chore(deps): pin patched transitive deps via pnpm.overrides #42
Reference in New Issue
Block a user
Delete Branch "chore/deps/audit-overrides"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Direct-dep updates from Renovate could not clear the
scangate — 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside transitive chains pinned by upstream tooling:nx > axios(8× CVEs),nx > yaml,nx > follow-redirects@nx/devkit > minimatch > brace-expansionnestjs-prisma > @angular-devkit/core > ajv@angular/cli > @modelcontextprotocol/sdk > express-rate-limit > ip-address@lhci/cli > tmpPatched versions exist upstream but the parents pin tighter ranges. Renovate cannot help here —
pnpm.overrideswith the upper-bound form (pkg@<x.y.z) is the right tool: it forces patched resolutions today and self-expires once a parent legitimately reaches the patched version (the override stops matching).After overrides:
pnpm audit --audit-level=moderate→ 0 vulnerabilities.Bonus fix
Lint-staged was running prettier on
pnpm-lock.yamlbecause the glob*.yamlmatched. Tightened the glob to!(pnpm-lock).{...,yaml}so the lockfile stays under pnpm's own formatting authority.Test plan
scanjob goes green on this PR.check(lint/test/build).pnpm-lock.yaml.Out of scope (separate follow-up PRs)
While testing locally, two pre-existing regressions on
mainsurfaced (introduced by recent Renovate major bumps that passed CI throughnx affectedreporting "nothing affected"):tsconfig.lib.json→TS5101: Option 'baseUrl' is deprecatedon every lib build.@nx/eslint@22.7.1plugin can't resolve eslint, project graph fails.Both deserve their own investigation before we move on to phase-2 chantiers.
Renovate-driven updates of direct deps could not clear the audit gate: 20 vulnerabilities (4 high + 13 moderate + 3 low) lived inside transitive chains pinned by upstream tooling — `nx > axios`, `nx > yaml`, `nx > follow-redirects`, `@nx/devkit > minimatch > brace-expansion`, `nestjs-prisma > @angular-devkit/core > ajv`, `@angular/cli > @modelcontextprotocol/sdk > express-rate-limit > ip-address`, `@lhci/cli > tmp`. Upstream releases that bump those transitives have not landed (or never will, in some cases). Use `pnpm.overrides` with the upper-bound form (`pkg@<x.y.z`): forces patched versions even when a parent specifies a tighter range, and the rule expires on its own once a parent legitimately resolves to a patched version (it stops matching). Result: `pnpm audit --audit-level=moderate` reports zero vulnerabilities. Remaining peer-dep warnings (`chokidar`, `typescript`) are pre-existing mismatches inside nestjs-prisma / @nestjs/schematics and out of scope for this PR. Also fix a lint-staged trap surfaced while preparing this PR: the glob `*.yaml` was matching `pnpm-lock.yaml`, so prettier reformatted the entire lockfile on every dep-change commit (~9000 lines of diff churn, with a non-zero risk of pnpm rejecting the rewritten file). Tighten the glob to `!(pnpm-lock).{...,yaml}` so the lockfile is left to pnpm's own formatter.