chore(deps): pin patched transitive deps via pnpm.overrides
CI / commits (pull_request) Successful in 2m13s
CI / check (pull_request) Failing after 2m23s
CI / a11y (pull_request) Successful in 1m45s
CI / perf (pull_request) Failing after 2m4s
CI / scan (pull_request) Failing after 7m29s

Renovate-driven updates of direct deps could not clear the audit
gate: 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside
transitive chains pinned by upstream tooling — `nx > axios`,
`nx > yaml`, `nx > follow-redirects`, `@nx/devkit > minimatch >
brace-expansion`, `nestjs-prisma > @angular-devkit/core > ajv`,
`@angular/cli > @modelcontextprotocol/sdk > express-rate-limit >
ip-address`, `@lhci/cli > tmp`. Upstream releases that bump those
transitives have not landed (or never will, in some cases).

Use `pnpm.overrides` with the upper-bound form (`pkg@<x.y.z`):
forces patched versions even when a parent specifies a tighter
range, and the rule expires on its own once a parent legitimately
resolves to a patched version (it stops matching).

Result: `pnpm audit --audit-level=moderate` reports zero
vulnerabilities. Remaining peer-dep warnings (`chokidar`,
`typescript`) are pre-existing mismatches inside nestjs-prisma /
@nestjs/schematics and out of scope for this PR.

Also fix a lint-staged trap surfaced while preparing this PR: the
glob `*.yaml` was matching `pnpm-lock.yaml`, so prettier reformatted
the entire lockfile on every dep-change commit (~9000 lines of
diff churn, with a non-zero risk of pnpm rejecting the rewritten
file). Tighten the glob to `!(pnpm-lock).{...,yaml}` so the
lockfile is left to pnpm's own formatter.
This commit is contained in:
Julien Gautier
2026-05-06 21:21:54 +02:00
parent 6545c3a176
commit 1edaeb1857
2 changed files with 46 additions and 170 deletions
+11 -2
View File
@@ -12,7 +12,7 @@
},
"private": true,
"lint-staged": {
"*.{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
"!(pnpm-lock).{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
"prettier --write"
]
},
@@ -30,7 +30,16 @@
"nx",
"prisma",
"unrs-resolver"
]
],
"overrides": {
"axios@<1.15.2": ">=1.15.2",
"ajv@<8.18.0": ">=8.18.0",
"brace-expansion@<5.0.5": ">=5.0.5",
"follow-redirects@<1.16.0": ">=1.16.0",
"ip-address@<10.1.1": ">=10.1.1",
"tmp@<0.2.4": ">=0.2.4",
"yaml@<2.8.3": ">=2.8.3"
}
},
"prisma": {
"schema": "apps/portal-bff/prisma/schema.prisma"