
chore(deps): pin patched transitive npm deps (Vanta high/medium remediation)#10147

Merged
santicomp2014 merged 1 commit into
mainfrom
vuln-remediation/npm-transitive-bumps
Jul 1, 2026

Conversation

@santicomp2014

Contributor

What

Adds a Yarn Berry resolutions block to package.json so transitively-pinned npm
dependencies are forced to patched versions, then regenerates yarn.lock. Only
package.json and yarn.lock change.

Why (the transitive-pin trap)

These packages are not direct dependencies — they are pulled in transitively and
were pinned to vulnerable versions deep in yarn.lock. Bumping a direct dep doesn't
move them; the reliable fix in a Yarn Berry repo is resolutions. Berry matches each
resolution descriptor range exactly, so multi-major packages get one resolution per
vulnerable range that appears in the lockfile (verified by re-checking the lockfile and
iterating until nothing resolved below target).

Versions (all now >= patched target)

| package | before | after | notes |
|---|---|---|---|
| tar | 6.2.1 | 7.5.16 | MAJOR v6 -> v7 (build/dev) |
| serialize-javascript | 6.0.2 | 7.0.5 | MAJOR v6 -> v7 (build/dev) |
| lodash | 4.17.21 | 4.18.0 | |
| minimatch (v3) | 3.1.2 | 3.1.4 | |
| minimatch (v9) | 9.0.3 / 9.0.5 | 9.0.7 | |
| minimatch (v10) | 10.0.1 | 10.2.3 | |
| picomatch (v2) | 2.3.0 / 2.3.1 | 2.3.2 | |
| picomatch (v4) | 4.0.2 / 4.0.3 | 4.0.4 | |
| brace-expansion (v1) | 1.1.12 | 1.1.13 | ReDoS CVE-2025-5889 |
| brace-expansion (v2) | 2.0.1 | 5.0.7 | newer minimatch switched to v5; above all patched thresholds |

CI caveat — MAJOR bumps

tar and serialize-javascript jump v6 -> v7. These are build/dev transitive deps,
but tar v7 raises its Node floor (>= 18). Locally yarn install --immutable passes and
the bumps introduce no new peer-dependency conflicts (the only YN0060 warnings are
pre-existing vitest/rollup ones). Please let CI exercise the build/test pipeline before
un-drafting.

Status

Draft — opened for review / CI. Nothing merged.

🤖 Generated with Claude Code
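The "one resolution per vulnerable range" point from the description, as an added example that is not code from the PR or the project: a script that reads a Yarn Berry lockfile and derives a `resolutions` entry for every descriptor range that resolved below its patched floor, which is the re-check-and-iterate step described above done mechanically. `RULES`, `SAMPLE_LOCK` and the function names are constructed for illustration; the version floors are taken from the table in the description.

```javascript
// Added example (not code from the PR): audit a Yarn Berry yarn.lock against
// per-major version floors and emit the `resolutions` entries needed, one per
// descriptor range that resolved too low, since Berry matches ranges exactly.
// Floors from the PR's table. `major` limits a floor to one major line
// (minimatch ships several); without it the floor applies to every version.
const RULES = [
  { name: "minimatch", major: 3, floor: "3.1.4" },
  { name: "minimatch", major: 9, floor: "9.0.7" },
  { name: "tar", floor: "7.5.16" }, // deliberate v6 -> v7 jump
  { name: "lodash", floor: "4.18.0" },
];
// Constructed lockfile fragment in Berry's layout, not the repo's real file.
const SAMPLE_LOCK = `
"minimatch@npm:^3.0.4, minimatch@npm:^3.1.1":
  version: 3.1.2
"minimatch@npm:^9.0.3":
  version: 9.0.3
"tar@npm:^6.1.11":
  version: 6.2.1
"lodash@npm:^4.17.21":
  version: 4.18.0
`;

// Compare plain x.y.z versions numerically: negative when a < b, zero if equal.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  return pa.map((n, i) => n - (pb[i] || 0)).find((d) => d !== 0) || 0;
}
// Single pass, no YAML library: an unindented line ending in ":" carries the
// comma-separated descriptors, the indented `version:` below it the resolved
// version. Each descriptor below its floor yields one key without "npm:", e.g.
// "minimatch@^3.0.4": "3.1.4"; a range already at its floor yields none.
function buildResolutions(lockText, rules = RULES) {
  const out = {};
  let descriptors = [];
  for (const line of lockText.split("\n")) {
    if (/^\S.*:$/.test(line)) {
      descriptors = line.slice(0, -1).replace(/^"|"$/g, "").split(",").map((s) => s.trim());
    } else if (/^\s+version:/.test(line)) {
      const version = line.split(":")[1].trim();
      const major = Number(version.split(".")[0]);
      for (const d of descriptors) {
        const name = d.slice(0, d.lastIndexOf("@"));
        const rule = rules.find((r) => r.name === name && (r.major ?? major) === major);
        if (rule && compareVersions(version, rule.floor) < 0) out[d.replace("@npm:", "@")] = rule.floor;
      }
    }
  }
  return out;
}
```

Run it against the real yarn.lock after each `yarn install` and paste the returned object into `package.json`'s `resolutions`; an empty result means nothing resolves below target.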

…iation)

Rebuilt on current main and regenerated yarn.lock. Forces tar 7.5.16,
serialize-javascript 7.0.5, minimatch v3/v9/v10, picomatch v2/v4, lodash,
brace-expansion to patched. No vulnerable versions resolve.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@santicomp2014 santicomp2014 force-pushed the vuln-remediation/npm-transitive-bumps branch from ab31e09 to ec6146e June 30, 2026 22:14
@santicomp2014 santicomp2014 marked this pull request as ready for review July 1, 2026 14:00
@santicomp2014 santicomp2014 merged commit f6957cd into main Jul 1, 2026
9 of 10 checks passed
@santicomp2014 santicomp2014 deleted the vuln-remediation/npm-transitive-bumps branch July 1, 2026 14:17