fix: resolve security alerts#464
Merged
thymikee added a commit that referenced this pull request on Jun 1, 2026:
* fix: resolve test-app dependabot alerts

  The postcss/uuid overrides added in #464 stopped applying once test-app ended up nested under the repo-root pnpm-workspace.yaml: pnpm only honors overrides from a workspace root, so test-app's package.json `pnpm.overrides` were silently ignored and the lockfile drifted back to vulnerable versions.

  Move the overrides into a dedicated examples/test-app/pnpm-workspace.yaml so test-app is its own pnpm root and the overrides are honored, and add scoped overrides for the two remaining alerts:

  - postcss 8.4.49 -> 8.5.12 (XSS in CSS stringify)
  - uuid 7.0.3 -> 14.0.0 (missing buffer bounds check)
  - ws@8 8.20.0 -> 8.21.0 (uninitialized memory disclosure)
  - brace-expansion@5 5.0.5 -> 5.0.6 (ReDoS / max bypass)

  ws and brace-expansion overrides are scoped to the vulnerable majors so the non-vulnerable ws@7 / brace-expansion@1 copies in the tree are left untouched.

* chore: drop dead lodash-es override, document test-app workspace

  - Remove the no-op `lodash-es` override from the root package.json (leftover from #368). lodash-es is no longer in the dependency tree, so the override resolved to nothing; regenerating the root lockfile is a no-op.
  - Add a comment to examples/test-app/pnpm-workspace.yaml explaining why the file exists, so it isn't "tidied away" and the override drift reintroduced.
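What the commit describes, written out as a config example (added here for illustration; this is not the file from the repository, whose exact contents are not shown on this page). It assumes pnpm 10 or later, where `overrides` may be declared in pnpm-workspace.yaml, and uses pnpm's `name@range` selector syntax to confine an override to one major:

```yaml
# examples/test-app/pnpm-workspace.yaml  (illustrative, not the project's file)
#
# Do not delete this file. Its presence makes examples/test-app its own pnpm
# workspace root. pnpm only honors overrides declared at a workspace root, so
# an `overrides` block in test-app/package.json is silently ignored once the
# directory sits under the repo-root pnpm-workspace.yaml, and the lockfile
# drifts back to the vulnerable versions.

overrides:
  # Unscoped: every copy of the package in this tree is replaced.
  postcss: 8.5.12
  uuid: 14.0.0
  # Scoped to the vulnerable major only. ws@7 and brace-expansion@1 copies
  # elsewhere in the tree are not affected by these advisories and are left
  # exactly as resolved.
  "ws@8": 8.21.0
  "brace-expansion@5": 5.0.6
```

After editing, re-run `pnpm install` in examples/test-app so the lockfile is regenerated under the new root; an override that is declared but never installed is the same drift the commit message describes.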
Summary
Resolve GitHub security alerts by updating vulnerable npm dependencies and disabling debugging on the Android snapshot helper.
- fast-xml-parser
- Vite/PostCSS resolution
- Rspress/Unhead resolution
- isolated example-app transitive overrides for `@xmldom/xmldom`, `postcss`, and `uuid`
- `android:debuggable="false"` while preserving `adb install -t` behavior with `android:testOnly="true"`

Touched files: 7. Scope stayed within dependency metadata/lockfiles and the Android snapshot helper manifest/docs.
Validation
```sh
pnpm audit --json
pnpm --dir examples/test-app audit --ignore-workspace --json
pnpm check:tooling
pnpm --dir examples/test-app typecheck
pnpm build:android-snapshot-helper
aapt2 dump xmltree --file AndroidManifest.xml .tmp/android-snapshot-helper/agent-device-android-snapshot-helper-0.14.0.apk | rg -n "debuggable|testOnly|application"
node -e "const { createRequire } = require('node:module'); const req = createRequire(process.cwd() + '/examples/test-app/node_modules/.pnpm/xcode@3.0.1/node_modules/xcode/lib/pbxProject.js'); const uuid = req('uuid'); console.log(typeof uuid.v4, uuid.v4().length)"
```