Context
PR #XX added pnpm.overrides in the root package.json to patch transitive dependency vulnerabilities (Dependabot alerts #1–#6).
These overrides are a workaround, not a permanent fix. They should be removed once the direct dependencies ship versions that pull in the patched transitive deps naturally.
Overrides to track
| Override | Patched version | Upstream dependency | Remove when |
|---|---|---|---|
| picomatch@<2.3.2 → 2.3.2 | 2.3.2 | @changesets/cli → micromatch | micromatch depends on picomatch@>=2.3.2 |
| picomatch@>=4.0.0 <4.0.4 → 4.0.4 | 4.0.4 | Various (tinyglobby, fdir) | Upstream deps require picomatch@>=4.0.4 |
| brace-expansion@>=5.0.0 <5.0.5 → 5.0.5 | 5.0.5 | ultracite → glob → minimatch | minimatch depends on brace-expansion@>=5.0.5 |
| yaml@>=2.0.0 <2.8.3 → 2.8.3 | 2.8.3 | vitest → vite | vite depends on yaml@>=2.8.3 |
Action
Periodically check if upstream has caught up. When all four are resolved:
- Remove the pnpm.overrides block from root package.json
- Run pnpm install and verify no Dependabot alerts remain
- Close this issue
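As an added example (not code from the issue or the project), a small Node script that applies the "Remove when" rule from the table: for each override it looks at the range the upstream package itself declares for the vulnerable dependency and reports whether the override is still needed. The manifest contents below are constructed placeholders; in the repo you would load node_modules/<upstream>/package.json after pnpm install.

```javascript
// Overrides from the issue's table: vulnerable dep, patched floor, and the
// upstream package whose declared range must catch up before removal.
const OVERRIDES = [
  { dep: 'picomatch', patched: '2.3.2', upstream: 'micromatch' },
  { dep: 'picomatch', patched: '4.0.4', upstream: 'tinyglobby' },
  { dep: 'brace-expansion', patched: '5.0.5', upstream: 'minimatch' },
  { dep: 'yaml', patched: '2.8.3', upstream: 'vite' },
];

// Constructed sample manifests (placeholder ranges, not the real packages'
// current contents). Replace with the parsed node_modules/<name>/package.json.
const SAMPLE_MANIFESTS = {
  micromatch: { dependencies: { picomatch: '^2.3.1' } },
  tinyglobby: { dependencies: { picomatch: '^4.0.4' } },
  minimatch: { dependencies: { 'brace-expansion': '^5.0.5' } },
  vite: { optionalDependencies: { yaml: '>=2.8.3' } },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Lowest version a simple range can resolve to (floor of ^, ~, >= or an exact
// pin). Compound ranges ("||", "x", "*") are not handled and yield null.
function rangeFloor(range) {
  const m = /^(\^|~|>=|=)?\s*v?(\d+\.\d+\.\d+)/.exec(range.trim());
  return m ? parseVersion(m[2]) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// 'removable' when the upstream's own range can no longer select a vulnerable
// version, 'still-needed' when its floor is below the patched version, and
// 'unknown' when the package or its range cannot be evaluated (check by hand).
function overrideStatus(override, manifests) {
  const pkg = manifests[override.upstream];
  const declared = pkg && ['dependencies', 'optionalDependencies', 'peerDependencies']
    .map((k) => pkg[k] && pkg[k][override.dep]).find(Boolean);
  if (!declared) return 'unknown';
  const floor = rangeFloor(declared);
  if (!floor) return 'unknown';
  return compare(floor, parseVersion(override.patched)) >= 0 ? 'removable' : 'still-needed';
}

function report(manifests = SAMPLE_MANIFESTS) {
  return OVERRIDES.map((o) => ({ ...o, status: overrideStatus(o, manifests) }));
}

console.table(report());
```

Only remove the whole pnpm.overrides block once every row reports removable; a single still-needed row means a fresh install could resolve the vulnerable version again.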
Labels
maintenance, dependencies