Skip to content

πŸ“¦ Patch Dependabot security dependencies#476

Merged
baealex merged 1 commit into
mainfrom
chore/dependabot-security-dependencies
Jun 28, 2026
Merged

πŸ“¦ Patch Dependabot security dependencies#476
baealex merged 1 commit into
mainfrom
chore/dependabot-security-dependencies

Conversation

@baealex

@baealex baealex commented Jun 28, 2026

Copy link
Copy Markdown
Owner

🎯 Goal

  • Resolve remaining Dependabot security alerts after merging the existing update PRs.
  • Keep dependency changes scoped to patched versions and lockfile refreshes.

πŸ”§ Core Changes

  • Update root pnpm dev dependency from 10.28.2 to 10.34.4.
  • Update islands packageManager to pnpm@10.34.4.
  • Add islands pnpm overrides for patched transitive dependencies: @babel/core, dompurify, form-data, js-yaml, linkify-it, and markdown-it.
  • Regenerate package-lock.json and backend/islands/pnpm-lock.yaml.

πŸ€” Key Decisions

  • Kept pnpm on the patched 10.x line instead of taking the 11.x major release.
  • Used pnpm overrides because the vulnerable packages are transitive dependencies.

πŸ§ͺ Verification Guide

How to verify

  1. Run npm audit --audit-level=low.
  2. Run npx -y pnpm@10.34.4 --dir backend/islands audit --audit-level=low.
  3. Run npm run islands:lint.
  4. Run npm run islands:type-check.

Expected result

  • Audits report no known vulnerabilities.
  • Lint and type-check complete successfully.

βœ… Checklist

  • Lint completed
  • Type-check completed
  • Tests completed
  • Documentation updated (if needed)

@baealex baealex merged commit 28cc443 into main Jun 28, 2026
2 checks passed
@baealex baealex deleted the chore/dependabot-security-dependencies branch June 28, 2026 05:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant