fix(ts): dedupe overrides block in package.json (restore undici pin) #275
Open
v1r3n wants to merge 1 commit into
Conversation
The #270 merge left two "overrides" keys in sdk/typescript/package.json (one from the HITL/audit branch, one from main). JSON parsers keep only the last, so the undici pin in the first block was silently shadowed — the high-severity undici audit fix was surviving only because the transitive range happened to resolve to the patched 7.28.0, with no actual pin guarding it. Consolidate into a single valid overrides block that includes undici alongside esbuild/ws/uuid. No resolved-version changes (lockfile unchanged); npm ci + build + 823 unit tests + the `npm audit --omit=dev --audit-level=high` gate all pass.
Summary
Follow-up to #270. The merge of #270 left two `"overrides"` keys in `sdk/typescript/package.json` (lines 49 and 103) — one from the HITL/audit branch, one from main. JSON keeps only the last duplicate key, so the `undici` pin was silently shadowed.

The high-severity `undici` audit fix from #270 is currently surviving only because the transitive `^7.x` range happens to resolve to the patched `7.28.0` — there is no actual pin guarding it. A future `undici` 7.x release with a new advisory would re-break the `npm audit --omit=dev --audit-level=high` gate with nothing to hold it.

Fix

Consolidate into a single valid `overrides` block that includes `undici` alongside the existing `esbuild`/`ws`/`uuid` overrides. No resolved-version changes — the lockfile is unchanged.

Verification

- `grep -c '"overrides"'` → 1 (was 2); valid JSON; `undici` pin present
- `npm ci` + `npm run build` + `npx vitest run tests/unit/` (823 tests) — pass
- `npm audit --workspaces=false --omit=dev --audit-level=high` — exit 0
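The duplicate-key collapse this PR fixes, as an added example that is not code from the PR or the project: a small scanner that reports any key repeated within the same JSON object (which `JSON.parse` silently resolves to the last occurrence), run over a constructed package.json that mirrors the merged state. Dependency names are taken from the PR; every version other than the `7.28.0` pin is a placeholder.

```javascript
// Walks a JSON document and returns the path of every key that appears more
// than once in the same object (i.e. every key JSON.parse would shadow).
function findDuplicateKeys(text) {
  const dups = []; let i = 0;
  const skipWs = () => { while (/\s/.test(text[i] || '')) i++; };
  const parseString = () => {                 // text[i] is the opening quote
    const start = i++;
    while (i < text.length && text[i] !== '"') i += text[i] === '\\' ? 2 : 1;
    return JSON.parse(text.slice(start, ++i)); // decode escapes the JSON way
  };
  function parseValue(path) {
    skipWs();
    if (text[i] === '{') {
      const seen = new Set();                   // keys seen in THIS object only
      i++; skipWs();
      while (i < text.length && text[i] !== '}') {
        const key = parseString();
        const keyPath = path ? `${path}.${key}` : key;
        if (seen.has(key)) dups.push(keyPath);  // second occurrence: shadowed
        seen.add(key);
        skipWs(); i++;                          // consume ':'
        parseValue(keyPath);
        skipWs();
        if (text[i] === ',') { i++; skipWs(); }
      }
      i++;                                      // consume '}'
    } else if (text[i] === '[') {
      let n = 0;
      i++; skipWs();
      while (i < text.length && text[i] !== ']') {
        parseValue(`${path}[${n++}]`);
        skipWs();
        if (text[i] === ',') { i++; skipWs(); }
      }
      i++;                                      // consume ']'
    } else if (text[i] === '"') {
      parseString();
    } else {                                    // number, true, false, null
      while (i < text.length && !/[\s,\]}]/.test(text[i])) i++;
    }
  }
  parseValue('');
  return dups;
}
// Constructed sample of the post-#270 state: two top-level "overrides" blocks.
const DUPLICATED_PACKAGE_JSON = `{
  "overrides": { "undici": "7.28.0" },
  "dependencies": { "undici": "^7.0.0" },
  "overrides": { "esbuild": "0.0.0-placeholder", "ws": "0.0.0-placeholder", "uuid": "0.0.0-placeholder" }
}`;
const effectiveOverrides = (text) => JSON.parse(text).overrides || {}; // what npm sees
```

Running `findDuplicateKeys` over the sample reports `overrides`, while `effectiveOverrides` returns the last block only, with no `undici` entry; the same scanner can run as a pre-commit or CI check on any package.json.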