fix(ts): dedupe overrides block in package.json (restore undici pin) #275

Open
v1r3n wants to merge 1 commit into main from fix/dedupe-ts-overrides

v1r3n commented Jun 20, 2026 (Contributor)

Summary

Follow-up to #270. The merge of #270 left two "overrides" keys in sdk/typescript/package.json (lines 49 and 103) — one from the HITL/audit branch, one from main. JSON keeps only the last duplicate key, so the undici pin was silently shadowed.

The high-severity undici audit fix from #270 is currently surviving only because the transitive ^7.x range happens to resolve to the patched 7.28.0 — there is no actual pin guarding it. A future undici 7.x release with a new advisory would re-break the npm audit --omit=dev --audit-level=high gate with nothing to hold it.

Fix

Consolidate into a single valid overrides block that includes undici alongside the existing esbuild / ws / uuid overrides. No resolved-version changes — the lockfile is unchanged.

Verification

  • grep -c '"overrides"' → 1 (was 2); valid JSON; undici pin present
  • npm ci + npm run build + npx vitest run tests/unit/ (823 tests) — pass
  • npm audit --workspaces=false --omit=dev --audit-level=high — exit 0
  • Resolved: undici 7.28.0, esbuild 0.28.1, ws 8.21.0

The #270 merge left two "overrides" keys in sdk/typescript/package.json
(one from the HITL/audit branch, one from main). JSON parsers keep only
the last, so the undici pin in the first block was silently shadowed —
the high-severity undici audit fix was surviving only because the
transitive range happened to resolve to the patched 7.28.0, with no
actual pin guarding it.

Consolidate into a single valid overrides block that includes undici
alongside esbuild/ws/uuid. No resolved-version changes (lockfile
unchanged); npm ci + build + 823 unit tests + the
`npm audit --omit=dev --audit-level=high` gate all pass.
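
The duplicate-key shadowing described in this pull request, as an added example that is not part of the PR or the project's code: a small scanner that reports keys repeated within one JSON object, which `JSON.parse` accepts without complaint. The function name `findDuplicateKeys` and the `SAMPLE` manifest are hypothetical and constructed for illustration.

```javascript
// Added example, not the project's code: list keys that occur more than once
// inside the same JSON object. JSON.parse() accepts such input and keeps only
// the last occurrence, which is how a first "overrides" block gets shadowed.
function findDuplicateKeys(text) {
  JSON.parse(text); // throws on invalid JSON, so the scan can assume valid input
  const dups = [];
  const stack = []; // one frame per open object or array
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    const top = stack[stack.length - 1];
    if (c === '"') {
      let j = i + 1; // find the closing quote, stepping over escapes
      while (text[j] !== '"') j += text[j] === '\\' ? 2 : 1;
      if (top && top.isObject && top.expectKey) {
        const key = JSON.parse(text.slice(i, j + 1));
        if (top.keys.has(key)) dups.push({ path: top.path || '/', key });
        top.keys.add(key);
        top.lastKey = key;
        top.expectKey = false; // the next string is this member's value
      }
      i = j;
    } else if (c === '{' || c === '[') {
      const suffix = top ? '/' + (top.isObject ? top.lastKey : '[]') : '';
      stack.push({
        isObject: c === '{',
        expectKey: true,
        keys: new Set(),
        lastKey: null,
        path: (top ? top.path : '') + suffix,
      });
    } else if (c === '}' || c === ']') {
      stack.pop();
    } else if (c === ',' && top && top.isObject) {
      top.expectKey = true; // a comma at object level starts the next member
    }
  }
  return dups;
}

// Constructed sample (not the project's real package.json): two "overrides"
// blocks left by a merge, the first one carrying the undici pin.
const SAMPLE = `{
  "name": "example-sdk",
  "overrides": { "undici": "7.28.0" },
  "dependencies": { "example-dep": "1.0.0" },
  "overrides": { "esbuild": "0.28.1", "ws": "8.21.0" }
}`;

console.log(findDuplicateKeys(SAMPLE));    // what a pre-merge check would flag
console.log(JSON.parse(SAMPLE).overrides); // the block that survives parsing
```

Unlike counting `"overrides"` occurrences with grep, the scan is scoped per object, so the same key name in different nested objects is not reported.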