps branch on May 31, 2026 at 10:37

1 participant