
fix: resolve all pnpm audit vulnerabilities#350

Merged
saltenasl merged 4 commits into
mainfrom
fix/audit-vulnerabilities
Mar 26, 2026

Conversation

@jamesbhobbs

@jamesbhobbs jamesbhobbs commented Mar 26, 2026

Contributor

Summary

Test plan

  • pnpm audit returns no vulnerabilities
  • pnpm audit --prod returns no vulnerabilities
  • All tests pass (2112 tests)
  • Lint, typecheck, and spell-check pass

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Released patch versions across all application modules with enhanced dependency management.
    • Updated core package dependencies to improve overall system stability, security, and compatibility.
    • Refined dependency version constraints to ensure consistent and reliable integration across the entire project.

Bump hono override to >=4.12.7 (GHSA-v8w9-8mx6-g223) and yaml to
^2.8.3 (GHSA-48c2-rrv3-qjmp) across all workspace packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@coderabbitai

coderabbitai Bot commented Mar 26, 2026

Contributor

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 4492b56 and 71cedcb.

📒 Files selected for processing (4)
  • packages/blocks/package.json
  • packages/cli/package.json
  • packages/convert/package.json
  • packages/mcp/package.json

📝 Walkthrough

Walkthrough

This PR updates dependency constraints and package versions. The root package.json expands pnpm.overrides with minimum versions for flatted (>=3.4.2), picomatch (>=4.0.4), smol-toml (>=1.6.1), and yaml (>=2.8.3), and updates hono from >=4.12.4 to >=4.12.7 while keeping the existing rollup override. Four workspace packages—packages/blocks, packages/cli, packages/convert, and packages/mcp—bump their package versions and update yaml to ^2.8.3 (mcp from ^2.8.0, others from ^2.8.1). cspell.json adds the word "smol".
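The root package.json override block that the walkthrough describes, written out here as an added illustration rather than copied from the PR's diff. The rollup entry is listed because the walkthrough says the existing override was kept, but its value does not appear on this page, so it is a placeholder.

```json
{
  "pnpm": {
    "overrides": {
      "rollup": "<existing rollup override; value not shown on this page>",
      "hono": ">=4.12.7",
      "flatted": ">=3.4.2",
      "picomatch": ">=4.0.4",
      "smol-toml": ">=1.6.1",
      "yaml": ">=2.8.3"
    }
  }
}
```

pnpm applies these floors to every transitive occurrence of the named packages in the lockfile, which is why the direct `yaml` ranges in the four workspace packages are bumped to `^2.8.3` in the same change so that declared and resolved versions agree.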

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and directly describes the main change: resolving pnpm audit vulnerabilities through dependency updates across the codebase.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Updates Docs: ✅ Passed. This PR is a security fix resolving audit vulnerabilities through dependency updates, not a feature implementation, so documentation updates are not required.


@codecov

codecov Bot commented Mar 26, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.70%. Comparing base (72a25a6) to head (71cedcb).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #350   +/-   ##
=======================================
  Coverage   82.70%   82.70%           
=======================================
  Files         126      126           
  Lines        7616     7616           
  Branches     2054     2054           
=======================================
  Hits         6299     6299           
  Misses       1316     1316           
  Partials        1        1           


coderabbitai[bot]
coderabbitai Bot previously approved these changes Mar 26, 2026
jamesbhobbs and others added 2 commits March 26, 2026 12:44
…ities

Add pnpm overrides for transitive devDependency vulnerabilities:
- flatted >=3.4.2 (GHSA-25h7-pfq9-p65f, GHSA-rf6f-7fwh-wjgh)
- picomatch >=4.0.4 (GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p)
- smol-toml >=1.6.1 (GHSA-v3rj-xjv7-4jmq)
- yaml >=2.8.3 (GHSA-48c2-rrv3-qjmp via lint-staged)

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@jamesbhobbs jamesbhobbs changed the title fix: resolve hono and yaml audit vulnerabilities fix: resolve all pnpm audit vulnerabilities Mar 26, 2026
coderabbitai[bot]
coderabbitai Bot previously approved these changes Mar 26, 2026
@jamesbhobbs jamesbhobbs marked this pull request as ready for review March 26, 2026 12:51
@jamesbhobbs jamesbhobbs requested a review from a team as a code owner March 26, 2026 12:51
@saltenasl saltenasl merged commit b4c78a5 into main Mar 26, 2026
21 checks passed
@saltenasl saltenasl deleted the fix/audit-vulnerabilities branch March 26, 2026 13:11
