
fix(security): add pnpm overrides for esbuild and fast-uri #1467

Open
fro-bot wants to merge 2 commits into main from pr-1463-rebased

Conversation


@fro-bot fro-bot commented Jun 16, 2026


Summary

Rebased version of #1463 (now CONFLICTING due to Renovate lock-file churn). Same intent: add pnpm overrides in pnpm-workspace.yaml for transitive esbuild and fast-uri. Freshly regenerated pnpm-lock.yaml.

Alerts Fixed

| Alert | Severity | Package  | Vulnerable Range    | Patched |
|-------|----------|----------|---------------------|---------|
| #86   | HIGH     | fast-uri | <= 3.1.0            | 3.1.2   |
| #87   | HIGH     | fast-uri | <= 3.1.1            | 3.1.2   |
| #89   | LOW      | esbuild  | >= 0.27.3, < 0.28.1 | 0.28.1  |
| #90   | HIGH     | esbuild  | >= 0.17.0, < 0.28.1 | 0.28.1  |

Details

Both esbuild and fast-uri are transitive dependencies:

  • esbuild: via vite, vitest, @eslint/config-inspector, bundle-require, tsup
  • fast-uri: via ajv (used by eslint)

The overrides follow the same pattern as bfra-me/.github#2292 (esbuild override).

overrides:
  esbuild@>=0.17.0 <0.28.1: '>=0.28.1'
  fast-uri: '>=3.1.2'

Verification

  • pnpm install regenerates lock with esbuild 0.28.1 and fast-uri 3.1.2
  • pnpm-lock.yaml diff: 4 insertions
  • No source code changes — only overrides + lockfile

Notes

This is a minimal security fix. No bulk dependency updates. Only the esbuild + fast-uri overrides were added to resolve the confirmed high-severity advisories.

#1463 should be closed in favor of this PR. Note that #1466 covers the separate vite HIGH/MODERATE alerts (#91, #92) and is independent.

Remediates Dependabot HIGH/LOW security alerts by adding pnpm overrides
that pin transitive esbuild and fast-uri to non-vulnerable versions.

Alerts:
- #86 (HIGH) fast-uri<=3.1.0 host confusion
- #87 (HIGH) fast-uri<=3.1.1 path traversal
- #89 (LOW)  esbuild>=0.27.3 <0.28.1
- #90 (HIGH) esbuild>=0.17.0 <0.28.1

This is the rebased version of #1463 (now CONFLICTING due to Renovate
lock-file churn). Same intent, freshly regenerated lockfile.

Refs:
- https://github.com/bfra-me/github-action/security/dependabot/86
- https://github.com/bfra-me/github-action/security/dependabot/87
- https://github.com/bfra-me/github-action/security/dependabot/89
- https://github.com/bfra-me/github-action/security/dependabot/90

Updates pnpm-lock.yaml to apply the security overrides from #1467
(esbuild@>=0.28.1, fast-uri@>=3.1.2) against current main.

Resolves the merge conflict caused by main adding pnpm-workspace.yaml
with different content (#1472) after the security fix branch was opened.

Refs: #1467
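An added check for the verification step described in this PR (this is example code, not code from the PR or the github-action project): it reads the `packages:` section of a pnpm v9 lockfile and reports any resolved version that still falls inside the vulnerable ranges from the alert table. The lockfile excerpts are constructed (the pre-override versions are hypothetical, the integrity hashes are placeholders); the advisory ranges are the ones the PR lists.

```javascript
// Added example, not code from this PR or project: list the versions a
// pnpm-lock.yaml resolves and flag any inside a vulnerable range, so an
// override's effect can be checked offline. Ranges come from the PR's table.
const ADVISORIES = [
  {id: '#86', pkg: 'fast-uri', vulnerable: '<= 3.1.0'},
  {id: '#87', pkg: 'fast-uri', vulnerable: '<= 3.1.1'},
  {id: '#89', pkg: 'esbuild', vulnerable: '>= 0.27.3, < 0.28.1'},
  {id: '#90', pkg: 'esbuild', vulnerable: '>= 0.17.0, < 0.28.1'},
];
// Minimal semver compare on major.minor.patch; prerelease tags are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  return pa.map((x, i) => x - (pb[i] || 0)).find((d) => d !== 0) || 0;
}
// Comparators that must all hold, as in the override key (">=0.17.0 <0.28.1")
// or as in the alert table (">= 0.17.0, < 0.28.1").
function satisfies(version, range) {
  const clauses = range.replace(/,/g, ' ').replace(/(>=|<=|>|<|=)\s+/g, '$1').trim().split(/\s+/);
  return clauses.every((clause) => {
    const [, op, target] = /^(>=|<=|>|<|=?)(.+)$/.exec(clause);
    const c = compareVersions(version, target);
    return {'>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0, '': c === 0}[op];
  });
}
// Collect `name@version` keys from the `packages:` section of a pnpm v9
// lockfile (keys look like `  esbuild@0.28.1:` or `  '@scope/pkg@1.2.3':`).
function resolvedVersions(lockText) {
  const found = []; let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:');
    const m = inPackages && /^  '?(@?[^@'( ]+)@([^'(: ]+)/.exec(line);
    if (m) found.push({name: m[1], version: m[2]});
  }
  return found;
}
// One finding per (resolved version, matching advisory) pair.
function auditLock(lockText, advisories = ADVISORIES) {
  return resolvedVersions(lockText).flatMap(({name, version}) =>
    advisories
      .filter((a) => a.pkg === name && satisfies(version, a.vulnerable))
      .map((a) => ({alert: a.id, pkg: name, version})));
}
// Constructed excerpts: hypothetical pre-override versions, then the
// versions this PR pins (esbuild 0.28.1, fast-uri 3.1.2).
const LOCK_BEFORE = `lockfileVersion: '9.0'
packages:
  esbuild@0.25.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  fast-uri@3.0.6:
    resolution: {integrity: sha512-PLACEHOLDER}
`;
const LOCK_AFTER = LOCK_BEFORE.replaceAll('0.25.0', '0.28.1').replaceAll('3.0.6', '3.1.2');
console.log(auditLock(LOCK_BEFORE)); // #90 for esbuild 0.25.0, #86 and #87 for fast-uri 3.0.6
console.log(auditLock(LOCK_AFTER));  // []
```

Run it against the real pnpm-lock.yaml by reading the file into `auditLock`; a `snapshots:` section is deliberately skipped because its keys carry peer-dependency suffixes and repeat the same versions.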

fro-bot commented Jun 25, 2026


fro-bot: lockfile regenerated against current main

The structural add/add conflict on pnpm-workspace.yaml is unchanged (both this branch and main originally created that file from an empty base in their first commit), so the GitHub merge button will still report CONFLICTING.

File content is now correct: pnpm-workspace.yaml on this branch already contains main's configuration plus the overrides: section (esbuild@>=0.28.1, fast-uri@>=3.1.2).

Lockfile regenerated: This push adds 21b7f3e fix(security): regenerate lockfile with esbuild/fast-uri overrides, which:

Recommended manual merge step: When the GitHub merge button is clicked, choose Use the pull request's version for pnpm-workspace.yaml (since this branch's version already matches main's content + the security overrides). The lockfile merge should auto-resolve since this branch's lockfile is derived from main.

Verification:
