Skip to content

πŸ“¦ Trim security dependency overrides#477

Closed
baealex wants to merge 1 commit into
mainfrom
chore/remove-unneeded-security-overrides
Closed

πŸ“¦ Trim security dependency overrides#477
baealex wants to merge 1 commit into
mainfrom
chore/remove-unneeded-security-overrides

Conversation

@baealex

@baealex baealex commented Jun 28, 2026

Copy link
Copy Markdown
Owner

🎯 Goal

  • Reduce the security dependency override surface introduced while resolving Dependabot alerts.
  • Keep only overrides that are actually needed after lockfile resolution.

πŸ”§ Core Changes

  • Remove unnecessary pnpm overrides for @babel/core, form-data, js-yaml, linkify-it, and markdown-it.
  • Keep dompurify override because monaco-editor@0.55.1 pins dompurify to 3.2.7 exactly when the override is removed.
  • Keep the existing esbuild override.

πŸ€” Key Decisions

  • Verified that non-DOMPurify packages stay on patched versions through normal lockfile resolution.
  • Avoided updating to unstable Monaco dev releases; stable monaco-editor@0.55.1 is currently the latest stable and still pins vulnerable DOMPurify.

πŸ§ͺ Verification Guide

How to verify

  1. Run npx -y pnpm@10.34.4 --dir backend/islands audit --audit-level=low.
  2. Run npm audit --audit-level=low.
  3. Run npm run islands:lint.
  4. Run npm run islands:type-check.

Expected result

  • Audits report no known vulnerabilities.
  • Lint and type-check complete successfully.

βœ… Checklist

  • Lint completed
  • Type-check completed
  • Tests completed
  • Documentation updated (if needed)

@baealex

baealex commented Jun 29, 2026

Copy link
Copy Markdown
Owner Author

Closing this because keeping the dependency overrides is the safer guardrail against future lockfile re-resolution.

@baealex baealex closed this Jun 29, 2026
@baealex baealex deleted the chore/remove-unneeded-security-overrides branch June 29, 2026 13:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant