
build(deps): batch Dependabot updates, patch undici CVEs, clean up pnpm overrides #110

Merged: BODMAT merged 3 commits into master from chore/deps-bump-and-security-fixes on Jul 1, 2026

Conversation

@BODMAT (Collaborator) commented Jul 1, 2026

Description

Batches the four open Dependabot PRs into a single reviewable branch, patches the undici CVEs flagged by Trivy in the container images, and removes a dead pnpm.overrides block. Three commits:

  1. build(deps) — dependency bumps (supersedes Dependabot PRs #105 "build(deps-dev): bump the dev-dependencies group across 1 directory with 10 updates", #101 "build(deps): bump the production-dependencies group across 1 directory with 13 updates", #94 "build(deps): bump actions/checkout from 6 to 7", #87 "build(deps-dev): bump concurrently from 9.2.1 to 10.0.3")

    • prod group: google-auth-library, ioredis, mongoose, openai, stripe, @tanstack/react-query (+devtools), axios, framer-motion, i18next
    • dev group: doctoc, globals, lint-staged, turbo, typescript-eslint, nock, @vitejs/plugin-react, postcss, vite
    • concurrently 9 → 10 (dev-only; ESM-only, needs Node ≥ 22 — our runtime is Node 24)
    • actions/checkout v6 → v7 across all workflows — v7 blocks pwn-request by default; our workflows run on pull_request (not pull_request_target) and gate.yml performs no checkout, so there is no behavior impact
    • prettier deliberately held at 3.8.4 — 3.9 shipped days ago and its parser upgrades reformat the repo; deferred to avoid churn
  2. fix(docker) — patch npm-bundled undici to 6.27.0 (clears 4 CVEs)

    • Our own dependency tree already resolves undici to 7.28.0 (safe). The vulnerable 6.26.0 is the copy bundled inside npm in the base image — npm@latest still ships it, which is what Trivy flags.
    • Mirrors the existing brace-expansion patch pattern: install undici@^6.27.0 and copy it over npm's bundled module in the api/web/bot images (base + runner). Stays on the v6 line to avoid breaking npm.
  3. fix(deps) — drop the stale pnpm.overrides block from package.json

    • It was already superseded by pnpm-workspace.yaml (the sole source pnpm v10 reads), so it was silently ignored and emitted a warning on every install. Resolution is unchanged. Bumps the workspace postcss override ^8.5.10 → ^8.5.15 so removing the old postcss@<8.5.15 pin does not lower the security floor.

Supersedes and closes Dependabot PRs #105, #101, #94, #87.
Resolves undici alerts #146, #147, #148, #149 (CVE-2026-12151, CVE-2026-9679, CVE-2026-6733, CVE-2026-11525).

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

Full local suite green after each dependency/lockfile change, plus a targeted Docker build to verify the undici patch:

  • Unit tests (Jest/Vitest)
  • Integration tests
  • Manual testing (screenshots/screencasts encouraged)
  • pnpm run check-types — 4/4 packages pass
  • Web (vitest) 21/21 · Bot (jest) 6/6
  • API full suite 388/388 (unit 113, integration 260, e2e 4, stress 11)
  • Docker: built the bot image base stage and confirmed /usr/local/lib/node_modules/npm/node_modules/undici reports 6.27.0 inside the container

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • (If API) Database migrations have been created and tested
  • (If UI) Changes look good on mobile and desktop
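
The actions/checkout bump in this PR rests on one property of the repository's workflows: none of them combine the privileged pull_request_target trigger with a checkout of the PR head, which is the "pwn request" shape in which a fork's code runs with the base repository's secrets and write token. The following is an added example, not code from this PR or from the repository it targets, of a small static audit that checks exactly that combination across a set of workflow files. The function names (`workflowTriggers`, `checksOutPrHead`, `auditWorkflow`, `auditAll`) and the three workflow texts are assumptions constructed for the demo; a real run would read `.github/workflows/*.yml` from disk and pass their contents in.

```javascript
// Added example: static check for the "pwn request" shape, i.e. a workflow that
// runs on pull_request_target (base-repo secrets, write token) AND checks out
// the PR head with actions/checkout. The same checkout under plain pull_request
// runs with a read-only token and is not a privilege escalation.
// Function names and the sample workflows are assumptions made for this demo.
'use strict';

const ON_KEY = /^(?:on|"on"|'on'):/;

// Collect trigger names from the `on:` block (inline scalar/list or block form).
function workflowTriggers(yamlText) {
  const triggers = new Set();
  const lines = yamlText.split('\n');
  const onLine = lines.findIndex((l) => ON_KEY.test(l));
  if (onLine === -1) return triggers;
  const rest = lines[onLine].replace(ON_KEY, '').trim();
  if (rest) {
    // Inline form: `on: push` or `on: [pull_request, pull_request_target]`
    rest.replace(/[[\]]/g, '').split(',').map((s) => s.trim()).filter(Boolean)
      .forEach((t) => triggers.add(t));
    return triggers;
  }
  // Block form: the keys (or `- item`s) one indent level below `on:`,
  // stopping at the next top-level key.
  let childIndent = null;
  for (let j = onLine + 1; j < lines.length; j++) {
    const line = lines[j];
    if (line.trim() === '' || line.trim().startsWith('#')) continue;
    const indent = line.match(/^\s*/)[0].length;
    if (indent === 0) break;
    if (childIndent === null) childIndent = indent;
    const m = line.match(/^\s*(?:-\s*)?([A-Za-z_]+)\s*(?::.*)?$/);
    if (indent === childIndent && m) triggers.add(m[1]);
  }
  return triggers;
}

const PR_HEAD_REF =
  /ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\s*\}\}/;

// True if any actions/checkout step sets `with.ref` to the PR head.
function checksOutPrHead(yamlText) {
  const lines = yamlText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    if (!/uses:\s*actions\/checkout@/.test(lines[i])) continue;
    const stepIndent = lines[i].match(/^\s*/)[0].length;
    // Scan the rest of this step: lines at least as indented as `uses:`,
    // up to the next `- ` list item (the next step).
    for (let j = i + 1; j < lines.length; j++) {
      const line = lines[j];
      if (line.trim() === '') continue;
      const indent = line.match(/^\s*/)[0].length;
      if (indent < stepIndent || /^\s*-\s/.test(line)) break;
      if (PR_HEAD_REF.test(line)) return true;
    }
  }
  return false;
}

// 'pwn-request' when a privileged trigger is combined with a PR-head checkout.
function auditWorkflow(yamlText) {
  const privileged = workflowTriggers(yamlText).has('pull_request_target');
  return privileged && checksOutPrHead(yamlText) ? 'pwn-request' : 'ok';
}

function auditAll(workflows) {
  const report = {};
  for (const [file, text] of Object.entries(workflows)) report[file] = auditWorkflow(text);
  return report;
}

// Constructed sample workflows (not the repository's real files).
const SAMPLE_WORKFLOWS = {
  // Fork PR CI: checks out the PR head, but under pull_request (read-only token).
  'ci.yml': [
    'name: CI',
    'on:',
    '  pull_request:',
    '    branches: [master]',
    'jobs:',
    '  test:',
    '    runs-on: ubuntu-latest',
    '    steps:',
    '      - uses: actions/checkout@v7',
    '      - run: pnpm install --frozen-lockfile && pnpm test',
  ].join('\n'),
  // The classic pwn-request shape: privileged trigger + PR-head checkout + install.
  'preview.yml': [
    'name: Preview',
    'on: [pull_request_target]',
    'jobs:',
    '  build:',
    '    runs-on: ubuntu-latest',
    '    steps:',
    '      - name: Check out PR head',
    '        uses: actions/checkout@v7',
    '        with:',
    '          ref: ${{ github.event.pull_request.head.sha }}',
    '      - run: pnpm install && pnpm build',
  ].join('\n'),
  // Privileged trigger but no checkout at all (label gate): not a pwn request.
  'labeler.yml': [
    'name: Labeler',
    'on:',
    '  pull_request_target:',
    '    types: [opened, labeled]',
    'jobs:',
    '  label:',
    '    runs-on: ubuntu-latest',
    '    steps:',
    '      - run: echo "label check via the API only"',
  ].join('\n'),
};

console.log(auditAll(SAMPLE_WORKFLOWS));
```

The check is deliberately narrow: it only flags the combination, so a pull_request_target workflow that never checks out untrusted code (the label-gate sample) passes, while the same checkout under pull_request also passes because that trigger carries no base-repo privileges. It scans YAML textually rather than parsing it, so a `ref:` built indirectly (through an env var or a reusable workflow input) would be missed; treat a clean result as a screen, not proof.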

BODMAT and others added 3 commits July 1, 2026 21:09
…ut v7

Batch the open Dependabot PRs into one commit (#101, #105, #94, #87),
holding prettier at 3.8.4 — 3.9 is days old and its parser upgrades
reformat the repo.

- prod group: google-auth-library, ioredis, mongoose, openai, stripe,
  @tanstack/react-query(+devtools), axios, framer-motion, i18next
- dev group: doctoc, globals, lint-staged, turbo, typescript-eslint,
  nock, @vitejs/plugin-react, postcss, vite
- concurrently 9 -> 10 (dev-only; ESM-only, needs Node >= 22)
- actions/checkout v6 -> v7 across all workflows: blocks pwn-request by
  default; our workflows run on pull_request (not pull_request_target),
  so no behavior impact

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

npm bundles undici 6.26.0 even at npm@latest, which Trivy flags in the
api/web/bot images. Our own dependency tree already resolves undici to
7.28.0 (safe), so this only affects npm's bundled copy inside the image.

Mirror the existing brace-expansion patch: install undici@^6.27.0 and
copy it over npm's bundled module. Stays on the v6 line to avoid
breaking npm.

Fixes CVE-2026-12151 (HIGH), CVE-2026-9679 (MEDIUM), CVE-2026-6733 (LOW),
CVE-2026-11525 (LOW).

Co-authored-by: Makar Dzhehur <100146104+dzhhem@users.noreply.github.com>

The pnpm.overrides block in package.json was a stale subset already
superseded by pnpm-workspace.yaml, which pnpm v10 treats as the sole
source — package.json's copy was silently ignored (emitting a warning on
every install). Removing it changes no resolution: the workspace file
already enforces those pins plus esbuild/form-data/@types/express/etc.

Bump the workspace postcss override from ^8.5.10 to ^8.5.15 so dropping
the package.json postcss@<8.5.15 pin does not lower the security floor.
@BODMAT BODMAT requested a review from dzhhem as a code owner July 1, 2026 18:24
@vercel

vercel Bot commented Jul 1, 2026

The latest updates on your projects.

Project: fintrack-web · Deployment: Ready · Actions: Preview, Comment · Updated (UTC): Jul 1, 2026 6:24pm

@BODMAT BODMAT merged commit 91ebac2 into master Jul 1, 2026
14 checks passed
@BODMAT BODMAT deleted the chore/deps-bump-and-security-fixes branch July 1, 2026 18:41