
chore(deps): resolve npm audit vulnerabilities #591

Merged: nicholasjjlim merged 1 commit into main from chore/fix-vulnerable-dependencies on Jun 9, 2026

Conversation

@nicholasjjlim (Collaborator) commented Jun 9, 2026

🚀 Summary

Ran pnpm audit and resolved 2 moderate vulnerabilities using scoped pnpm.overrides. Also added a minimumReleaseAge guardrail to prevent future installs of freshly-published packages.

✏️ Changes

  • pnpm.overrides["minimatch@10>brace-expansion"]: pins to ^5.0.6 to fix GHSA-jxxr-4gwj-5jf2 — scoped to minimatch v10 so minimatch@9 (vitest coverage) is unaffected
  • pnpm.overrides["exceljs>uuid"]: pins to ^11.1.1 to fix GHSA-w5hq-g745-h8pq — scoped to exceljs since it is already at latest and cannot be upgraded directly
  • pnpm-workspace.yaml: added minimumReleaseAge: 10080 (7-day minimum age) as a durable supply-chain guardrail

All 332 tests pass. pnpm audit reports no known vulnerabilities.

@nicholasjjlim nicholasjjlim self-assigned this Jun 9, 2026
@nicholasjjlim nicholasjjlim requested a review from santosral June 9, 2026 03:40
Ran pnpm audit and resolved 2 moderate vulnerabilities using scoped
pnpm overrides. Added minimumReleaseAge to pnpm-workspace.yaml as a
durable supply-chain guardrail.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@nicholasjjlim nicholasjjlim force-pushed the chore/fix-vulnerable-dependencies branch from 6d57101 to e59dfba June 9, 2026 03:52
@nicholasjjlim nicholasjjlim changed the title from "chore(deps): fix brace-expansion and uuid vulnerabilities" to "chore(deps): resolve npm audit vulnerabilities" Jun 9, 2026
@nicholasjjlim nicholasjjlim merged commit 1b95745 into main Jun 9, 2026
8 checks passed
@nicholasjjlim nicholasjjlim deleted the chore/fix-vulnerable-dependencies branch June 9, 2026 09:41
@santosral santosral mentioned this pull request Jun 11, 2026