From 22d26948e71720c06f01a7bb9451fdb08387e2a0 Mon Sep 17 00:00:00 2001
From: Aaron Reisman
Date: Wed, 17 Jun 2026 16:56:13 +0700
Subject: [PATCH] Scope the transitive Dependabot overrides to their vulnerable chains

The ws, js-yaml, and esbuild pins from #113 were global overrides, so they would silently apply to any future or runtime dependency path, not just the tooling chains that actually pull the vulnerable versions. Replace them with pnpm selector overrides targeting exactly the chains the lockfile reports:

ws -> miniflare, storybook, @vitest/browser, @voidzero-dev/vite-plus-test
js-yaml -> @changesets/parse, read-yaml-file
esbuild -> storybook, @storybook/csf-plugin, vite, @voidzero-dev/vite-plus-core, wrangler

The lockfile still resolves each package to a single patched version (ws@8.21.0, js-yaml@4.2.0, esbuild@0.28.1), so the security outcome is unchanged while the blast radius stays explicit and small.
---
 pnpm-lock.yaml | 14 +++++++++++---
 pnpm-workspace.yaml | 18 +++++++++++++++---
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a414bde9..825632dc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -11,11 +11,19 @@ catalogs:
 version: 0.1.24
 overrides:
- esbuild: 0.28.1
- js-yaml: 4.2.0
 vite: npm:@voidzero-dev/vite-plus-core@latest
 vitest: npm:@voidzero-dev/vite-plus-test@latest
- ws: 8.21.0
+ miniflare>ws: 8.21.0
+ storybook>ws: 8.21.0
+ '@vitest/browser>ws': 8.21.0
+ '@voidzero-dev/vite-plus-test>ws': 8.21.0
+ '@changesets/parse>js-yaml': 4.2.0
+ read-yaml-file>js-yaml: 4.2.0
+ storybook>esbuild: 0.28.1
+ '@storybook/csf-plugin>esbuild': 0.28.1
+ vite>esbuild: 0.28.1
+ '@voidzero-dev/vite-plus-core>esbuild': 0.28.1
+ wrangler>esbuild: 0.28.1
 importers:
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f613d1c4..bd9403db 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -13,11 +13,23 @@ catalog:
 vite-plus: latest
 overrides:
- esbuild: 0.28.1
- js-yaml: 4.2.0
 vite: "catalog:"
 vitest: "catalog:"
- ws: 8.21.0
+ # Transitive Dependabot security pins, scoped to the specific chains that pull the
+ # vulnerable versions so the override can't silently apply to a future or runtime
+ # dependency path. Regenerate the lockfile after editing, and keep these in sync with
+ # the chains reported by the lockfile (search the snapshots for the package).
+ "miniflare>ws": 8.21.0
+ "storybook>ws": 8.21.0
+ "@vitest/browser>ws": 8.21.0
+ "@voidzero-dev/vite-plus-test>ws": 8.21.0
+ "@changesets/parse>js-yaml": 4.2.0
+ "read-yaml-file>js-yaml": 4.2.0
+ "storybook>esbuild": 0.28.1
+ "@storybook/csf-plugin>esbuild": 0.28.1
+ "vite>esbuild": 0.28.1
+ "@voidzero-dev/vite-plus-core>esbuild": 0.28.1
+ "wrangler>esbuild": 0.28.1
 peerDependencyRules:
 allowAny:
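Review bot: With the selector form, any dependency path to ws, js-yaml or esbuild that is not in this list resolves unpatched, and the only guard the hunk leaves is the comment asking maintainers to keep the list in sync by hand. A CI backstop such as `pnpm audit --audit-level=high` (or a lockfile check that no other resolved version of these three packages appears) would catch a new chain before it ships; consider naming it in the comment, e.g. `# Paths not listed here are NOT pinned; the CI audit step is the backstop.` The `"vite>esbuild"` selector may also be inert, because `vite` is aliased to `@voidzero-dev/vite-plus-core` by the override above and that package already has its own `>esbuild` entry — worth confirming against the lockfile snapshots and dropping it if it matches nothing. Exact pins (`8.21.0`) rather than floors (`>=8.21.0`) will also force a parent that later requests a newer ws back down to this version, so a range is usually the better fit for a security floor. The `overrides:` mapping and the surrounding `catalog:` and `peerDependencyRules:` stanzas start and end outside the hunk.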