fix(security): dependabot follow-up — transitive overrides + remove stale npm lockfile#830
Merged
Merged
Conversation
…tale npm lockfile Add pnpm overrides to force transitive copies not covered by the direct-dep bumps in PRs #822/#823/#824: - axios >=1.18.1 (nx pulled vulnerable 1.8.4 transitively) - js-yaml >=4.2.0 (was >=4.1.1, still exposed to CVE-2026-53550 quadratic DoS) - fast-uri, tmp, got, follow-redirects, @opentelemetry/core, h3 Remove packages/shared-lib/package-lock.json — an unused npm lockfile in a pnpm workspace that Dependabot scanned as a separate project, producing duplicate alerts.
…-lib aws-cdk-lib to 2.260
…26x cloud-assembly schema
Ignacio Nistal (ignacionistal)
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Title
fix(security): Dependabot follow-up — transitive overrides + remove stale npm lockfile
Type of Change
Description
The three previous Dependabot PRs (#822 overrides batch, #823 nuxt + aws-cdk-lib, #824 axios) bumped direct dependencies, but ~58 alerts remained on
development. Investigation found three root causes those PRs didn't cover:nx@15.9.7(build tooling) still pulled the vulnerableaxios@1.8.4transitively. A direct-dep pin does not affect transitive copies — a pnpmoverrideis required.packages/shared-lib/package-lock.json(committed once in Sept 2024) is an npm lockfile inside a pnpm workspace. Nothing uses it — all CI runspnpm install --frozen-lockfile— but Dependabot scanned it as a separate project, producing duplicate alerts (minimatch, aws-cdk-lib, js-yaml, uuid, cdk).js-yamloverride was>=4.1.1, which still resolved to the vulnerable4.1.1(exposed to CVE-2026-53550, quadratic-complexity DoS, fixed in 4.2.0).This PR adds/bumps
pnpm.overridesin.projenrc.tsto force the remaining transitive copies to patched versions, and removes the stale lockfile.Overrides added/changed (all in
.projenrc.ts):axios>=1.18.1— forces nx's transitive1.8.4up (prototype-pollution + SSRF/proxy CVE cluster)js-yaml>=4.1.1→>=4.2.0— CVE-2026-53550 quadratic-complexity DoSfast-uri>=3.1.2— path traversal + host confusiontmp>=0.2.6— path traversal + symlink writegot>=11.8.5— redirect-to-UNIX-socketfollow-redirects>=1.16.0— auth-header leak on cross-domain redirect@opentelemetry/core>=2.8.0— unbounded memory allocation in W3C Baggage propagationh3>=1.15.9— request smuggling + path traversal + SSE injectionAlso removed a now-contradictory comment in
.projenrc.tsthat stated@opentelemetry/corewas excluded from overrides.Testing
pnpm exec projen+pnpm install --no-frozen-lockfile.pnpm-lock.yaml:axios@1.18.1(zero copies of1.8.4),js-yaml@5.2.1,h3@1.15.11,fast-uri@4.1.0,tmp@0.2.7,got@15.1.0,follow-redirects@1.16.0,@opentelemetry/core@2.9.0.Impact
packages/shared-lib/package-lock.jsonhas no build effect (it was never consumed) and eliminates a duplicate Dependabot scan target.Additional Information
Some remaining alerts are not resolved by this PR because they are not production-reachable and should be dismissed in the Dependabot UI rather than force-upgraded:
bufargument, so the buffer-bounds advisory is unreachable.ssr: false), so no SSR markup exists. No v2 patch exists (fix is v4-only).@useoptic/optic), deprecated, no fix available.The
@aws-amplify/storage>fast-xml-parserscoped override (4.x) was intentionally left in place: Amplify breaks on fast-xml-parser 5.x, and the XMLBuilder advisory affects XML building while Amplify only parses S3 responses — not reachable.Checklist