chore(deps): pin patched transitive deps via pnpm.overrides
Renovate-driven updates of direct deps could not clear the audit
gate: 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside
transitive chains pinned by upstream tooling — `nx > axios`,
`nx > yaml`, `nx > follow-redirects`, `@nx/devkit > minimatch >
brace-expansion`, `nestjs-prisma > @angular-devkit/core > ajv`,
`@angular/cli > @modelcontextprotocol/sdk > express-rate-limit >
ip-address`, `@lhci/cli > tmp`. Upstream releases that bump those
transitives have not landed (or never will, in some cases).
Use `pnpm.overrides` with the upper-bound form (`pkg@<x.y.z`):
forces patched versions even when a parent specifies a tighter
range, and the rule expires on its own once a parent legitimately
resolves to a patched version (it stops matching).
Result: `pnpm audit --audit-level=moderate` reports zero
vulnerabilities. Remaining peer-dep warnings (`chokidar`,
`typescript`) are pre-existing mismatches inside nestjs-prisma /
@nestjs/schematics and out of scope for this PR.
Also fix a lint-staged trap surfaced while preparing this PR: the
glob `*.yaml` was matching `pnpm-lock.yaml`, so prettier reformatted
the entire lockfile on every dep-change commit (~9000 lines of
diff churn, with a non-zero risk of pnpm rejecting the rewritten
file). Tighten the glob to `!(pnpm-lock).{...,yaml}` so the
lockfile is left to pnpm's own formatter.
This commit is contained in:
+11
-2
@@ -12,7 +12,7 @@
|
||||
},
|
||||
"private": true,
|
||||
"lint-staged": {
|
||||
"*.{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
|
||||
"!(pnpm-lock).{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
|
||||
"prettier --write"
|
||||
]
|
||||
},
|
||||
@@ -30,7 +30,16 @@
|
||||
"nx",
|
||||
"prisma",
|
||||
"unrs-resolver"
|
||||
]
|
||||
],
|
||||
"overrides": {
|
||||
"axios@<1.15.2": ">=1.15.2",
|
||||
"ajv@<8.18.0": ">=8.18.0",
|
||||
"brace-expansion@<5.0.5": ">=5.0.5",
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
"tmp@<0.2.4": ">=0.2.4",
|
||||
"yaml@<2.8.3": ">=2.8.3"
|
||||
}
|
||||
},
|
||||
"prisma": {
|
||||
"schema": "apps/portal-bff/prisma/schema.prisma"
|
||||
|
||||
Reference in New Issue
Block a user