build(deps): batch Dependabot updates, patch undici CVEs, clean up pnpm overrides (#110)
Merged
…ut v7

Batch the open Dependabot PRs into one commit (#101, #105, #94, #87), holding prettier at 3.8.4 — 3.9 is days old and its parser upgrades reformat the repo.

- prod group: google-auth-library, ioredis, mongoose, openai, stripe, @tanstack/react-query (+devtools), axios, framer-motion, i18next
- dev group: doctoc, globals, lint-staged, turbo, typescript-eslint, nock, @vitejs/plugin-react, postcss, vite
- concurrently 9 -> 10 (dev-only; ESM-only, needs Node >= 22)
- actions/checkout v6 -> v7 across all workflows: blocks pwn-request by default; our workflows run on pull_request (not pull_request_target), so no behavior impact

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
npm bundles undici 6.26.0 even at npm@latest, which Trivy flags in the api/web/bot images. Our own dependency tree already resolves undici to 7.28.0 (safe), so this only affects npm's bundled copy inside the image. Mirror the existing brace-expansion patch: install undici@^6.27.0 and copy it over npm's bundled module. Stays on the v6 line to avoid breaking npm. Fixes CVE-2026-12151 (HIGH), CVE-2026-9679 (MEDIUM), CVE-2026-6733 (LOW), CVE-2026-11525 (LOW). Co-authored-by: Makar Dzhehur <100146104+dzhhem@users.noreply.github.com>
The pnpm.overrides block in package.json was a stale subset already superseded by pnpm-workspace.yaml, which pnpm v10 treats as the sole source — package.json's copy was silently ignored (emitting a warning on every install). Removing it changes no resolution: the workspace file already enforces those pins plus esbuild/form-data/@types/express/etc. Bump the workspace postcss override from ^8.5.10 to ^8.5.15 so dropping the package.json postcss@<8.5.15 pin does not lower the security floor.
dzhhem approved these changes on Jul 1, 2026
Description
Batches the four open Dependabot PRs into a single reviewable branch, patches the undici CVEs flagged by Trivy in the container images, and removes a dead `pnpm.overrides` block. Three commits:

1. `build(deps)` — dependency bumps (supersedes Dependabot PRs "build(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates" #105, "build(deps): bump the production-dependencies group across 1 directory with 13 updates" #101, "build(deps): bump actions/checkout from 6 to 7" #94, "build(deps-dev): bump concurrently from 9.2.1 to 10.0.3" #87)
   - prod group: `google-auth-library`, `ioredis`, `mongoose`, `openai`, `stripe`, `@tanstack/react-query` (+devtools), `axios`, `framer-motion`, `i18next`
   - dev group: `doctoc`, `globals`, `lint-staged`, `turbo`, `typescript-eslint`, `nock`, `@vitejs/plugin-react`, `postcss`, `vite`
   - `concurrently` 9 → 10 (dev-only; ESM-only, needs Node ≥ 22 — our runtime is Node 24)
   - `actions/checkout` v6 → v7 across all workflows — v7 blocks pwn-request by default; our workflows run on `pull_request` (not `pull_request_target`) and `gate.yml` performs no checkout, so there is no behavior impact
   - `prettier` deliberately held at 3.8.4 — 3.9 shipped days ago and its parser upgrades reformat the repo; deferred to avoid churn

2. `fix(docker)` — patch npm-bundled `undici` to 6.27.0 (clears 4 CVEs)
   - Our own dependency tree already resolves `undici` to 7.28.0 (safe). The vulnerable 6.26.0 is the copy bundled inside npm in the base image — `npm@latest` still ships it, which is what Trivy flags.
   - Mirrors the existing `brace-expansion` patch pattern: install `undici@^6.27.0` and copy it over npm's bundled module in the api/web/bot images (base + runner). Stays on the v6 line to avoid breaking npm.

3. `fix(deps)` — drop the stale `pnpm.overrides` block from `package.json`
   - It was a subset already superseded by `pnpm-workspace.yaml` (the sole source pnpm v10 reads), so it was silently ignored and emitted a warning on every install. Resolution is unchanged.
   - Bumps the workspace `postcss` override `^8.5.10` → `^8.5.15` so removing the old `postcss@<8.5.15` pin does not lower the security floor.

Supersedes and closes Dependabot PRs #105, #101, #94, #87.

Resolves undici alerts #146, #147, #148, #149 (CVE-2026-12151, CVE-2026-9679, CVE-2026-6733, CVE-2026-11525).
How Has This Been Tested?

Full local suite green after each dependency/lockfile change, plus a targeted Docker build to verify the undici patch:

- Unit tests (Jest/Vitest)
- Integration tests
- Manual testing (screenshots/screencasts encouraged)

- `pnpm run check-types` — 4/4 packages pass
- Web (vitest) 21/21 · Bot (jest) 6/6
- API full suite 388/388 (unit 113, integration 260, e2e 4, stress 11)
- Docker: built the bot image `base` stage and confirmed `/usr/local/lib/node_modules/npm/node_modules/undici` reports 6.27.0 inside the container
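The manual container check above (confirming that npm's bundled undici reports 6.27.0) is the kind of thing that silently regresses on the next base-image bump, when `npm@latest` ships a different bundled copy. The script below is an added example, not part of PR #110 or the project's own tooling: a POSIX sh check that reads the bundled copy's `package.json` and fails unless its version is at or above the floor the PR installs (6.27.0). The directory path is the one named in the PR's test notes; the function names (`ver_ge`, `bundled_version`, `check_undici_floor`, `make_fixture`) are mine, and the fixture it runs against by default is constructed so the script works offline.

```shell
#!/bin/sh
# Added example (not from PR #110): post-build check that npm's bundled undici
# inside an image meets the patched floor, so the Trivy finding cannot quietly
# return on the next base-image bump.
set -eu

# Path from the PR's test notes; overridable for other image layouts.
NPM_UNDICI_DIR="${NPM_UNDICI_DIR:-/usr/local/lib/node_modules/npm/node_modules/undici}"
# The version the PR copies over npm's bundled module.
UNDICI_FLOOR="6.27.0"

# ver_ge A B: succeed when dotted version A >= B, comparing major.minor.patch
# numerically (so 6.9.0 < 6.27.0). A pre-release suffix such as 6.27.0-rc.1 is
# ignored for the comparison.
ver_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop "-rc.1"-style suffixes
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# bundled_version DIR: print the "version" field of DIR/package.json (no jq needed).
bundled_version() {
    sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$1/package.json" | head -n 1
}

# check_undici_floor DIR FLOOR: return 0 when the bundled copy is at or above
# FLOOR, 1 when it is still the unpatched line, 2 when nothing readable is there.
check_undici_floor() {
    if [ ! -f "$1/package.json" ]; then
        echo "no package.json under $1" >&2
        return 2
    fi
    v=$(bundled_version "$1")
    if [ -z "$v" ]; then
        echo "no version field in $1/package.json" >&2
        return 2
    fi
    if ver_ge "$v" "$2"; then
        echo "undici $v >= $2: ok"
        return 0
    fi
    echo "undici $v < $2: npm still bundles the unpatched copy" >&2
    return 1
}

# make_fixture VERSION: constructed fake bundled-undici directory so the check
# can run offline; prints its path. Demo and test use only.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/undici"
    printf '{\n  "name": "undici",\n  "version": "%s"\n}\n' "$1" > "$d/undici/package.json"
    printf '%s\n' "$d/undici"
}

# Demo against a constructed 6.27.0 fixture. Inside the built image, run
#   check_undici_floor "$NPM_UNDICI_DIR" "$UNDICI_FLOOR"
# instead, e.g. as the last RUN step of the stage or from a CI smoke test.
fixture=$(make_fixture "6.27.0")
check_undici_floor "$fixture" "$UNDICI_FLOOR"
rm -rf "$(dirname "$fixture")"
```

Because the check reads `package.json` rather than trusting the lockfile, it catches the case the PR describes: the project's own tree resolving a safe 7.x while the copy that actually ships in the image is npm's bundled 6.x.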