fix: patch Dependabot critical/high alerts#330
Conversation
Direct bumps:
- next 15.3.8 -> 15.5.19 (clears all 20 direct alerts incl. high)
- kysely -> 0.28.17, eslint-config-next -> 15.5.19

pnpm overrides for vulnerable transitives, each pinned within its current major (security patch level, no breaking upgrades):
- criticals: fast-xml-parser 5.5.6, sha.js 2.4.12, form-data 4.0.6
- highs: axios 1.18.1, ws 7.5.11/8.21.0, socket.io-parser 4.2.6, picomatch 2.3.2, minimatch 3.1.5/9.0.9, lodash 4.18.1, immutable 5.1.9, h3 1.15.11, flatted 3.4.2, defu 6.1.7, base-x 3.0.11, effect 3.21.4, hono 4.12.27, @hono/node-server 1.19.14

Not addressed (need upstream major upgrades, unsafe to force):
- @libp2p/kad-dht (12.x -> 16.x, via @helia/verified-fetch)
- vite (dev-only peer of vitest; needs vitest bump)
Gaston Review
Verdict: Approved
Score: ███████░░░ 7/10
Pull Request Summary
This PR patches Dependabot critical/high alerts by bumping three direct dependencies (next 15.3→15.5, kysely 0.28.0→0.28.17, eslint-config-next 15.5.15→15.5.19) and adding 19 pnpm overrides to force patched versions of transitive dependencies like axios, ws, lodash, minimatch, picomatch, fast-xml-parser, and others.
Review Summary
🟡 Warning — Next.js minor version jump (15.3 → 15.5) bundled with security patches
Bumping Next.js by two minor versions is a bigger change than the other patches here. If this is driven by a specific CVE in Next.js, it's justified. But if it's just opportunistic, consider whether it should be a separate PR with its own verification. Either way, make sure the build and e2e suite pass.
The approach is solid — using pnpm overrides with version-range selectors (e.g. ws@7, ws@8) is the right way to pin transitive dependencies for security patches without waiting for upstream to update. The lockfile consolidation from multiple ws/axios/lodash versions down to single patched versions is clean. My only real concern is the Next.js minor version jump being bundled into what's otherwise a security-only patch PR.
🔍 Reviewed by Gaston
Addresses the open Dependabot alerts (3 critical, 57 high, plus mediums/lows). Almost all are transitive; only next and kysely are direct.

Direct dependency bumps
- next 15.3.8 → 15.5.19 — clears all 20 direct alerts, including every high-severity one (stays on the 15.x major, no v16 jump)
- kysely ^0.28.0 → ^0.28.17 (3 high alerts)
- eslint-config-next 15.5.19 to stay in sync with Next

pnpm.overrides for vulnerable transitives
Each pinned to a security patch within its current major (no breaking upgrades). Where multiple majors coexisted, overrides are scoped per-major.
- criticals: fast-xml-parser 5.5.6 (AWS SDK), sha.js 2.4.12 (Coinbase wallet SDK), form-data 4.0.6 (Coinbase CDP SDK)
- highs: axios 1.18.1, ws 7.5.11 / 8.21.0, socket.io-parser 4.2.6, picomatch 2.3.2, minimatch 3.1.5 / 9.0.9, lodash 4.18.1, immutable 5.1.9, h3 1.15.11, flatted 3.4.2, defu 6.1.7, base-x 3.0.11, effect 3.21.4, hono 4.12.27, @hono/node-server 1.19.14

Not addressed here (need upstream major upgrades, unsafe to force)
- @libp2p/kad-dht (12.x → 16.x, via @helia/verified-fetch); forcing it would likely break IPFS fetch
- Most remaining transitives are deep in the web3 wallet stack (wagmi → @wagmi/connectors → porto / walletconnect / reown / coinbase); the overrides above cover the patchable ones.

Verification
- pnpm typecheck ✅
- pnpm lint ✅
- pnpm test:unit ✅ (285 passed, 1 skipped)

Note: hono/h3 sit in the wallet-connect runtime path (patch-level bumps within the same major), worth a quick wallet-connect smoke test on the preview deploy before merge.
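The per-major pnpm.overrides selectors described in this PR (ws@7 / ws@8, minimatch@3 / minimatch@9) and the verification list above leave one check unstated: confirming that the lockfile actually resolved every overridden package at or above its patched floor, so a stale or partially regenerated pnpm-lock.yaml does not silently keep a vulnerable version. The following is an added example, not code from PR #330 or the project. It assumes a package.json "pnpm.overrides" map and a pnpm-lock.yaml "packages:" section in the shape shown; both are constructed inline, and the floor versions mirror the ones listed in the PR.

```javascript
// Added example, not code from PR #330 or the project: verify that every
// version a pnpm lockfile resolves for an overridden package meets the floor
// declared in package.json "pnpm.overrides". Selector syntax follows pnpm as
// used in the PR: "name" covers all majors, "name@<major>" only that major.

// Constructed override map; the floors mirror the versions listed in the PR.
const OVERRIDES = {
  "ws@7": "7.5.11",
  "ws@8": "8.21.0",
  "minimatch@3": "3.1.5",
  "minimatch@9": "9.0.9",
  lodash: "4.18.1",
  axios: "1.18.1",
};

// Constructed excerpt of a pnpm-lock.yaml (hypothetical, not the project's
// real lockfile). Two entries are deliberately below their floors.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'
packages:
  axios@1.18.1:
    resolution: {integrity: sha512-constructed}
  lodash@4.17.21:
    resolution: {integrity: sha512-constructed}
  minimatch@3.1.5:
    resolution: {integrity: sha512-constructed}
  minimatch@9.0.9:
    resolution: {integrity: sha512-constructed}
  ws@7.5.11:
    resolution: {integrity: sha512-constructed}
  ws@8.18.0(bufferutil@4.0.8):
    resolution: {integrity: sha512-constructed}
  '@hono/node-server@1.19.14':
    resolution: {integrity: sha512-constructed}
snapshots:
  ws@8.18.0(bufferutil@4.0.8): {}
`;

// "1.2.3-beta" -> { nums: [1, 2, 3], pre: true }
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Negative if a < b, 0 if equal, positive if a > b. A prerelease sorts below
// the release with the same numbers, which is what a floor check wants.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

// Only keys inside the top-level "packages:" block are package entries: two
// spaces of indent, "name@version", optional peer suffixes like "(x@1.0.0)",
// then ":". Scanning stops at the next top-level key (e.g. "snapshots:").
function parseLockfilePackages(text) {
  const out = [];
  let inPackages = false;
  for (const line of text.split("\n")) {
    if (/^\S/.test(line)) { inPackages = line.trim() === "packages:"; continue; }
    if (!inPackages) continue;
    const m = /^  '?(@?[^@'\s]+)@(\d+\.\d+\.\d+[^\s:'(]*)(?:\([^)]*\))*'?:\s*$/.exec(line);
    if (m) out.push({ name: m[1], version: m[2] });
  }
  return out;
}

// "ws@7" -> { name: "ws", major: 7 }; "@scope/pkg" -> { name: "@scope/pkg", major: null }
function parseSelector(sel) {
  const at = sel.lastIndexOf("@");
  if (at <= 0) return { name: sel, major: null };
  return { name: sel.slice(0, at), major: Number(sel.slice(at + 1)) };
}

// Returns how many lockfile entries an override applied to, and which of
// those resolved below the override's floor.
function checkLockfile(lockText, overrides) {
  const selectors = Object.entries(overrides).map(([sel, floor]) => ({ ...parseSelector(sel), sel, floor }));
  const violations = [];
  let checked = 0;
  for (const { name, version } of parseLockfilePackages(lockText)) {
    const major = parseVersion(version).nums[0];
    const s = selectors.find((x) => x.name === name && (x.major === null || x.major === major));
    if (!s) continue;
    checked++;
    if (compareVersions(version, s.floor) < 0) {
      violations.push({ name, resolved: version, floor: s.floor, selector: s.sel });
    }
  }
  return { checked, violations };
}

const result = checkLockfile(SAMPLE_LOCKFILE, OVERRIDES);
console.log(`${result.checked} overridden entries checked, ${result.violations.length} below floor`);
for (const v of result.violations) {
  console.log(`  ${v.selector}: resolved ${v.name}@${v.resolved} is below floor ${v.floor}`);
}
```

Run it with node; on a real checkout, replace the two constants by reading pnpm-lock.yaml with fs.readFileSync and package.json's pnpm.overrides with JSON.parse. The parser is deliberately minimal (indent-based, packages block only), so a lockfile layout other than the one assumed here needs the regex adjusted; a violation on the constructed sample is what a stale lockfile would look like after an override was added without re-running pnpm install.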