Skip to content

Commit 3b14e9d

Browse files
MarcAstr0claude
andcommitted
Refresh deps: bump cdktn 0.23, Effect patches, +11 security overrides
Eliminates the new shell-quote critical (GHSA-58qx-3vcg-4xpx) and reduces total vulns 35->21 (0 critical, 10 high). All 398 tests passing across framework-types, -core, -provider-azure, and -provider-azure-infrastructure. - cdktn 0.22.1 -> 0.23.3 (providers azurerm v15->v16, null/time v12->v13) - Effect ecosystem patch bumps within @effect/platform-node <0.76 ceiling (effect 3.20.0->3.21.3, @effect/cli, @effect/printer*, @effect/typeclass, @effect/platform-node 0.75.0->0.75.4) - uuid 11.0.5 -> 11.1.1 - .pnpmfile.cjs: add overrides for shell-quote, tar, serialize-javascript, flatted, minimatch, brace-expansion, ws, nanoid, js-yaml, yaml, follow-redirects; tighten qs >=6.15.2 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 89055ff commit 3b14e9d

6 files changed

Lines changed: 830 additions & 1593 deletions

File tree

common/config/rush/.pnpmfile.cjs

Lines changed: 21 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -37,14 +37,27 @@ function readPackage(packageJson, context) {
3737
// Security overrides for transitive dependencies (high/critical vulnerabilities).
3838
// Each entry targets a specific major version line to avoid breaking cross-major deps.
3939
const securityOverrides = [
40-
{ pkg: 'form-data', major: '4', minSafe: '>=4.0.4 <5.0.0' }, // GHSA-fjxv-7rqg-78g4 (critical)
41-
{ pkg: 'axios', major: '1', minSafe: '>=1.12.0 <2.0.0' }, // GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 (high)
42-
{ pkg: 'tar-fs', major: '2', minSafe: '>=2.1.4 <3.0.0' }, // GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v (high)
43-
{ pkg: 'glob', major: '10', minSafe: '>=10.5.0 <11.0.0' }, // GHSA-5j98-mcp5-4vw2 (high)
44-
{ pkg: 'qs', major: '6', minSafe: '>=6.14.1 <7.0.0' }, // GHSA-6rw7-vpxm-498p (high)
45-
{ pkg: 'jws', major: '3', minSafe: '>=3.2.3 <4.0.0' }, // GHSA-869p-cjfg-cm3x (high)
46-
{ pkg: 'jws', major: '4', minSafe: '>=4.0.1 <5.0.0' }, // GHSA-869p-cjfg-cm3x (high)
47-
{ pkg: 'undici', major: '7', minSafe: '>=7.24.0 <8.0.0' }, // GHSA-f269, GHSA-vrm6, GHSA-v9p9 (high)
40+
{ pkg: 'form-data', major: '4', minSafe: '>=4.0.4 <5.0.0' }, // GHSA-fjxv-7rqg-78g4 (critical)
41+
{ pkg: 'axios', major: '1', minSafe: '>=1.12.0 <2.0.0' }, // GHSA-4hjh-wcwx-xvwj, GHSA-jr5f-v2jv-69x6 (high)
42+
{ pkg: 'tar-fs', major: '2', minSafe: '>=2.1.4 <3.0.0' }, // GHSA-vj76-c3g6-qr5v, GHSA-8cj5-5rvv-wf4v (high)
43+
{ pkg: 'glob', major: '10', minSafe: '>=10.5.0 <11.0.0' }, // GHSA-5j98-mcp5-4vw2 (high)
44+
{ pkg: 'qs', major: '6', minSafe: '>=6.15.2 <7.0.0' }, // GHSA-q8mj-m7cp-5q26 (moderate)
45+
{ pkg: 'jws', major: '3', minSafe: '>=3.2.3 <4.0.0' }, // GHSA-869p-cjfg-cm3x (high)
46+
{ pkg: 'jws', major: '4', minSafe: '>=4.0.1 <5.0.0' }, // GHSA-869p-cjfg-cm3x (high)
47+
{ pkg: 'undici', major: '7', minSafe: '>=7.24.0 <8.0.0' }, // GHSA-f269, GHSA-vrm6, GHSA-v9p9 (high)
48+
{ pkg: 'shell-quote', major: '1', minSafe: '>=1.8.4 <2.0.0' }, // GHSA-58qx-3vcg-4xpx (critical)
49+
{ pkg: 'tar', major: '6', minSafe: '>=6.2.1 <7.0.0' }, // CVE-2024-28863 etc.
50+
{ pkg: 'tar', major: '7', minSafe: '>=7.5.11 <8.0.0' }, // GHSA series on tar 7.x (high)
51+
{ pkg: 'serialize-javascript',major: '6', minSafe: '>=6.0.2 <7.0.0' }, // GHSA-76p7-773f-r4q5 (moderate)
52+
{ pkg: 'serialize-javascript',major: '7', minSafe: '>=7.0.5 <8.0.0' }, // GHSA on 7.x (high)
53+
{ pkg: 'flatted', major: '3', minSafe: '>=3.4.2 <4.0.0' }, // GHSA on flatted (high)
54+
{ pkg: 'minimatch', major: '5', minSafe: '>=5.1.8 <6.0.0' }, // GHSA series on minimatch 5 (high)
55+
{ pkg: 'brace-expansion', major: '5', minSafe: '>=5.0.6 <6.0.0' }, // GHSA-jxxr-4gwj-5jf2 (moderate)
56+
{ pkg: 'ws', major: '8', minSafe: '>=8.20.1 <9.0.0' }, // GHSA on ws 8.x (moderate)
57+
{ pkg: 'nanoid', major: '3', minSafe: '>=3.3.8 <4.0.0' }, // GHSA on nanoid (moderate); replaces prior >=3.1.31 pin
58+
{ pkg: 'js-yaml', major: '4', minSafe: '>=4.1.1 <5.0.0' }, // GHSA on js-yaml (moderate)
59+
{ pkg: 'yaml', major: '1', minSafe: '>=1.10.3 <2.0.0' }, // GHSA on yaml 1.x (moderate)
60+
{ pkg: 'follow-redirects', major: '1', minSafe: '>=1.16.0 <2.0.0' }, // GHSA on follow-redirects (moderate)
4861
];
4962

5063
for (const { pkg, major, minSafe } of securityOverrides) {

0 commit comments

Comments
 (0)