chore(deps): pin patched transitive deps via pnpm.overrides (#42)
## Summary
Direct-dep updates from Renovate could not clear the `scan` gate — 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside transitive chains pinned by upstream tooling:
- `nx > axios` (8× CVEs), `nx > yaml`, `nx > follow-redirects`
- `@nx/devkit > minimatch > brace-expansion`
- `nestjs-prisma > @angular-devkit/core > ajv`
- `@angular/cli > @modelcontextprotocol/sdk > express-rate-limit > ip-address`
- `@lhci/cli > tmp`
Patched versions exist upstream but the parents pin tighter ranges. Renovate cannot help here — `pnpm.overrides` with the **upper-bound** form (`pkg@<x.y.z`) is the right tool: it forces patched resolutions today and self-expires once a parent legitimately reaches the patched version (the override stops matching).
After overrides: `pnpm audit --audit-level=moderate` → **0 vulnerabilities**.
## Bonus fix
Lint-staged was running prettier on `pnpm-lock.yaml` because the glob `*.yaml` matched. Tightened the glob to `!(pnpm-lock).{...,yaml}` so the lockfile stays under pnpm's own formatting authority.
## Test plan
- [ ] `scan` job goes green on this PR.
- [ ] No regression on `check` (lint/test/build).
- [ ] On the next deps-bump commit (any future Renovate PR rebased), the local pre-commit hook does **not** reformat `pnpm-lock.yaml`.
## Out of scope (separate follow-up PRs)
While testing locally, two pre-existing regressions on `main` surfaced (introduced by recent Renovate major bumps that passed CI through `nx affected` reporting "nothing affected"):
- **TypeScript 6 (PR #33)** — `tsconfig.lib.json` → `TS5101: Option 'baseUrl' is deprecated` on every lib build.
- **ESLint 10 (PR #36)** — `@nx/eslint@22.7.1` plugin can't resolve eslint, project graph fails.
Both deserve their own investigation before we move on to phase-2 chantiers.
---------
Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr>
Reviewed-on: #42
This commit was merged in pull request #42.
This commit is contained in:
+11
-2
@@ -12,7 +12,7 @@
|
||||
},
|
||||
"private": true,
|
||||
"lint-staged": {
|
||||
"*.{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
|
||||
"!(pnpm-lock).{ts,tsx,js,jsx,html,scss,css,md,json,yml,yaml}": [
|
||||
"prettier --write"
|
||||
]
|
||||
},
|
||||
@@ -30,7 +30,16 @@
|
||||
"nx",
|
||||
"prisma",
|
||||
"unrs-resolver"
|
||||
]
|
||||
],
|
||||
"overrides": {
|
||||
"axios@<1.15.2": ">=1.15.2",
|
||||
"ajv@<8.18.0": ">=8.18.0",
|
||||
"brace-expansion@<5.0.5": ">=5.0.5",
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
"tmp@<0.2.4": ">=0.2.4",
|
||||
"yaml@<2.8.3": ">=2.8.3"
|
||||
}
|
||||
},
|
||||
"prisma": {
|
||||
"schema": "apps/portal-bff/prisma/schema.prisma"
|
||||
|
||||
Reference in New Issue
Block a user