deps: resolve open Dependabot security advisories #62
Open
ApiliumDevTeam wants to merge 2 commits into
Ignore the whole .claude/ directory plus superpowers/skill docs, and stop tracking the committed src/gateway/server-methods/CLAUDE.md so per-developer agent instructions stay local and never reach the public repo.
Bump direct dependencies and add bounded pnpm.overrides to force patched versions for all advisories that have an upstream fix. Cuts pnpm audit from 140 to 3. Direct deps: @whiskeysockets/baileys, hono, markdown-it, tar, undici, ws, vitest, @vitest/coverage-v8. Overrides (bounded to the safe major to avoid breaking jumps such as undici 8, vite 8, basic-ftp 6, fast-uri 4, @hono/node-server 2): axios, protobufjs, @protobufjs/utf8, dompurify, vite, ws, lodash, markdown-it, @grpc/grpc-js, @opentelemetry/core, @opentelemetry/sdk-node, @opentelemetry/exporter-prometheus, basic-ftp, defu, fast-uri, fast-xml-builder, fast-xml-parser, follow-redirects, ip-address, simple-git, hono, @hono/node-server, form-data, qs, tar, undici, brace-expansion, postcss, @whiskeysockets/baileys, and scoped overrides for uuid, vitest@3, esbuild@0.27, @vitest/browser@4. Extension manifests bumped: zalo (undici), matrix (markdown-it), diagnostics-otel (@opentelemetry/*), ui (vite, vitest, dompurify). Remaining 3 advisories (@mariozechner/pi-coding-agent) have no published fix (latest 0.73.1 is still in range) and cannot be resolved by a bump. Verified: pnpm install, pnpm tsgo (0 errors), pnpm lint (0 errors), oxfmt on changed files.
Summary

Resolves the open Dependabot security advisories on the repository (171 alerts across 33 packages) by bumping direct dependencies and adding bounded `pnpm.overrides` for transitive packages. Also includes a small `.gitignore` change to keep per-developer Claude Code / superpowers files out of the public repo.

Result: `pnpm audit` drops from 140 → 3 vulnerabilities. The 3 remaining have no upstream fix (see below).

What changed

Dependency security fixes

- Direct deps: `@whiskeysockets/baileys`, `hono`, `markdown-it`, `tar`, `undici`, `ws`, `vitest`, `@vitest/coverage-v8`.
- `pnpm.overrides` added/updated to force patched versions for transitive advisories. Ranges are bounded to the safe major to avoid breaking jumps that Dependabot would otherwise suggest: `undici` (<8), `vite` (<8), `basic-ftp` (<6), `fast-uri` (<4), `@hono/node-server` (<2).
- Overrides: `axios`, `protobufjs`, `@protobufjs/utf8`, `dompurify`, `lodash`, `@grpc/grpc-js`, `@opentelemetry/{core,sdk-node,exporter-prometheus}`, `defu`, `fast-xml-builder`, `fast-xml-parser`, `follow-redirects`, `ip-address`, `simple-git`, `form-data`, `qs`, `brace-expansion`, `postcss`, plus scoped overrides for `uuid`, `vitest@3`, `esbuild@0.27`, `@vitest/browser@4`.
- Extension manifests bumped: `zalo` (undici), `matrix` (markdown-it), `diagnostics-otel` (@opentelemetry/*), `ui` (vite, vitest, dompurify).

Repo hygiene

- `.gitignore`: ignore the whole `.claude/` directory and `superpowers/` / skill docs; stop tracking the committed `src/gateway/server-methods/CLAUDE.md` so agent instructions stay local.

Not fixable (no upstream patch)

- `@mariozechner/pi-coding-agent`: 3 advisories (1 high, 2 low). The latest published version (0.73.1) is still within the vulnerable range and there is no patched release, so these cannot be resolved by a version bump. They account for the remaining 3 `pnpm audit` findings (6 Dependabot alerts across the root + lockfile manifests).

Verification

- `pnpm install`: clean resolution (only pre-existing peer warnings).
- `pnpm tsgo`: 0 type errors.
- `pnpm lint`: 0 errors.
- `oxfmt`: changed manifests formatted.
- `pnpm audit`: 140 → 3 (only the unfixable `pi-coding-agent` advisories remain).
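The bounded-override pattern the description relies on, written out as an added example of pnpm's `overrides` selector syntax (this is not the PR's actual `package.json`). The package names come from the PR text; the selector on the left limits the rewrite to the stated major range so an unrelated newer major is never silently pulled in, and the version values are placeholders because the patched releases are not stated on this page:

```json
{
  "pnpm": {
    "overrides": {
      "undici@<8": "PLACEHOLDER-patched-7.x-release",
      "vite@<8": "PLACEHOLDER-patched-7.x-release",
      "basic-ftp@<6": "PLACEHOLDER-patched-5.x-release",
      "fast-uri@<4": "PLACEHOLDER-patched-3.x-release",
      "@hono/node-server@<2": "PLACEHOLDER-patched-1.x-release",
      "vitest@3": "PLACEHOLDER-patched-3.x-release",
      "esbuild@0.27": "PLACEHOLDER-patched-0.27.x-release",
      "@vitest/browser@4": "PLACEHOLDER-patched-4.x-release"
    }
  }
}
```

After replacing the placeholders, `pnpm install` rewrites the lockfile and `pnpm audit` shows whether each advisory is now resolved; an override that pointed past the safe major (for example an unscoped `"undici": "8.x"`) would clear the advisory but reintroduce the breaking jump the PR avoids.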