
build(deps): override devalue to 5.8.1 (GHSA-77vg-94rm-hx3p) #112

Merged
theagenticguy merged 1 commit into main from chore/override-devalue-cve on May 15, 2026

Conversation

@theagenticguy
Owner

Summary

Pins `devalue` to 5.8.1+ via pnpm-workspace.yaml overrides. Versions
5.6.3..5.8.0 are vulnerable to GHSA-77vg-94rm-hx3p (HIGH, 7.5) —
DoS via sparse-array deserialization. Advisory published 2026-05-14
20:23 UTC, ~3.5h after #103 (astro 6.3.1 → 6.3.3) merged.

Impact path

`devalue` is pulled in transitively by `astro@6.3.3` → consumed only
by `@opencodehub/docs` (`"private": true`, builds the static docs
site, never published). None of the 17 published `@opencodehub/*`
tarballs depend on devalue. Runtime exposure to the published
artifacts is zero.

Why this PR exists

The release pipeline (`release.yml`) does not run `pnpm audit`, so
the CVE wouldn't actually break a release. But the pre-release gate
on release-please PRs does run `pnpm audit --audit-level=high
--prod`, and that's currently failing on #97 (the release PR for
`root-v0.4.0` + `cli-v0.3.0`). Patching devalue cleanly is the
defensible engineering move:

  1. Eliminates the audit failure on #97 (chore: release main) without bypassing branch protection.
  2. Closes Dependabot alert #44 (build(deps): bump @bufbuild/protobuf from 2.11.0 to 2.12.0).
  3. Auto-reverts once astro ships a version that already pins
    `devalue >= 5.8.1` (the override is keyed on `devalue@<5.8.1`).

Verified locally

  • `pnpm install --frozen-lockfile` → ok
  • `pnpm audit --audit-level=high --prod` → "No known vulnerabilities found"
  • `pnpm typecheck` → green across all 19 workspace projects
  • `pnpm --filter @opencodehub/docs build` → 63 pages, completes
  • `pnpm why devalue` → resolves to 5.8.1 (was 5.8.0)

Test plan

  • CI must surface `pnpm audit (high+)` and `osv` as PASSING on
    this branch (both are non-required but currently failing on
    #97, chore: release main; this PR is the fix).
  • Typecheck and full test suite must remain green.

Pins `devalue` to 5.8.1+ via pnpm-workspace.yaml overrides. Versions
5.6.3..5.8.0 are vulnerable to GHSA-77vg-94rm-hx3p (HIGH, 7.5) — DoS
via sparse-array deserialization. Advisory was published 2026-05-14
20:23 UTC, ~3.5h after #103 (astro 6.3.1 → 6.3.3) merged.

Impact path: devalue is pulled in transitively by astro@6.3.3, which
is consumed only by @opencodehub/docs — a private workspace package
that builds the static documentation site. None of the published
@opencodehub/* tarballs depend on devalue, so the runtime exposure is
zero. The override exists to keep `pnpm audit --audit-level=high`
clean on the release-please PR (otherwise the release pipeline gets
blocked behind a pre-release-gate failure that doesn't affect what
ships).

Verified locally:
- `pnpm install --frozen-lockfile` succeeds
- `pnpm audit --audit-level=high --prod` → "No known vulnerabilities found"
- `pnpm typecheck` → green across all 19 workspace projects
- `pnpm --filter @opencodehub/docs build` → 63 pages, completes
- `pnpm why devalue` → resolves to 5.8.1

The override is keyed on `devalue@<5.8.1` so it auto-disengages once
astro ships a transitive constraint that already pulls 5.8.1+.
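The override mechanism the PR and commit message describe, shown as an added configuration example rather than the PR's own diff (which this page does not include). The `overrides` field and its `package@range` selector form are pnpm's documented syntax for pnpm-workspace.yaml; the `packages` globs are placeholders, and the unconditional pin is included only to contrast it with the range-keyed form the PR uses.

```yaml
# pnpm-workspace.yaml (added example, not the PR's actual diff)
packages:
  # Placeholder workspace globs; the real repo's 19 projects are not listed on this page.
  - "packages/*"

overrides:
  # Range-keyed override, as the PR describes: the selector only targets
  # devalue requirements pnpm matches against "<5.8.1", i.e. the range that
  # still resolves to a version affected by GHSA-77vg-94rm-hx3p, and rewrites
  # them to the patched 5.8.1. Once astro's own constraint already pulls
  # 5.8.1+, the selector no longer matches and the override retires itself
  # without a follow-up edit. Verify the resolution with: pnpm why devalue
  "devalue@<5.8.1": "5.8.1"

  # Contrast (do not add alongside the entry above): an unconditional pin
  # applies to every devalue requirement in the graph regardless of the range
  # the dependent declares, so it has to be removed by hand later and could
  # hold back a future astro release that legitimately needs a newer devalue.
  # devalue: "5.8.1"
```

After editing, re-run `pnpm install --frozen-lockfile` and `pnpm audit --audit-level=high --prod` as the PR's verification list does; a stale lockfile is the usual reason the audit keeps reporting the old version.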
@theagenticguy theagenticguy merged commit a8a0aa7 into main May 15, 2026
37 checks passed
@theagenticguy theagenticguy deleted the chore/override-devalue-cve branch May 15, 2026 00:48
@theagenticguy theagenticguy mentioned this pull request May 15, 2026