From 3290366c787b9457cabe405bd2c8494f5e389c1d Mon Sep 17 00:00:00 2001 
From: Alex Villarreal <716334+alexvy86@users.noreply.github.com>
Date: Tue, 14 Apr 2026 22:09:49 +0000
Subject: [PATCH] Move pnpm overrides from package.json to pnpm-workspace.yaml

pnpm v10 supports overrides natively in pnpm-workspace.yaml, which is their canonical location going forward. This moves all `pnpm.overrides` entries and their associated comment arrays from package.json to the corresponding pnpm-workspace.yaml across all 14 workspaces. YAML comments replace the JSON comment arrays (comments, commentsOverrides, overrideComments, overridesComments) so the documentation for each override is preserved inline next to the override it describes. Where onlyBuiltDependencies was already duplicated between package.json and pnpm-workspace.yaml, the package.json copy is removed since the yaml is the authoritative source.
Co-Authored-By: Claude Opus 4.6
---
 build-tools/package.json | 46 ----------
 build-tools/pnpm-workspace.yaml | 73 ++++++++++++++++
 common/build/eslint-config-fluid/package.json | 23 -----
 .../eslint-config-fluid/pnpm-workspace.yaml | 28 ++++++
 common/build/eslint-plugin-fluid/package.json | 30 +------
 .../eslint-plugin-fluid/pnpm-workspace.yaml | 34 ++++++++
 common/lib/common-utils/package.json | 35 --------
 common/lib/common-utils/pnpm-workspace.yaml | 51 +++++++++++
 common/lib/protocol-definitions/package.json | 33 -------
 .../protocol-definitions/pnpm-workspace.yaml | 48 +++++++++++
 docs/package.json | 51 -----------
 docs/pnpm-workspace.yaml | 62 ++++++++++++-
 package.json | 53 ------------
 pnpm-workspace.yaml | 85 ++++++++++++++++++
 server/gitrest/package.json | 50 +---------
 server/gitrest/pnpm-workspace.yaml | 63 +++++++++++++-
 server/historian/package.json | 58 +------------
 server/historian/pnpm-workspace.yaml | 74 +++++++++++++++-
 server/routerlicious/package.json | 73 +--------------
 server/routerlicious/pnpm-workspace.yaml | 86 ++++++++++++++++++-
 tools/api-markdown-documenter/package.json | 30 -------
 .../pnpm-workspace.yaml | 33 
++++++-
 tools/benchmark/package.json | 29 +------
 tools/benchmark/pnpm-workspace.yaml | 30 ++++++-
 tools/getkeys/package.json | 24 +-----
 tools/getkeys/pnpm-workspace.yaml | 24 +++++-
 tools/test-tools/package.json | 28 +-----
 tools/test-tools/pnpm-workspace.yaml | 28 +++++-
 28 files changed, 702 insertions(+), 580 deletions(-)

diff --git a/build-tools/package.json b/build-tools/package.json
index 61fd302aec4b..ea71f9328b2f 100644
--- a/build-tools/package.json
+++ b/build-tools/package.json
@@ -145,52 +145,6 @@
 "@aws-sdk/*"
 ]
 },
- "overrideComments": [
- "eslint: jssm-viz-cli brings in ESLint 8.x as a transitive dependency. Force ESLint 9.x to ensure consistent version across the workspace.",
- "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce lockfile churn since the deps release very frequently.",
- "@types/node: To avoid duplicating the oclif package and adding a bunch of dependencies, force @types/node to a single version. For some reason version 22.8.0 can't be overridden, so use that to ensure a single version",
- "@types/minimatch: @types/glob@7.x uses minimatch.IOptions and minimatch.IMinimatch interfaces. Force @types/minimatch@5 which includes these legacy type definitions.",
- "mdast-util-gfm-footnote: mdast-util-gfm@3.1.0 has a type definition bug where it imports ToMarkdownOptions from mdast-util-gfm-footnote, but version 2.0.0 doesn't export it. Override to 2.1.0 which includes the missing export.",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
- "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.",
- "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "@types/glob>@types/minimatch": "~5.1.2",
- "diff@>=4 <5": "^4.0.4",
- "diff@>=7 <8": "^8.0.3",
- "diff@>=8 <9": "^8.0.3",
- "@types/node": "~22.19.17",
- "eslint": "~9.39.2",
- "json5@<1.0.2": "^1.0.2",
- "json5@>=2.0.0 <2.2.2": "^2.2.2",
- "mdast-util-gfm-footnote": "^2.1.0",
- "js-yaml@<4": "^3.14.2",
- "js-yaml@>=4": "^4.1.1",
- "jws": "^3.2.3",
- "mdast-util-to-hast": "^13.2.1",
- "oclif>@aws-sdk/client-cloudfront": "-",
- "oclif>@aws-sdk/client-s3": "-",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "sharp": "^0.34.5",
- "tar": "^7.5.11",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
 "updateConfig": {
 "ignoreDependencies": [
 "latest-version",
diff --git a/build-tools/pnpm-workspace.yaml b/build-tools/pnpm-workspace.yaml
index 69cbc40ee56b..2b491669ff48 100644
--- a/build-tools/pnpm-workspace.yaml
+++ b/build-tools/pnpm-workspace.yaml
@@ -17,3 +17,76 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # @types/minimatch: @types/glob@7.x uses minimatch.IOptions and minimatch.IMinimatch interfaces.
+ # Force @types/minimatch@5 which includes these legacy type definitions.
+ "@types/glob>@types/minimatch": "~5.1.2"
+
+ # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix
+ # so it is bumped to 8.0.3.
+ "diff@>=4 <5": "^4.0.4"
+ "diff@>=7 <8": "^8.0.3"
+ "diff@>=8 <9": "^8.0.3"
+
+ # @types/node: To avoid duplicating the oclif package and adding a bunch of dependencies, force
+ # @types/node to a single version. For some reason version 22.8.0 can't be overridden, so use that
+ # to ensure a single version.
+ "@types/node": "~22.19.17"
+
+ # eslint: jssm-viz-cli brings in ESLint 8.x as a transitive dependency. Force ESLint 9.x to ensure
+ # consistent version across the workspace.
+ eslint: "~9.39.2"
+
+ "json5@<1.0.2": "^1.0.2"
+ "json5@>=2.0.0 <2.2.2": "^2.2.2"
+
+ # mdast-util-gfm-footnote: mdast-util-gfm@3.1.0 has a type definition bug where it imports
+ # ToMarkdownOptions from mdast-util-gfm-footnote, but version 2.0.0 doesn't export it. Override to
+ # 2.1.0 which includes the missing export.
+ mdast-util-gfm-footnote: "^2.1.0"
+
+ # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+ "js-yaml@<4": "^3.14.2"
+ "js-yaml@>=4": "^4.1.1"
+
+ jws: "^3.2.3"
+
+ # mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class
+ # attribute injection).
+ mdast-util-to-hast: "^13.2.1"
+
+ # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies.
+ # This helps reduce lockfile churn since the deps release very frequently.
+ "oclif>@aws-sdk/client-cloudfront": "-"
+ "oclif>@aws-sdk/client-s3": "-"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+ simple-git: "^3.32.3"
+
+ sharp: "^0.34.5"
+
+ # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no
+ # backport).
+ tar: "^7.5.11"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
diff --git a/common/build/eslint-config-fluid/package.json b/common/build/eslint-config-fluid/package.json
index 94072628fbaf..12f4a7c63966 100644
--- a/common/build/eslint-config-fluid/package.json
+++ b/common/build/eslint-config-fluid/package.json
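Review bot: Three of the pins in this block carry no rationale — `jws: "^3.2.3"`, the two `json5@…` ranges, and `sharp: "^0.34.5"` — so nothing tells a later maintainer what they fix or when they can be retired, which is the point of moving the comments inline. The jws and sharp overrides are already documented elsewhere in this same patch (docs cites the jws 3.2.2 vulnerability transitive via jsonwebtoken; common-utils cites GHSA-54xq-cgqr-rpm3 via jssm-viz-cli), and reusing that wording here would keep the workspaces consistent, e.g. `# jws: overridden to ^3.2.3 to resolve a known vulnerability in jws 3.2.2 (transitive via jsonwebtoken).`. json5 has no comment in any workspace, so the advisory or build problem the `<1.0.2` / `>=2.0.0 <2.2.2` pins address should be recorded next to them rather than left to be rediscovered. jws is likewise undocumented in the common-utils and protocol-definitions hunks.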
@@ -75,29 +75,6 @@
 }
 },
 "pnpm": {
- "commentsOverrides": [
- "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
- "diff: overridden to patched version to resolve a known ReDoS vulnerability.",
- "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq and CVE-2024-11831. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "brace-expansion@>=1 <2": "^1.1.12",
- "diff@>=5 <6": "^5.2.2",
- "js-yaml": "^4.1.1",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
 "onlyBuiltDependencies": [
 "esbuild",
 "unrs-resolver"
diff --git a/common/build/eslint-config-fluid/pnpm-workspace.yaml b/common/build/eslint-config-fluid/pnpm-workspace.yaml
index 1bace34bc721..14135e4d25f4 100644
--- a/common/build/eslint-config-fluid/pnpm-workspace.yaml
+++ b/common/build/eslint-config-fluid/pnpm-workspace.yaml
@@ -14,3 +14,31 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.
+ "brace-expansion@>=1 <2": "^1.1.12"
+
+ # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+ "diff@>=5 <6": "^5.2.2"
+
+ # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+ js-yaml: "^4.1.1"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq and CVE-2024-11831.
+ # No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
diff --git a/common/build/eslint-plugin-fluid/package.json b/common/build/eslint-plugin-fluid/package.json
index 24564a50aa80..dab4423e0187 100644
--- a/common/build/eslint-plugin-fluid/package.json
+++ b/common/build/eslint-plugin-fluid/package.json
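Review bot: The unscoped `js-yaml: "^4.1.1"` forces every js-yaml consumer in this workspace onto 4.x, including any that declares a 3.x range, whereas build-tools, common-utils and docs in this same patch scope the fix by major line with `"js-yaml@<4": "^3.14.2"` and `"js-yaml@>=4": "^4.1.1"`, treating `^3.14.2` as the 3.x fix for the same prototype-pollution issue. If no 3.x consumer is in this lockfile the unscoped pin is harmless today, but it silently crosses a major boundary the first time one appears, and the two-range form avoids that while covering both lines. Consider the split here and in the eslint-plugin-fluid hunk, which carries the same unscoped entry.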
@@ -47,33 +47,5 @@
 "peerDependencies": {
 "eslint": "^8.57.0 || ^9.37.0"
 },
- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
- "pnpm": {
- "commentsOverrides": [
- "validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive via swagger-tools).",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
- "diff: overridden to patched version to resolve a known ReDoS vulnerability.",
- "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "brace-expansion@>=1 <2": "^1.1.12",
- "diff@>=5 <6": "^5.2.2",
- "js-yaml": "^4.1.1",
- "qs": "^6.15.0",
- "validator": "^13.15.0",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2"
- }
- }
+ "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }
diff --git a/common/build/eslint-plugin-fluid/pnpm-workspace.yaml b/common/build/eslint-plugin-fluid/pnpm-workspace.yaml
index 1bace34bc721..561c86ad305d 100644
--- a/common/build/eslint-plugin-fluid/pnpm-workspace.yaml
+++ b/common/build/eslint-plugin-fluid/pnpm-workspace.yaml
@@ -14,3 +14,37 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.
+ "brace-expansion@>=1 <2": "^1.1.12"
+
+ # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+ "diff@>=5 <6": "^5.2.2"
+
+ # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+ js-yaml: "^4.1.1"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive
+ # via swagger-tools).
+ validator: "^13.15.0"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json
index 5f6f591f67b9..047e062e5f98 100644
--- a/common/lib/common-utils/package.json
+++ b/common/lib/common-utils/package.json
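Review bot: The picomatch comment promises "patched versions" but only `"picomatch@>=2 <3": "^2.3.2"` follows it; every other workspace in this patch also carries `"picomatch@>=4 <5": "^4.0.4"`. If this lockfile has no picomatch 4.x today the extra range is a no-op, but adding it keeps the security policy uniform across workspaces and stops an unpinned 4.x from arriving unnoticed with a later dependency bump; if the omission is deliberate, the comment should say so and name the single range it covers.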
@@ -151,41 +151,6 @@
 "puppeteer",
 "unrs-resolver"
 ],
- "overridesComments": [
- "sharp <0.32.6 has a vulnerability that Component Governance flags (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through jssm-viz-cli, which hasn't updated to a version with the fix",
- "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very frequently.",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched versions to resolve a known ReDoS vulnerability.",
- "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "diff@>=4 <5": "^4.0.4",
- "diff@>=5 <6": "^5.2.2",
- "diff@>=8 <9": "^8.0.3",
- "js-yaml@<4": "^3.14.2",
- "js-yaml@>=4": "^4.1.1",
- "jws": "^3.2.3",
- "oclif>@aws-sdk/client-cloudfront": "-",
- "oclif>@aws-sdk/client-s3": "-",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "sharp": "^0.33.2",
- "tar": "^7.5.11",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
 "patchedDependencies": {
 "@microsoft/api-extractor@7.58.1": "../../../patches/@microsoft__api-extractor@7.58.1.patch"
 }
diff --git a/common/lib/common-utils/pnpm-workspace.yaml b/common/lib/common-utils/pnpm-workspace.yaml
index 1bace34bc721..20f473057291 100644
--- a/common/lib/common-utils/pnpm-workspace.yaml
+++ b/common/lib/common-utils/pnpm-workspace.yaml
@@ -14,3 +14,54 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # diff: overridden to patched versions to resolve a known ReDoS vulnerability.
+ "diff@>=4 <5": "^4.0.4"
+ "diff@>=5 <6": "^5.2.2"
+ "diff@>=8 <9": "^8.0.3"
+
+ # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+ "js-yaml@<4": "^3.14.2"
+ "js-yaml@>=4": "^4.1.1"
+
+ jws: "^3.2.3"
+
+ # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies
+ # entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very
+ # frequently.
+ "oclif>@aws-sdk/client-cloudfront": "-"
+ "oclif>@aws-sdk/client-s3": "-"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+ simple-git: "^3.32.3"
+
+ # sharp <0.32.6 has a vulnerability that Component Governance flags
+ # (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through
+ # jssm-viz-cli, which hasn't updated to a version with the fix.
+ sharp: "^0.33.2"
+
+ # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no
+ # backport).
+ tar: "^7.5.11"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json
index 2773e7f57a59..d855ca9b21d6 100644
--- a/common/lib/protocol-definitions/package.json
+++ b/common/lib/protocol-definitions/package.json
@@ -112,18 +112,6 @@
 }
 },
 "pnpm": {
- "commentsOverrides": [
- "sharp <0.32.6 has a vulnerability that Component Governance flags (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through jssm-viz-cli, which hasn't updated to a version with the fix",
- "oclif includes some AWS-related features, but we don't use them, so we drop those transitive dependencies entirely from the dependency graph. This helps reduce lockfile churn since the deps release very frequently.",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched version to resolve a known ReDoS vulnerability.",
- "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
- "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
 "onlyBuiltDependencies": [
 "core-js",
 "sharp",
@@ -137,27 +125,6 @@
 "@types/node"
 ]
 },
- "overrides": {
- "diff@>=8 <9": "^8.0.3",
- "js-yaml@<4": "^3.14.2",
- "jws": "^3.2.3",
- "oclif>@aws-sdk/client-cloudfront": "-",
- "oclif>@aws-sdk/client-s3": "-",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "sharp": "^0.33.2",
- "tar": "^7.5.11",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
 "patchedDependencies": {
 "@microsoft/api-extractor@7.58.1": "../../../patches/@microsoft__api-extractor@7.58.1.patch"
 }
diff --git a/common/lib/protocol-definitions/pnpm-workspace.yaml b/common/lib/protocol-definitions/pnpm-workspace.yaml
index 1bace34bc721..57b9bb0bbffd 100644
--- a/common/lib/protocol-definitions/pnpm-workspace.yaml
+++ b/common/lib/protocol-definitions/pnpm-workspace.yaml
@@ -14,3 +14,51 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+ "diff@>=8 <9": "^8.0.3"
+
+ # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+ "js-yaml@<4": "^3.14.2"
+
+ jws: "^3.2.3"
+
+ # oclif includes some AWS-related features, but we don't use them, so we drop those transitive
+ # dependencies entirely from the dependency graph. This helps reduce lockfile churn since the deps
+ # release very frequently.
+ "oclif>@aws-sdk/client-cloudfront": "-"
+ "oclif>@aws-sdk/client-s3": "-"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+ simple-git: "^3.32.3"
+
+ # sharp <0.32.6 has a vulnerability that Component Governance flags
+ # (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through
+ # jssm-viz-cli, which hasn't updated to a version with the fix.
+ sharp: "^0.33.2"
+
+ # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no
+ # backport).
+ tar: "^7.5.11"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
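Review bot: Only the 3.x line of js-yaml is pinned here (`"js-yaml@<4": "^3.14.2"`) while the comment describes the prototype-pollution fix generically; the build-tools, common-utils and docs hunks in this same patch also pin `"js-yaml@>=4": "^4.1.1"`. If this workspace's graph contains no js-yaml 4.x the omission is harmless today, but a single unpatched 4.x copy pulled in by a later dependency bump would not be caught, so adding the second range, or stating in the comment why it is deliberately absent, is cheap insurance. The same question applies to diff, where only `>=8 <9` is covered here versus several ranges in the sibling workspaces.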
diff --git a/docs/package.json b/docs/package.json
index b4064b0965ff..21c22bfacc89 100644
--- a/docs/package.json
+++ b/docs/package.json
@@ -113,56 +113,5 @@
 "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
 "engines": {
 "node": ">=18.0"
- },
- "pnpm": {
- "commentsOverrides": [
- "@types/react: pinned to v18 to prevent pnpm re-resolution from pulling in v19, which is incompatible with the React 18 docs site.",
- "jws: overridden to ^3.2.3 to resolve a known vulnerability in jws 3.2.2 (transitive via jsonwebtoken). Stays within jsonwebtoken's declared ^3.2.2 range.",
- "validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive via swagger-tools).",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
- "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
- "node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched version to resolve a known ReDoS vulnerability.",
- "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.",
- "@azure/identity: overridden to ^4.13.0 to pull a patched @azure/msal-browser (no patched 3.x exists). Transitive dep of @azure/static-web-apps-cli; ^4.13.0 is API-compatible within the ^4.3.0 range it declares.",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "@azure/identity": "^4.13.0",
- "@types/react": "^18.3.12",
- "diff@>=5 <6": "^5.2.2",
- "js-yaml@<4": "^3.14.2",
- "js-yaml@>=4": "^4.1.1",
- "jws": "^3.2.3",
- "mdast-util-to-hast": "^13.2.1",
- "node-forge": "^1.4.0",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "validator": "^13.15.0",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "express@>=4 <5": "^4.22.1",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
- "onlyBuiltDependencies": [
- "@parcel/watcher",
- "core-js",
- "core-js-pure",
- "keytar",
- "linkcheck-bin",
- "typesense-instantsearch-adapter",
- "unrs-resolver"
- ]
 }
 }
diff --git a/docs/pnpm-workspace.yaml b/docs/pnpm-workspace.yaml
index a53757d3c124..5818758e8f9b 100644
--- a/docs/pnpm-workspace.yaml
+++ b/docs/pnpm-workspace.yaml
@@ -8,9 +8,6 @@ packages:
 - .
-# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies
-# in package.json is not respected when the workspace has its own lockfile.
-# See: https://github.com/pnpm/pnpm/issues/9082
 onlyBuiltDependencies:
 - '@parcel/watcher'
 - core-js
@@ -26,3 +23,62 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # @azure/identity: overridden to ^4.13.0 to pull a patched @azure/msal-browser (no patched 3.x
+ # exists). Transitive dep of @azure/static-web-apps-cli; ^4.13.0 is API-compatible within the
+ # ^4.3.0 range it declares.
+ "@azure/identity": "^4.13.0"
+
+ # @types/react: pinned to v18 to prevent pnpm re-resolution from pulling in v19, which is
+ # incompatible with the React 18 docs site.
+ "@types/react": "^18.3.12"
+
+ # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+ "diff@>=5 <6": "^5.2.2"
+
+ # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+ "js-yaml@<4": "^3.14.2"
+ "js-yaml@>=4": "^4.1.1"
+
+ # jws: overridden to ^3.2.3 to resolve a known vulnerability in jws 3.2.2 (transitive via
+ # jsonwebtoken). Stays within jsonwebtoken's declared ^3.2.2 range.
+ jws: "^3.2.3"
+
+ # mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class
+ # attribute injection).
+ mdast-util-to-hast: "^13.2.1"
+
+ # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.
+ node-forge: "^1.4.0"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+ simple-git: "^3.32.3"
+
+ # validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive
+ # via swagger-tools).
+ validator: "^13.15.0"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.
+ "express@>=4 <5": "^4.22.1"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
diff --git a/package.json b/package.json
index b4ab197922af..845cbb05f589 100644
--- a/package.json
+++ b/package.json
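Review bot: The `@types/react` comment says the package is "pinned to v18" but the override is the caret range `"^18.3.12"`, which still floats within 18.x; that matches the stated goal of keeping pnpm re-resolution off v19, but "pinned" overstates what the range does and will mislead someone auditing which overrides are exact pins. Suggest `# @types/react: constrained to ^18.3.12 so pnpm re-resolution cannot pull in v19, which is incompatible with the React 18 docs site.`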
@@ -354,59 +354,6 @@
 }
 },
 "pnpm": {
- "comments": [
- "biome is overridden to make review of the upgrade easier. This can be removed once merged.",
- "node types are forced to a consistent version to avoid conflicts between globals.",
- "nodegit is replaced with an empty package here because it's currently only used by good-fences for features we do not need, and has issues building when changing node versions. See https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely drop it, results in build failures complaining about nodegit not being there.",
- "codemirror and marked overrides are because simplemde use * versions, and the fully up to date versions of its deps do not work. packageExtensions was tried to fix this, but did not work.",
- "@fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, so overriding it forces a version that meets peer dependency requirements is installed.",
- "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce lockfile churn since the deps release very frequently.",
- "axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret dependencies aren't enough on a pre-1.0 package.",
- "Security overrides: tar is overridden to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v). The existing axios@<0.30.0 override resolves to 0.30.2 which is also affected by GHSA-43fc-jf86-j433 (DoS via __proto__), but updating that pre-1.0 override is out of scope here.",
- "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
- "fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, DoS via entity expansion, stack overflow). 
Stays within @langchain/anthropic's declared ^4.4.1 range.",
- "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.",
- "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x have no fix in their major range so they are bumped to the nearest patched major.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.",
- "picomatch: overridden to patched versions to resolve a known security vulnerability.",
- "node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities.",
- "langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares ^0.3.x so the override is needed to cross the minor version boundary."
- ],
- "overrides": {
- "@biomejs/biome": "~2.4.5",
- "@types/node": "catalog:types",
- "diff@>=3 <4": "^4.0.4",
- "diff@>=5 <6": "^5.2.2",
- "diff@>=7 <8": "^8.0.3",
- "diff@>=8 <9": "^8.0.3",
- "fast-xml-parser": "^4.5.4",
- "node-forge": "^1.4.0",
- "good-fences>nodegit": "npm:empty-npm-package@1.0.0",
- "qs": "^6.15.0",
- "simple-git": "^3.32.3",
- "systeminformation": "^5.31.0",
- "simplemde>codemirror": "^5.65.11",
- "simplemde>marked": "^4.3.0",
- "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4",
- "oclif>@aws-sdk/client-cloudfront": "-",
- "oclif>@aws-sdk/client-s3": "-",
- "axios@<0.30.0": "^0.30.0",
- "tar": "^7.5.11",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "express@>=4 <5": "^4.22.1",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4", - 
"langsmith": "^0.5.15"
- },
 "peerDependencyComments": [
 "The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876",
 "@types/node is ignored because it is usually not needed by packages, and if it is, then the package will hit a compilation failure.",
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 7c7f27e2c37c..0e08cba1cb20 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -45,3 +45,88 @@ catalogs: # Type definitions types: "@types/node": "~22.19.17" + +overrides: + # biome is overridden to make review of the upgrade easier. This can be removed once merged. + "@biomejs/biome": "~2.4.5" + + # node types are forced to a consistent version to avoid conflicts between globals. + "@types/node": "catalog:types" + + # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@3.x and diff@7.x + # have no fix in their major range so they are bumped to the nearest patched major. + "diff@>=3 <4": "^4.0.4" + "diff@>=5 <6": "^5.2.2" + "diff@>=7 <8": "^8.0.3" + "diff@>=8 <9": "^8.0.3" + + # fast-xml-parser: overridden to ^4.5.4 to resolve multiple CVEs in 4.5.3 (entity encoding bypass, + # DoS via entity expansion, stack overflow). Stays within @langchain/anthropic's declared ^4.4.1 range. + fast-xml-parser: "^4.5.4" + + # node-forge: overridden to ^1.4.0 to resolve known security vulnerabilities. + node-forge: "^1.4.0" + + # nodegit is replaced with an empty package here because it's currently only used by good-fences for + # features we do not need, and has issues building when changing node versions. See + # https://github.com/smikula/good-fences/issues/105 for details. Note that using '-' to completely + # drop it, results in build failures complaining about nodegit not being there. + "good-fences>nodegit": "npm:empty-npm-package@1.0.0" + + # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions. + qs: "^6.15.0" + + # simple-git: overridden to ^3.32.3 to resolve a CG alert. + simple-git: "^3.32.3" + + # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities. + systeminformation: "^5.31.0" + + # codemirror and marked overrides are because simplemde use * versions, and the fully up to date + # versions of its deps do not work. packageExtensions was tried to fix this, but did not work. 
+ "simplemde>codemirror": "^5.65.11" + "simplemde>marked": "^4.3.0" + + # @fluentui/react-positioning's dependency on @floating-ui/dom causes a peer dependency violation, + # so overriding it forces a version that meets peer dependency requirements is installed. + "@fluentui/react-positioning>@floating-ui/dom": "~1.5.4" + + # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. + # This helps reduce lockfile churn since the deps release very frequently. + "oclif>@aws-sdk/client-cloudfront": "-" + "oclif>@aws-sdk/client-s3": "-" + + # axios pre-1.0 needs an override to stay current on a version with no reported CVEs. Caret + # dependencies aren't enough on a pre-1.0 package. + "axios@<0.30.0": "^0.30.0" + + # Security overrides: tar is overridden to address path traversal CVEs (GHSA-8qq5-rm4j-mr97, + # GHSA-r6q2-hw4h-h46w, GHSA-34x7-hfp2-rc4v). The existing axios@<0.30.0 override resolves to 0.30.2 + # which is also affected by GHSA-43fc-jf86-j433 (DoS via __proto__), but updating that pre-1.0 + # override is out of scope here. + tar: "^7.5.11" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. + "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2. + "express@>=4 <5": "^4.22.1" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. 
+ "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" + + # langsmith: overridden to ^0.5.15 to resolve a known security vulnerability. The consumer declares + # ^0.3.x so the override is needed to cross the minor version boundary. + langsmith: "^0.5.15" diff --git a/server/gitrest/package.json b/server/gitrest/package.json index 72c7193af21f..1d723debb7ea 100644 --- a/server/gitrest/package.json +++ b/server/gitrest/package.json 
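Review bot: The axios and tar comments in this hunk now contradict each other: the axios entry says the override keeps it on a version with no reported CVEs, while the tar entry a few lines below says the resolved 0.30.2 is still affected by GHSA-43fc-jf86-j433. Since each YAML comment now sits directly on the override it documents, that caveat belongs on the axios entry, e.g. `# axios pre-1.0 needs an override; caret ranges aren't enough on a pre-1.0 package. Note: 0.30.2 is still affected by GHSA-43fc-jf86-j433 (DoS via __proto__) and has not been bumped yet.`, and the tar comment can be trimmed to the tar advisories. The @floating-ui comment also reads `so overriding it forces a version that meets peer dependency requirements is installed`; drop the trailing `is installed`.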
@@ -73,53 +73,5 @@ "supertest": "^3.4.2", "typescript": "~5.1.6" }, - "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319", - "pnpm": { - "commentsOverrides": [ - "sharp <0.32.6 has a vulnerability that Component Governance flags (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through jssm-viz-cli, which hasn't updated to a version with the fix", - "eslint is overridden to v9 for flat config support across all packages", - "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via overrides. This helps reduce lockfile churn since the deps release very frequently.", - "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert.", - "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", - "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", - "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.", - "picomatch: overridden to patched versions to resolve a known security vulnerability." 
- ], - "overrides": { - "diff@>=5 <6": "^5.2.2", - "diff@>=7 <8": "^8.0.3", - "diff@>=8 <9": "^8.0.3", - "@types/node": "~22.19.17", - "eslint": "~9.39.2", - "jws": "^3.2.3", - "nanoid": "^3.3.9", - "oclif>@aws-sdk/client-cloudfront": "-", - "oclif>@aws-sdk/client-s3": "-", - "js-yaml@<4": "^3.14.2", - "js-yaml@>=4": "^4.1.1", - "qs": "^6.15.0", - "simple-git": "^3.32.3", - "sharp": "^0.33.2", - "tar": "^7.5.11", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "serialize-javascript@>=6 <7": "^7.0.4", - "express@>=4 <5": "^4.22.1", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4" - }, - "onlyBuiltDependencies": [ - "core-js", - "unrs-resolver" - ] - } + "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319" } diff --git a/server/gitrest/pnpm-workspace.yaml b/server/gitrest/pnpm-workspace.yaml index e2acd905a387..a8af98385f0a 100644 --- a/server/gitrest/pnpm-workspace.yaml +++ b/server/gitrest/pnpm-workspace.yaml @@ -11,9 +11,6 @@ packages: - "packages/*" -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - core-js - unrs-resolver 
@@ -24,3 +21,63 @@ resolutionMode: highest blockExoticSubdeps: true trustPolicy: no-downgrade strictDepBuilds: true + +overrides: + # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix + # so it is bumped to 8.0.3. + "diff@>=5 <6": "^5.2.2" + "diff@>=7 <8": "^8.0.3" + "diff@>=8 <9": "^8.0.3" + + "@types/node": "~22.19.17" + + # eslint is overridden to v9 for flat config support across all packages. + eslint: "~9.39.2" + + jws: "^3.2.3" + nanoid: "^3.3.9" + + # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies + # entirely via overrides. This helps reduce lockfile churn since the deps release very frequently. + "oclif>@aws-sdk/client-cloudfront": "-" + "oclif>@aws-sdk/client-s3": "-" + + # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys). + "js-yaml@<4": "^3.14.2" + "js-yaml@>=4": "^4.1.1" + + # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions. + qs: "^6.15.0" + + # simple-git: overridden to ^3.32.3 to resolve a CG alert. + simple-git: "^3.32.3" + + # sharp <0.32.6 has a vulnerability that Component Governance flags + # (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through + # jssm-viz-cli, which hasn't updated to a version with the fix. + sharp: "^0.33.2" + + # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no + # backport). + tar: "^7.5.11" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. + "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. 
No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2. + "express@>=4 <5": "^4.22.1" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. + "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" diff --git a/server/historian/package.json b/server/historian/package.json index d4d033366785..e3f0d9842f25 100644 --- a/server/historian/package.json +++ b/server/historian/package.json 
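Review bot: `@types/node`, `jws: "^3.2.3"` and `nanoid: "^3.3.9"` in this hunk are the only overrides without a rationale comment, which makes them the entries most likely to be dropped in a future cleanup even though the version floors look like security bumps. Now that each override carries its comment inline, a one-line note per entry would keep the file self-explaining, e.g. `# jws: floor raised to ^3.2.3 — <advisory or reason from the originating change>` with the real reference filled in from blame. The same gap exists in server/historian/pnpm-workspace.yaml (jws, nanoid, socket.io-parser, @types/node), server/routerlicious/pnpm-workspace.yaml (jws, socket.io-parser) and tools/benchmark/pnpm-workspace.yaml (nanoid).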
@@ -64,61 +64,5 @@ "supertest": "^3.3.0", "typescript": "~5.1.6" }, - "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319", - "pnpm": { - "commentsOverrides": [ - "sharp <0.32.6 has a vulnerability that Component Governance flags (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through jssm-viz-cli, which hasn't updated to a version with the fix", - "mongodb>@aws-sdk/credential-providers: not needed and brings in a large transitive dependency tree (including fast-xml-parser). Dropped with '-'.", - "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies with '-'. This helps reduce lockfile churn since the deps release very frequently.", - "eslint is overridden to v9 for flat config support across all packages", - "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert.", - "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", - "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", - "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.", - "picomatch: overridden to patched versions to resolve a known security vulnerability.", - "zookeeper: pinned to 7.x since earlier versions fail to compile on Node 22 due to deprecated NAN APIs, and may be brought in transitively." 
- ], - "overrides": { - "express@>=4 <5": "^4.22.1", - "diff@>=5 <6": "^5.2.2", - "diff@>=7 <8": "^8.0.3", - "diff@>=8 <9": "^8.0.3", - "@types/node": "~22.19.17", - "eslint": "~9.39.2", - "jws": "^3.2.3", - "mongodb>@aws-sdk/credential-providers": "-", - "nanoid": "^3.3.9", - "oclif>@aws-sdk/client-cloudfront": "-", - "oclif>@aws-sdk/client-s3": "-", - "js-yaml@<4": "^3.14.2", - "js-yaml@>=4": "^4.1.1", - "qs": "^6.15.0", - "simple-git": "^3.32.3", - "socket.io-parser": "^4.2.6", - "tar": "^7.5.11", - "sharp": "^0.33.2", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "serialize-javascript@>=6 <7": "^7.0.4", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4", - "zookeeper": "^7.2.0" - }, - "onlyBuiltDependencies": [ - "core-js", - "node-rdkafka", - "snappy", - "unrs-resolver", - "zookeeper" - ] - } + "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319" } diff --git a/server/historian/pnpm-workspace.yaml b/server/historian/pnpm-workspace.yaml index b21c06bbd89d..93d0187d9849 100644 --- a/server/historian/pnpm-workspace.yaml +++ b/server/historian/pnpm-workspace.yaml @@ -11,9 +11,6 @@ packages: - "packages/*" -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - core-js - node-rdkafka 
@@ -27,3 +24,74 @@ resolutionMode: highest blockExoticSubdeps: true trustPolicy: no-downgrade strictDepBuilds: true + +overrides: + # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2. + "express@>=4 <5": "^4.22.1" + + # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix + # so it is bumped to 8.0.3. + "diff@>=5 <6": "^5.2.2" + "diff@>=7 <8": "^8.0.3" + "diff@>=8 <9": "^8.0.3" + + "@types/node": "~22.19.17" + + # eslint is overridden to v9 for flat config support across all packages. + eslint: "~9.39.2" + + jws: "^3.2.3" + + # mongodb>@aws-sdk/credential-providers: not needed and brings in a large transitive dependency tree + # (including fast-xml-parser). Dropped with '-'. + "mongodb>@aws-sdk/credential-providers": "-" + + nanoid: "^3.3.9" + + # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies + # with '-'. This helps reduce lockfile churn since the deps release very frequently. + "oclif>@aws-sdk/client-cloudfront": "-" + "oclif>@aws-sdk/client-s3": "-" + + # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys). + "js-yaml@<4": "^3.14.2" + "js-yaml@>=4": "^4.1.1" + + # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions. + qs: "^6.15.0" + + # simple-git: overridden to ^3.32.3 to resolve a CG alert. + simple-git: "^3.32.3" + + socket.io-parser: "^4.2.6" + + # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no + # backport). + tar: "^7.5.11" + + # sharp <0.32.6 has a vulnerability that Component Governance flags + # (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through + # jssm-viz-cli, which hasn't updated to a version with the fix. + sharp: "^0.33.2" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. 
+ "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. + "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" + + # zookeeper: pinned to 7.x since earlier versions fail to compile on Node 22 due to deprecated NAN + # APIs, and may be brought in transitively. + zookeeper: "^7.2.0" diff --git a/server/routerlicious/package.json b/server/routerlicious/package.json index 4769cda63184..277ab2c9c6bf 100644 --- a/server/routerlicious/package.json +++ b/server/routerlicious/package.json 
@@ -139,69 +139,6 @@ } }, "pnpm": { - "commentsOverrides": [ - "mongodb>@aws-sdk/credential-providers: not needed and brings in a large transitive dependency tree (including fast-xml-parser). Dropped with '-'.", - "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies with '-'. This helps reduce lockfile churn since the deps release very frequently.", - "eslint: Force ESLint 9.x to ensure consistent version across the workspace.", - "@typescript-eslint/*: Pin to 8.52.0 to avoid 8.53.0 which may not be available in ADO package feed.", - "@babel/*: Pin to 7.27.x to avoid 7.28.x versions which may not be available in ADO package feed.", - "zookeeper: pinned to 7.x since earlier versions fail to compile and may be brought in transitively.", - "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.", - "simple-git: overridden to ^3.32.3 to resolve a CG alert.", - "diff: overridden to patched versions to resolve a known ReDoS vulnerability.", - "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", - "express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2.", - "picomatch: overridden to patched versions to resolve a known security vulnerability." 
- ], - "overrides": { - "@typescript-eslint/tsconfig-utils": "8.52.0", - "@typescript-eslint/project-service": "8.52.0", - "@babel/core": "7.27.7", - "@babel/parser": "7.27.7", - "@babel/code-frame": "7.27.1", - "@babel/generator": "7.27.5", - "@babel/helper-compilation-targets": "7.27.2", - "@babel/helper-module-imports": "7.27.1", - "@babel/helper-module-transforms": "7.27.3", - "@babel/helper-string-parser": "7.27.1", - "@babel/helper-validator-identifier": "7.27.1", - "@babel/helpers": "7.27.6", - "@babel/template": "7.27.2", - "@babel/traverse": "7.27.7", - "@babel/types": "7.27.7", - "@babel/runtime": "7.27.6", - "diff@>=4 <5": "^4.0.4", - "diff@>=5 <6": "^5.2.2", - "diff@>=8 <9": "^8.0.3", - "eslint": "^9.39.2", - "jws": "^3.2.3", - "mongodb>@aws-sdk/credential-providers": "-", - "oclif>@aws-sdk/client-cloudfront": "-", - "oclif>@aws-sdk/client-s3": "-", - "js-yaml@<4": "^3.14.2", - "js-yaml@>=4": "^4.1.1", - "qs": "^6.15.0", - "simple-git": "^3.32.3", - "systeminformation": "^5.31.0", - "tar": "^7.5.11", - "socket.io-parser": "^4.2.6", - "zookeeper": "^7.2.0", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "serialize-javascript@>=6 <7": "^7.0.4", - "express@>=4 <5": "^4.22.1", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4" - }, "peerDependencyComments": [ "@types/node is a peer dependency because of build tools. The package is not needed because it's only used for compilation. It's not needed at runtime.", "oclif includes some AWS-related features, but we don't use them, so we ignore @aws-sdk peer dependencies." 
@@ -214,14 +151,6 @@ }, "patchedDependencies": { "@microsoft/api-extractor@7.58.1": "patches/@microsoft__api-extractor@7.58.1.patch" - }, - "onlyBuiltDependencies": [ - "classic-level", - "core-js", - "node-rdkafka", - "snappy", - "unrs-resolver", - "zookeeper" - ] + } } } diff --git a/server/routerlicious/pnpm-workspace.yaml b/server/routerlicious/pnpm-workspace.yaml index e1da24f221e6..e05d84574bff 100644 --- a/server/routerlicious/pnpm-workspace.yaml +++ b/server/routerlicious/pnpm-workspace.yaml @@ -11,9 +11,6 @@ packages: - "packages/*" -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - classic-level - core-js 
@@ -28,3 +25,86 @@ resolutionMode: highest blockExoticSubdeps: true trustPolicy: no-downgrade strictDepBuilds: true + +overrides: + # @typescript-eslint/*: Pin to 8.52.0 to avoid 8.53.0 which may not be available in ADO package feed. + "@typescript-eslint/tsconfig-utils": "8.52.0" + "@typescript-eslint/project-service": "8.52.0" + + # @babel/*: Pin to 7.27.x to avoid 7.28.x versions which may not be available in ADO package feed. + "@babel/core": "7.27.7" + "@babel/parser": "7.27.7" + "@babel/code-frame": "7.27.1" + "@babel/generator": "7.27.5" + "@babel/helper-compilation-targets": "7.27.2" + "@babel/helper-module-imports": "7.27.1" + "@babel/helper-module-transforms": "7.27.3" + "@babel/helper-string-parser": "7.27.1" + "@babel/helper-validator-identifier": "7.27.1" + "@babel/helpers": "7.27.6" + "@babel/template": "7.27.2" + "@babel/traverse": "7.27.7" + "@babel/types": "7.27.7" + "@babel/runtime": "7.27.6" + + # diff: overridden to patched versions to resolve a known ReDoS vulnerability. + "diff@>=4 <5": "^4.0.4" + "diff@>=5 <6": "^5.2.2" + "diff@>=8 <9": "^8.0.3" + + # eslint: Force ESLint 9.x to ensure consistent version across the workspace. + eslint: "^9.39.2" + + jws: "^3.2.3" + + # mongodb>@aws-sdk/credential-providers: not needed and brings in a large transitive dependency tree + # (including fast-xml-parser). Dropped with '-'. + "mongodb>@aws-sdk/credential-providers": "-" + + # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies + # with '-'. This helps reduce lockfile churn since the deps release very frequently. + "oclif>@aws-sdk/client-cloudfront": "-" + "oclif>@aws-sdk/client-s3": "-" + + # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys). + "js-yaml@<4": "^3.14.2" + "js-yaml@>=4": "^4.1.1" + + # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions. + qs: "^6.15.0" + + # simple-git: overridden to ^3.32.3 to resolve a CG alert. 
+ simple-git: "^3.32.3" + + # systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities. + systeminformation: "^5.31.0" + + # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no + # backport). + tar: "^7.5.11" + + socket.io-parser: "^4.2.6" + + # zookeeper: pinned to 7.x since earlier versions fail to compile and may be brought in transitively. + zookeeper: "^7.2.0" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. + "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # express: overridden to ^4.22.1 to resolve a known vulnerability in express 4.21.2. + "express@>=4 <5": "^4.22.1" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. + "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" diff --git a/tools/api-markdown-documenter/package.json b/tools/api-markdown-documenter/package.json index 8fa5710f9ccd..bce15d01feb0 100644 --- a/tools/api-markdown-documenter/package.json +++ b/tools/api-markdown-documenter/package.json 
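Review bot: The diff override block in this hunk covers `>=4 <5`, `>=5 <6` and `>=8 <9` but, unlike server/gitrest and server/historian, has no `diff@>=7 <8` entry, so a transitive diff@7.x in this workspace, if one exists, would stay on the line the ReDoS comment describes. If the 7.x range is intentionally absent because nothing here pulls it in, saying so in the comment spares the next reader from re-deriving that; otherwise `"diff@>=7 <8": "^8.0.3"` matches the sibling workspaces. Separately, `eslint: "^9.39.2"` uses a caret while gitrest and historian use `~9.39.2`; the comment promises a consistent version, so the ranges should probably agree.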
@@ -123,35 +123,5 @@ "^tsc" ] } - }, - "pnpm": { - "commentsOverrides": [ - "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", - "diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", - "picomatch: overridden to patched versions to resolve a known security vulnerability." - ], - "overrides": { - "diff@>=5 <6": "^5.2.2", - "diff@>=7 <8": "^8.0.3", - "js-yaml": "^4.1.1", - "qs": "^6.15.0", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "serialize-javascript@>=6 <7": "^7.0.4", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4" - }, - "onlyBuiltDependencies": [ - "@biomejs/biome", - "unrs-resolver" - ] } } diff --git a/tools/api-markdown-documenter/pnpm-workspace.yaml b/tools/api-markdown-documenter/pnpm-workspace.yaml index 0e17bfdf850a..3b362b556661 100644 --- a/tools/api-markdown-documenter/pnpm-workspace.yaml +++ b/tools/api-markdown-documenter/pnpm-workspace.yaml @@ -7,9 +7,6 @@ packages: - "." -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - '@biomejs/biome' - unrs-resolver 
@@ -20,3 +17,33 @@ resolutionMode: highest blockExoticSubdeps: true trustPolicy: no-downgrade strictDepBuilds: true + +overrides: + # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix + # so it is bumped to 8.0.3. + "diff@>=5 <6": "^5.2.2" + "diff@>=7 <8": "^8.0.3" + + # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys). + js-yaml: "^4.1.1" + + # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions. + qs: "^6.15.0" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. + "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. + "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" diff --git a/tools/benchmark/package.json b/tools/benchmark/package.json index 50b9d08994a2..bc86bd979c20 100644 --- a/tools/benchmark/package.json +++ b/tools/benchmark/package.json 
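Review bot: `js-yaml: "^4.1.1"` in this hunk is an unqualified override, so it also rewrites any js-yaml@3 consumer onto 4.x, which dropped the 3.x `safeLoad`/`safeDump` entry points; server/gitrest and server/historian avoid that by splitting it into `"js-yaml@<4": "^3.14.2"` and `"js-yaml@>=4": "^4.1.1"`. If this workspace has no 3.x consumers the blanket form is harmless, but the split form documents the intent and still addresses CVE-2025-64718 on both lines. The same shape appears in tools/benchmark/pnpm-workspace.yaml and tools/getkeys/pnpm-workspace.yaml.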
@@ -61,32 +61,5 @@ "typescript": "~5.4.5", "typescript-eslint": "~8.54.0" }, - "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319", - "pnpm": { - "onlyBuiltDependencies": [ - "unrs-resolver" - ], - "commentsOverrides": [ - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", - "diff: overridden to patched version to resolve a known ReDoS vulnerability.", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).", - "picomatch: overridden to patched versions to resolve a known security vulnerability." - ], - "overrides": { - "diff@>=5 <6": "^5.2.2", - "js-yaml": "^4.1.1", - "nanoid": "^3.3.9", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "serialize-javascript@>=6 <7": "^7.0.4", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4" - } - } + "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319" } diff --git a/tools/benchmark/pnpm-workspace.yaml b/tools/benchmark/pnpm-workspace.yaml index 35edfeafb395..cd4091d5ca5c 100644 --- a/tools/benchmark/pnpm-workspace.yaml +++ b/tools/benchmark/pnpm-workspace.yaml @@ -7,9 +7,6 @@ packages: - "." -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - unrs-resolver 
@@ -19,3 +16,30 @@ resolutionMode: highest blockExoticSubdeps: true trustPolicy: no-downgrade strictDepBuilds: true + +overrides: + # diff: overridden to patched version to resolve a known ReDoS vulnerability. + "diff@>=5 <6": "^5.2.2" + + # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys). + js-yaml: "^4.1.1" + + nanoid: "^3.3.9" + + # minimatch: overridden to patched versions to resolve known security vulnerabilities across all + # major version ranges. + "minimatch@>=3 <4": "^3.1.5" + "minimatch@>=5 <6": "^5.1.9" + "minimatch@>=6 <7": "^6.2.3" + "minimatch@>=7 <8": "^7.4.9" + "minimatch@>=8 <9": "^8.0.7" + "minimatch@>=9 <10": "^9.0.9" + "minimatch@>=10 <11": "^10.2.4" + + # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; + # 7.x is API-compatible (only drops Node <20 support). + "serialize-javascript@>=6 <7": "^7.0.4" + + # picomatch: overridden to patched versions to resolve a known security vulnerability. + "picomatch@>=2 <3": "^2.3.2" + "picomatch@>=4 <5": "^4.0.4" diff --git a/tools/getkeys/package.json b/tools/getkeys/package.json index 5fd833f1db8f..09db2bbbde63 100644 --- a/tools/getkeys/package.json +++ b/tools/getkeys/package.json 
@@ -34,27 +34,5 @@ "prettier": "~3.0.3", "typescript": "~4.5.5" }, - "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319", - "pnpm": { - "onlyBuiltDependencies": ["unrs-resolver"], - "commentsOverrides": [ - "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", - "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).", - "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.", - "picomatch: overridden to patched versions to resolve a known security vulnerability." - ], - "overrides": { - "js-yaml": "^4.1.1", - "qs": "^6.15.0", - "minimatch@>=3 <4": "^3.1.5", - "minimatch@>=5 <6": "^5.1.9", - "minimatch@>=6 <7": "^6.2.3", - "minimatch@>=7 <8": "^7.4.9", - "minimatch@>=8 <9": "^8.0.7", - "minimatch@>=9 <10": "^9.0.9", - "minimatch@>=10 <11": "^10.2.4", - "picomatch@>=2 <3": "^2.3.2", - "picomatch@>=4 <5": "^4.0.4" - } - } + "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319" } diff --git a/tools/getkeys/pnpm-workspace.yaml b/tools/getkeys/pnpm-workspace.yaml index 2c0c6e63a55c..a3135f034233 100644 --- a/tools/getkeys/pnpm-workspace.yaml +++ b/tools/getkeys/pnpm-workspace.yaml @@ -1,9 +1,6 @@ packages: - "." -# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies -# in package.json is not respected when the workspace has its own lockfile. -# See: https://github.com/pnpm/pnpm/issues/9082 onlyBuiltDependencies: - unrs-resolver 
@@ -13,3 +10,24 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+ js-yaml: "^4.1.1"
+
+ # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+ qs: "^6.15.0"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"
diff --git a/tools/test-tools/package.json b/tools/test-tools/package.json
index e7fdecb010cc..2486a8f2e8cf 100644
--- a/tools/test-tools/package.json
+++ b/tools/test-tools/package.json
@@ -44,31 +44,5 @@
 "rimraf": "^6.1.3",
 "typescript": "~5.4.5"
 },
- "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
- "pnpm": {
- "commentsOverrides": [
- "js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
- "diff: overridden to patched version to resolve a known ReDoS vulnerability.",
- "minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
- "serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
- "picomatch: overridden to patched versions to resolve a known security vulnerability."
- ],
- "overrides": {
- "diff@>=5 <6": "^5.2.2",
- "js-yaml": "^4.1.1",
- "minimatch@>=3 <4": "^3.1.5",
- "minimatch@>=5 <6": "^5.1.9",
- "minimatch@>=6 <7": "^6.2.3",
- "minimatch@>=7 <8": "^7.4.9",
- "minimatch@>=8 <9": "^8.0.7",
- "minimatch@>=9 <10": "^9.0.9",
- "minimatch@>=10 <11": "^10.2.4",
- "serialize-javascript@>=6 <7": "^7.0.4",
- "picomatch@>=2 <3": "^2.3.2",
- "picomatch@>=4 <5": "^4.0.4"
- },
- "onlyBuiltDependencies": [
- "unrs-resolver"
- ]
- }
+ "packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }
diff --git a/tools/test-tools/pnpm-workspace.yaml b/tools/test-tools/pnpm-workspace.yaml
index 35edfeafb395..e63a237d7a36 100644
--- a/tools/test-tools/pnpm-workspace.yaml
+++ b/tools/test-tools/pnpm-workspace.yaml
@@ -7,9 +7,6 @@
 packages:
 - "."
-# These entries must be duplicated from package.json due to a pnpm bug where onlyBuiltDependencies
-# in package.json is not respected when the workspace has its own lockfile.
-# See: https://github.com/pnpm/pnpm/issues/9082
 onlyBuiltDependencies:
 - unrs-resolver
@@ -19,3 +16,28 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+ # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+ "diff@>=5 <6": "^5.2.2"
+
+ # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+ js-yaml: "^4.1.1"
+
+ # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+ # major version ranges.
+ "minimatch@>=3 <4": "^3.1.5"
+ "minimatch@>=5 <6": "^5.1.9"
+ "minimatch@>=6 <7": "^6.2.3"
+ "minimatch@>=7 <8": "^7.4.9"
+ "minimatch@>=8 <9": "^8.0.7"
+ "minimatch@>=9 <10": "^9.0.9"
+ "minimatch@>=10 <11": "^10.2.4"
+
+ # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+ # 7.x is API-compatible (only drops Node <20 support).
+ "serialize-javascript@>=6 <7": "^7.0.4"
+
+ # picomatch: overridden to patched versions to resolve a known security vulnerability.
+ "picomatch@>=2 <3": "^2.3.2"
+ "picomatch@>=4 <5": "^4.0.4"