LGTM, straightforward npm audit fix on lockfile only.
Extended reasoning...
Overview
This PR runs npm audit fix on the v1.x branch, modifying only package-lock.json. The changes consist of version bumps for dev dependencies (rollup 4.53→4.60, typescript-eslint 8.48→8.57, eslint 9.39.1→9.39.4, ajv 6.12→6.14, etc.), removal of duplicate/unused entries (graphemer, picomatch duplicates), and addition of new optional platform entries (openbsd-x64, loong64-musl, ppc64-musl).
Security risks
No security risks. This is purely a lockfile update from npm audit fix — it addresses known vulnerabilities in transitive dependencies by bumping them to patched versions. No source code is changed.
Level of scrutiny
Low scrutiny is appropriate. This is a mechanical, tool-generated lockfile change with no source code modifications. The lockfile is not published to npm (the files field only includes dist/), so the impact is limited to the development/CI environment.
Other factors
The bug report identifies a cosmetic issue where npm audit fix incorrectly added "peer": true to several direct runtime dependencies (express, hono, zod) and dev dependencies (eslint, typescript, tsx, acorn, vite). This is a known npm quirk and is functionally harmless — npm ci and npm install both resolve dependencies correctly regardless of this flag. The only theoretical risk (npm ci --omit=peer) is an extremely uncommon invocation. While regenerating the lockfile cleanly would be ideal, this nit does not block the PR.
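The last point above concerns direct dependencies whose package-lock.json entries were tagged "peer": true by npm audit fix. As an added example that is not code from this PR or the project, the following check reads a lockfileVersion 2/3 package-lock.json and reports every root-declared dependency whose installed entry carries that flag. The sample lockfile, its versions, and the function names (direct_dependencies, mistagged_peers) are constructed for this example; the package names only echo the ones named in the review.

```python
"""Flag direct dependencies that a lockfile marks as "peer": true.

Added example, not code from the project or this PR. The lockfile below is
constructed: the package names mirror the review comment, the versions are
made up.
"""
import json

# Constructed sample lockfile (lockfileVersion 3 layout): the root package ""
# declares the direct deps; each installed package has a "node_modules/<name>"
# entry carrying its resolved version and install flags (dev/optional/peer).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"express": "^4.0.0", "zod": "^3.0.0"},
            "devDependencies": {"eslint": "^9.0.0"},
        },
        # direct runtime dep wrongly tagged as peer
        "node_modules/express": {"version": "4.0.0", "peer": True},
        # direct runtime dep with no flags: fine
        "node_modules/zod": {"version": "3.0.0"},
        # direct dev dep wrongly tagged as peer
        "node_modules/eslint": {"version": "9.0.0", "dev": True, "peer": True},
        # a transitive peer dep: legitimately flagged, must not be reported
        "node_modules/some-plugin-peer": {"version": "1.0.0", "peer": True},
    },
})


def direct_dependencies(lock: dict) -> dict:
    """Return {name: manifest field} for every dependency the root package declares."""
    root = lock.get("packages", {}).get("", {})
    kinds = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in root.get(field, {}):
            kinds.setdefault(name, field)
    return kinds


def mistagged_peers(lock_text: str) -> list:
    """List (name, field) for direct deps whose lockfile entry says "peer": true.

    A root-declared dependency is installed because of the root manifest, so a
    peer flag on its entry is a lockfile artifact; it only changes behaviour
    for an install that omits peers (e.g. `npm ci --omit=peer`).
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("needs lockfileVersion >= 2 (the 'packages' map)")
    packages = lock.get("packages", {})
    hits = []
    for name, field in sorted(direct_dependencies(lock).items()):
        entry = packages.get(f"node_modules/{name}")
        if entry is not None and entry.get("peer") is True:
            hits.append((name, field))
    return hits


if __name__ == "__main__":
    import sys

    # Pass a real package-lock.json path to scan it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    for name, field in mistagged_peers(text):
        print(f'{name} (declared in {field}) is marked "peer": true')
```

Run it against the repository's package-lock.json after `npm audit fix` to see whether the quirk recurred; an empty report means every root-declared dependency is installed without a peer flag, which is the state a clean regeneration should restore.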
Clears all 37 open Dependabot alerts on main (v2). Sibling to #1780 which did the same for v1.x.

Approach: pnpm overrides only — no catalog floor bumps. The ^-range floors are compatibility statements; consumers already get latest on fresh install, and our floors don't protect their lockfiles. Raising peer dep floors (hono) would be a soft breaking change that isn't ours to make.

Changes:
- Moved resolutions from package.json → pnpm-workspace.yaml overrides
- Added 17 range-targeted overrides forcing patched versions of transitive deps in our lockfile (ajv, hono, @hono/node-server, minimatch, picomatch, brace-expansion, rollup, flatted, markdown-it, qs, yaml, undici, express-rate-limit)
- Bumped better-auth ^1.4.17 → ^1.4.22 in examples (clears kysely/undici transitives)
- Exempted 4 packages from 7-day minimumReleaseAge for fresh security patches

Result: pnpm audit 44 → 0 vulnerabilities. No published-package API changes.
Address npm audit. Sibling to #1780. Lockfile-only regen — existing ^-ranges already allowed patched versions, the lockfile was just pinning stale resolutions. pnpm audit: 45 → 0 vulnerabilities.