chore: move pnpm overrides from package.json to pnpm-workspace.yaml

build-tools/package.json

@@ -145,52 +145,6 @@
 				"@aws-sdk/*"
 			]
 		},
-		"overrideComments": [
-			"eslint: jssm-viz-cli brings in ESLint 8.x as a transitive dependency. Force ESLint 9.x to ensure consistent version across the workspace.",
-			"oclif includes some AWS-related features, but we don't use them, so we drop those dependencies. This helps reduce lockfile churn since the deps release very frequently.",
-			"@types/node: To avoid duplicating the oclif package and adding a bunch of dependencies, force @types/node to a single version. For some reason version 22.8.0 can't be overridden, so use that to ensure a single version",
-			"@types/minimatch: @types/glob@7.x uses minimatch.IOptions and minimatch.IMinimatch interfaces. Force @types/minimatch@5 which includes these legacy type definitions.",
-			"mdast-util-gfm-footnote: mdast-util-gfm@3.1.0 has a type definition bug where it imports ToMarkdownOptions from mdast-util-gfm-footnote, but version 2.0.0 doesn't export it. Override to 2.1.0 which includes the missing export.",
-			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
-			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
-			"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
-			"diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.",
-			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
-			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
-			"picomatch: overridden to patched versions to resolve a known security vulnerability."
-		],
-		"overrides": {
-			"@types/glob>@types/minimatch": "~5.1.2",
-			"diff@>=4 <5": "^4.0.4",
-			"diff@>=7 <8": "^8.0.3",
-			"diff@>=8 <9": "^8.0.3",
-			"@types/node": "~22.19.17",
-			"eslint": "~9.39.2",
-			"json5@<1.0.2": "^1.0.2",
-			"json5@>=2.0.0 <2.2.2": "^2.2.2",
-			"mdast-util-gfm-footnote": "^2.1.0",
-			"js-yaml@<4": "^3.14.2",
-			"js-yaml@>=4": "^4.1.1",
-			"jws": "^3.2.3",
-			"mdast-util-to-hast": "^13.2.1",
-			"oclif>@aws-sdk/client-cloudfront": "-",
-			"oclif>@aws-sdk/client-s3": "-",
-			"qs": "^6.15.0",
-			"simple-git": "^3.32.3",
-			"sharp": "^0.34.5",
-			"tar": "^7.5.11",
-			"minimatch@>=3 <4": "^3.1.5",
-			"minimatch@>=5 <6": "^5.1.9",
-			"minimatch@>=6 <7": "^6.2.3",
-			"minimatch@>=7 <8": "^7.4.9",
-			"minimatch@>=8 <9": "^8.0.7",
-			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4",
-			"serialize-javascript@>=6 <7": "^7.0.4",
-			"picomatch@>=2 <3": "^2.3.2",
-			"picomatch@>=4 <5": "^4.0.4"
-		},
 		"updateConfig": {
 			"ignoreDependencies": [
 				"latest-version",

build-tools/pnpm-workspace.yaml

@@ -17,3 +17,76 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+  # @types/minimatch: @types/glob@7.x uses minimatch.IOptions and minimatch.IMinimatch interfaces.
+  # Force @types/minimatch@5 which includes these legacy type definitions.
+  "@types/glob>@types/minimatch": "~5.1.2"
+
+  # diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix
+  # so it is bumped to 8.0.3.
+  "diff@>=4 <5": "^4.0.4"
+  "diff@>=7 <8": "^8.0.3"
+  "diff@>=8 <9": "^8.0.3"
+
+  # @types/node: To avoid duplicating the oclif package and adding a bunch of dependencies, force
+  # @types/node to a single version. For some reason version 22.8.0 can't be overridden, so use that
+  # to ensure a single version.
+  "@types/node": "~22.19.17"
+
+  # eslint: jssm-viz-cli brings in ESLint 8.x as a transitive dependency. Force ESLint 9.x to ensure
+  # consistent version across the workspace.
+  eslint: "~9.39.2"
+
+  "json5@<1.0.2": "^1.0.2"
+  "json5@>=2.0.0 <2.2.2": "^2.2.2"
+
+  # mdast-util-gfm-footnote: mdast-util-gfm@3.1.0 has a type definition bug where it imports
+  # ToMarkdownOptions from mdast-util-gfm-footnote, but version 2.0.0 doesn't export it. Override to
+  # 2.1.0 which includes the missing export.
+  mdast-util-gfm-footnote: "^2.1.0"
+
+  # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+  "js-yaml@<4": "^3.14.2"
+  "js-yaml@>=4": "^4.1.1"
+
+  jws: "^3.2.3"
+
+  # mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class
+  # attribute injection).
+  mdast-util-to-hast: "^13.2.1"
+
+  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies.
+  # This helps reduce lockfile churn since the deps release very frequently.
+  "oclif>@aws-sdk/client-cloudfront": "-"
+  "oclif>@aws-sdk/client-s3": "-"
+
+  # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+  qs: "^6.15.0"
+
+  # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+  simple-git: "^3.32.3"
+
+  sharp: "^0.34.5"
+
+  # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no
+  # backport).
+  tar: "^7.5.11"
+
+  # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+  # major version ranges.
+  "minimatch@>=3 <4": "^3.1.5"
+  "minimatch@>=5 <6": "^5.1.9"
+  "minimatch@>=6 <7": "^6.2.3"
+  "minimatch@>=7 <8": "^7.4.9"
+  "minimatch@>=8 <9": "^8.0.7"
+  "minimatch@>=9 <10": "^9.0.9"
+  "minimatch@>=10 <11": "^10.2.4"
+
+  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+  # 7.x is API-compatible (only drops Node <20 support).
+  "serialize-javascript@>=6 <7": "^7.0.4"
+
+  # picomatch: overridden to patched versions to resolve a known security vulnerability.
+  "picomatch@>=2 <3": "^2.3.2"
+  "picomatch@>=4 <5": "^4.0.4"

common/build/eslint-config-fluid/package.json

@@ -75,29 +75,6 @@
 		}
 	},
 	"pnpm": {
-		"commentsOverrides": [
-			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
-			"diff: overridden to patched version to resolve a known ReDoS vulnerability.",
-			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
-			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq and CVE-2024-11831. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
-			"brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.",
-			"picomatch: overridden to patched versions to resolve a known security vulnerability."
-		],
-		"overrides": {
-			"brace-expansion@>=1 <2": "^1.1.12",
-			"diff@>=5 <6": "^5.2.2",
-			"js-yaml": "^4.1.1",
-			"minimatch@>=3 <4": "^3.1.5",
-			"minimatch@>=5 <6": "^5.1.9",
-			"minimatch@>=6 <7": "^6.2.3",
-			"minimatch@>=7 <8": "^7.4.9",
-			"minimatch@>=8 <9": "^8.0.7",
-			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4",
-			"serialize-javascript@>=6 <7": "^7.0.4",
-			"picomatch@>=2 <3": "^2.3.2",
-			"picomatch@>=4 <5": "^4.0.4"
-		},
 		"onlyBuiltDependencies": [
 			"esbuild",
 			"unrs-resolver"

common/build/eslint-config-fluid/pnpm-workspace.yaml

@@ -14,3 +14,31 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+  # brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.
+  "brace-expansion@>=1 <2": "^1.1.12"
+
+  # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+  "diff@>=5 <6": "^5.2.2"
+
+  # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+  js-yaml: "^4.1.1"
+
+  # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+  # major version ranges.
+  "minimatch@>=3 <4": "^3.1.5"
+  "minimatch@>=5 <6": "^5.1.9"
+  "minimatch@>=6 <7": "^6.2.3"
+  "minimatch@>=7 <8": "^7.4.9"
+  "minimatch@>=8 <9": "^8.0.7"
+  "minimatch@>=9 <10": "^9.0.9"
+  "minimatch@>=10 <11": "^10.2.4"
+
+  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq and CVE-2024-11831.
+  # No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).
+  "serialize-javascript@>=6 <7": "^7.0.4"
+
+  # picomatch: overridden to patched versions to resolve a known security vulnerability.
+  "picomatch@>=2 <3": "^2.3.2"
+  "picomatch@>=4 <5": "^4.0.4"

common/build/eslint-plugin-fluid/package.json

@@ -47,33 +47,5 @@
 	"peerDependencies": {
 		"eslint": "^8.57.0 || ^9.37.0"
 	},
-	"packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319",
-	"pnpm": {
-		"commentsOverrides": [
-			"validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive via swagger-tools).",
-			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
-			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
-			"diff: overridden to patched version to resolve a known ReDoS vulnerability.",
-			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
-			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
-			"brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.",
-			"picomatch: overridden to patched versions to resolve a known security vulnerability."
-		],
-		"overrides": {
-			"brace-expansion@>=1 <2": "^1.1.12",
-			"diff@>=5 <6": "^5.2.2",
-			"js-yaml": "^4.1.1",
-			"qs": "^6.15.0",
-			"validator": "^13.15.0",
-			"minimatch@>=3 <4": "^3.1.5",
-			"minimatch@>=5 <6": "^5.1.9",
-			"minimatch@>=6 <7": "^6.2.3",
-			"minimatch@>=7 <8": "^7.4.9",
-			"minimatch@>=8 <9": "^8.0.7",
-			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4",
-			"serialize-javascript@>=6 <7": "^7.0.4",
-			"picomatch@>=2 <3": "^2.3.2"
-		}
-	}
+	"packageManager": "pnpm@10.33.0+sha512.10568bb4a6afb58c9eb3630da90cc9516417abebd3fabbe6739f0ae795728da1491e9db5a544c76ad8eb7570f5c4bb3d6c637b2cb41bfdcdb47fa823c8649319"
 }

common/build/eslint-plugin-fluid/pnpm-workspace.yaml

@@ -14,3 +14,37 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+  # brace-expansion: overridden to ^1.1.12 to resolve CVE-2025-5889.
+  "brace-expansion@>=1 <2": "^1.1.12"
+
+  # diff: overridden to patched version to resolve a known ReDoS vulnerability.
+  "diff@>=5 <6": "^5.2.2"
+
+  # js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).
+  js-yaml: "^4.1.1"
+
+  # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+  qs: "^6.15.0"
+
+  # validator: overridden to ^13.15.0 to resolve a known vulnerability in older versions (transitive
+  # via swagger-tools).
+  validator: "^13.15.0"
+
+  # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+  # major version ranges.
+  "minimatch@>=3 <4": "^3.1.5"
+  "minimatch@>=5 <6": "^5.1.9"
+  "minimatch@>=6 <7": "^6.2.3"
+  "minimatch@>=7 <8": "^7.4.9"
+  "minimatch@>=8 <9": "^8.0.7"
+  "minimatch@>=9 <10": "^9.0.9"
+  "minimatch@>=10 <11": "^10.2.4"
+
+  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+  # 7.x is API-compatible (only drops Node <20 support).
+  "serialize-javascript@>=6 <7": "^7.0.4"
+
+  # picomatch: overridden to patched versions to resolve a known security vulnerability.
+  "picomatch@>=2 <3": "^2.3.2"

common/lib/common-utils/package.json

@@ -151,41 +151,6 @@
 			"puppeteer",
 			"unrs-resolver"
 		],
-		"overridesComments": [
-			"sharp <0.32.6 has a vulnerability that Component Governance flags (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through jssm-viz-cli, which hasn't updated to a version with the fix",
-			"oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very frequently.",
-			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
-			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
-			"diff: overridden to patched versions to resolve a known ReDoS vulnerability.",
-			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
-			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support).",
-			"picomatch: overridden to patched versions to resolve a known security vulnerability."
-		],
-		"overrides": {
-			"diff@>=4 <5": "^4.0.4",
-			"diff@>=5 <6": "^5.2.2",
-			"diff@>=8 <9": "^8.0.3",
-			"js-yaml@<4": "^3.14.2",
-			"js-yaml@>=4": "^4.1.1",
-			"jws": "^3.2.3",
-			"oclif>@aws-sdk/client-cloudfront": "-",
-			"oclif>@aws-sdk/client-s3": "-",
-			"qs": "^6.15.0",
-			"simple-git": "^3.32.3",
-			"sharp": "^0.33.2",
-			"tar": "^7.5.11",
-			"minimatch@>=3 <4": "^3.1.5",
-			"minimatch@>=5 <6": "^5.1.9",
-			"minimatch@>=6 <7": "^6.2.3",
-			"minimatch@>=7 <8": "^7.4.9",
-			"minimatch@>=8 <9": "^8.0.7",
-			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4",
-			"serialize-javascript@>=6 <7": "^7.0.4",
-			"picomatch@>=2 <3": "^2.3.2",
-			"picomatch@>=4 <5": "^4.0.4"
-		},
 		"patchedDependencies": {
 			"@microsoft/api-extractor@7.58.1": "../../../patches/@microsoft__api-extractor@7.58.1.patch"
 		}

common/lib/common-utils/pnpm-workspace.yaml

@@ -14,3 +14,54 @@ resolutionMode: highest
 blockExoticSubdeps: true
 trustPolicy: no-downgrade
 strictDepBuilds: true
+
+overrides:
+  # diff: overridden to patched versions to resolve a known ReDoS vulnerability.
+  "diff@>=4 <5": "^4.0.4"
+  "diff@>=5 <6": "^5.2.2"
+  "diff@>=8 <9": "^8.0.3"
+
+  # js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).
+  "js-yaml@<4": "^3.14.2"
+  "js-yaml@>=4": "^4.1.1"
+
+  jws: "^3.2.3"
+
+  # oclif includes some AWS-related features, but we don't use them, so we drop those dependencies
+  # entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very
+  # frequently.
+  "oclif>@aws-sdk/client-cloudfront": "-"
+  "oclif>@aws-sdk/client-s3": "-"
+
+  # qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.
+  qs: "^6.15.0"
+
+  # simple-git: overridden to ^3.32.3 to resolve a CG alert.
+  simple-git: "^3.32.3"
+
+  # sharp <0.32.6 has a vulnerability that Component Governance flags
+  # (https://github.com/advisories/GHSA-54xq-cgqr-rpm3). It's a transitive dependency through
+  # jssm-viz-cli, which hasn't updated to a version with the fix.
+  sharp: "^0.33.2"
+
+  # tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no
+  # backport).
+  tar: "^7.5.11"
+
+  # minimatch: overridden to patched versions to resolve known security vulnerabilities across all
+  # major version ranges.
+  "minimatch@>=3 <4": "^3.1.5"
+  "minimatch@>=5 <6": "^5.1.9"
+  "minimatch@>=6 <7": "^6.2.3"
+  "minimatch@>=7 <8": "^7.4.9"
+  "minimatch@>=8 <9": "^8.0.7"
+  "minimatch@>=9 <10": "^9.0.9"
+  "minimatch@>=10 <11": "^10.2.4"
+
+  # serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists;
+  # 7.x is API-compatible (only drops Node <20 support).
+  "serialize-javascript@>=6 <7": "^7.0.4"
+
+  # picomatch: overridden to patched versions to resolve a known security vulnerability.
+  "picomatch@>=2 <3": "^2.3.2"
+  "picomatch@>=4 <5": "^4.0.4"