Scope the transitive Dependabot overrides to their vulnerable chains #114
Merged
The ws, js-yaml, and esbuild pins from #113 were global overrides, so they would silently apply to any future or runtime dependency path, not just the tooling chains that actually pull the vulnerable versions. Replace them with pnpm selector overrides targeting exactly the chains the lockfile reports:

- ws -> miniflare, storybook, @vitest/browser, @voidzero-dev/vite-plus-test
- js-yaml -> @changesets/parse, read-yaml-file
- esbuild -> storybook, @storybook/csf-plugin, vite, @voidzero-dev/vite-plus-core, wrangler

The lockfile still resolves each package to a single patched version (ws@8.21.0, js-yaml@4.2.0, esbuild@0.28.1), so the security outcome is unchanged while the blast radius stays explicit and small.
📚 Storybook preview: https://pr-114-propel-storybook.vamsi-906.workers.dev
Pull request overview
This PR narrows previously-global pnpm overrides for transitive security pins (ws, js-yaml, esbuild) so they apply only to the specific dependency chains that currently pull vulnerable versions, reducing the chance of unintended future/runtime impact.
Changes:
- Replaced global overrides with pnpm selector overrides (e.g. `miniflare>ws`) for `ws`, `js-yaml`, and `esbuild`.
- Added inline guidance in `pnpm-workspace.yaml` on keeping scoped pins aligned with the lockfile's reported chains.
- Regenerated `pnpm-lock.yaml` so the lockfile `overrides` metadata matches the scoped selectors (no dependency graph churn).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Replaces global overrides with selector-scoped transitive security pins and documents maintenance guidance. |
| pnpm-lock.yaml | Updates the lockfile overrides block to reflect the new selector-scoped overrides. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
Follow-up to #113. Copilot's review there flagged that the `ws`, `js-yaml`, and `esbuild` pins were added as global pnpm `overrides`, which is broader than intended: a global override silently applies to any future or runtime dependency path, not just the tooling chains that actually pull the vulnerable versions today.

This scopes each pin to the specific transitive chains the lockfile reports, using pnpm selector overrides:

| Package | Pinned version | Scoped to (direct dependents) |
|---|---|---|
| ws | 8.21.0 | miniflare, storybook, @vitest/browser, @voidzero-dev/vite-plus-test |
| js-yaml | 4.2.0 | @changesets/parse, read-yaml-file |
| esbuild | 0.28.1 | storybook, @storybook/csf-plugin, vite, @voidzero-dev/vite-plus-core, wrangler |

The chains were derived from the current lockfile (the direct dependents of each package), not guessed.
Verification
After regenerating the lockfile, each package still resolves to a single patched version with no vulnerable version reintroduced:
- ws → only 8.21.0
- js-yaml → only 4.2.0
- esbuild → only 0.28.1

The lockfile diff is just the overrides metadata block (no snapshot/version churn), since the scoped overrides resolve identically to the global ones. Same security outcome, smaller and explicit blast radius.
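The verification step above (each pinned package resolves to exactly one patched version, and the lockfile's `overrides` block mirrors the scoped selectors in `pnpm-workspace.yaml`) can be mechanized so it runs in CI instead of being eyeballed after `pnpm install`. The script below is an added example, not code from this PR or the project; it works on a constructed excerpt in pnpm lockfile v9 layout, uses a hypothetical subset of the selectors (`miniflare>ws`, `@changesets/parse>js-yaml`, `vite>esbuild`) rather than the PR's full list, and assumes the `packages:` block lists entries as `name@version:` keys. It reports a problem when a vulnerable version is reintroduced on any path or when the workspace and lockfile override sets drift apart.

```python
"""Check that scoped pnpm security pins resolve to one patched version each."""
import re

# Constructed lockfile excerpt in pnpm lockfile v9 layout; not the project's real lockfile.
LOCKFILE = """\
lockfileVersion: '9.0'

overrides:
  miniflare>ws: 8.21.0
  '@changesets/parse>js-yaml': 4.2.0
  vite>esbuild: 0.28.1

packages:

  '@changesets/parse@0.4.0':
    resolution: {integrity: sha512-constructed}

  esbuild@0.28.1:
    resolution: {integrity: sha512-constructed}

  js-yaml@4.2.0:
    resolution: {integrity: sha512-constructed}

  miniflare@4.0.0:
    resolution: {integrity: sha512-constructed}

  ws@8.21.0:
    resolution: {integrity: sha512-constructed}

snapshots:

  ws@8.21.0: {}
"""

# Scoped pins as they would sit under `overrides:` in pnpm-workspace.yaml.
# Hypothetical subset of the PR's selectors, chosen to match the constructed excerpt.
EXPECTED_OVERRIDES = {
    "miniflare>ws": "8.21.0",
    "@changesets/parse>js-yaml": "4.2.0",
    "vite>esbuild": "0.28.1",
}


def section(text, name):
    """Body of a top-level `name:` block: everything up to the next unindented key."""
    m = re.search(rf"^{re.escape(name)}:\n(.*?)(?=^\S|\Z)", text, re.M | re.S)
    return m.group(1) if m else ""


def resolved_versions(lockfile, pkg):
    """Distinct versions of `pkg` present in the lockfile's `packages:` block.

    Keys look like `ws@8.21.0:` or `'@scope/name@1.2.3':`; a peer suffix such as
    `ws@8.21.0(bufferutil@4.0.8)` is cut off at the opening parenthesis.
    """
    body = section(lockfile, "packages")
    pat = re.compile(rf"^  '?{re.escape(pkg)}@([^'(:\s]+)", re.M)
    return sorted(set(pat.findall(body)))


def lockfile_overrides(lockfile):
    """Parse the `overrides:` metadata block into {selector: version}."""
    out = {}
    for line in section(lockfile, "overrides").splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(": ")
        out[key.strip("'\"")] = value.strip().strip("'\"")
    return out


def check_pins(lockfile, expected):
    """Return a list of problems; an empty list means every pin holds.

    Two conditions are checked: the lockfile's overrides block matches the
    workspace selectors, and each pinned package resolves only to its patched
    version (so no vulnerable copy survives on an unscoped path).
    """
    problems = []
    actual = lockfile_overrides(lockfile)
    if actual != expected:
        problems.append(f"lockfile overrides {actual} != workspace overrides {expected}")
    for selector, patched in expected.items():
        pkg = selector.split(">")[-1]  # child package of the `parent>child` selector
        versions = resolved_versions(lockfile, pkg)
        if versions != [patched]:
            problems.append(f"{pkg}: resolved {versions}, expected only [{patched}]")
    return problems


if __name__ == "__main__":
    found = check_pins(LOCKFILE, EXPECTED_OVERRIDES)
    print("ok: all scoped pins resolve to their patched versions" if not found else "\n".join(found))
```

Run it against the real `pnpm-lock.yaml` by reading the file into `LOCKFILE` and loading `EXPECTED_OVERRIDES` from the `overrides:` map in `pnpm-workspace.yaml`; a non-empty result is the signal that a newly added dependency path has pulled the package in outside the scoped selectors and needs its own selector (or a patched upstream) before merge.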