2 changes: 1 addition & 1 deletion .gitignore
@@ -12,6 +12,7 @@ pnpm-lock.yaml
yarn.lock
!iii-database/tests/e2e/workers/harness/package-lock.json
!shell/tests/e2e/workers/harness/package-lock.json
!console/web/pnpm-lock.yaml

# Python
.venv/
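Review bot: the new `!console/web/pnpm-lock.yaml` negation un-ignores the lockfile, but this PR touches only `.gitignore` and `console/web/package.json`, so the lockfile itself is not added in the same change; commit `console/web/pnpm-lock.yaml` alongside this (the pattern it overrides is the file-level `pnpm-lock.yaml` shown in the hunk header, not a directory, so the negation will take effect). A committed lockfile is what lets CI run `pnpm install --frozen-lockfile` and fail on resolved versions or integrity hashes that differ from what was reviewed, which is the main supply-chain benefit of tracking it.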
@@ -46,7 +47,6 @@ engine.pid
/config.yaml
# harness/config.yaml is generated by `make engine` via `iii worker add .`
harness/config.yaml
playground/

# Tooling / agent scratch
.claude/
1 change: 1 addition & 0 deletions console/web/package.json
@@ -3,6 +3,7 @@
"private": true,
"version": "0.0.0",
"type": "module",
"packageManager": "pnpm@10.18.2",
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify pnpm version exists and check for latest stable version

# Check if version 10.18.2 exists on npm
echo "=== Checking if pnpm@10.18.2 exists ==="
npm view pnpm@10.18.2 version 2>/dev/null || echo "Version not found"

# Get latest pnpm version
echo -e "\n=== Latest pnpm version ==="
npm view pnpm version

# Check for security advisories
echo -e "\n=== Security advisories for pnpm ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: NPM, package: "pnpm") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: iii-hq/workers

Length of output: 1427


Upgrade pnpm to version 11.1.2 (or minimum 10.28.2) to address multiple security vulnerabilities.

pnpm@10.18.2 contains five known MODERATE severity path traversal vulnerabilities that allow arbitrary file writes/creation via ZIP extraction, permission modification, and symlink traversal. Fixed in 10.28.1 (for some) and 10.28.2 (for others). Latest stable is 11.1.2, which should be used instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@console/web/package.json` at line 6, the package.json's packageManager field
currently pins pnpm@10.18.2 which has known security vulnerabilities; update the
"packageManager" value (the packageManager key in package.json) to "pnpm@11.1.2"
(or at minimum "pnpm@10.28.2") to pull a fixed pnpm version, then regenerate any
lockfiles / run the install (pnpm install) to ensure the updated manager/version
is used across the project.

"scripts": {
"dev": "vite",
"build": "tsc -b && vite build",
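Review bot: beyond the version bump requested above, the `"packageManager": "pnpm@10.18.2"` pin is only enforced when Corepack is enabled (`corepack enable`) or when a pnpm that honours the field is already installed, so CI and developer setup docs should run `corepack enable` before `pnpm install` or a different pnpm may silently be used. Consider pinning with the integrity suffix Corepack accepts (`"packageManager": "pnpm@<version>+sha512.<hash>"`, hash taken from the npm registry entry for that version) so the downloaded package manager is verified before it runs.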