chore(deps): clear pnpm audit advisories (hono, vite, js-yaml)#45
Merged
Newly-published advisories began failing the CI `pnpm audit --audit-level=moderate` gate repo-wide (main passed only because its run predates publication).

- Override hono >=4.12.25 (runtime, via @modelcontextprotocol/sdk in the CLI) and js-yaml >=4.2.0 (dev, via @changesets/cli).
- Pin vite ^8.0.16 as a direct devDependency in the cli/react-email/sdk test packages. An override can't move it because vite is both a dependency and a peerDependency of vitest; pinning it where the peer is consumed does.

pnpm audit (moderate and high) now reports no known vulnerabilities; build, typecheck, and tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01A299AvEPRfoWPP3Hq5NJGa
## Why

CI's `pnpm audit --audit-level=moderate` gate (.github/workflows/ci.yml) started failing repo-wide on 9 newly-published advisories. main's last run was green only because it predates publication — `pnpm audit` queries the live advisory DB, so any new run (on main or any PR) now fails. This is surfacing on #44 but is not caused by it; splitting the fix out keeps that PR focused on the `blocked` status and fixes main too.

## Advisories cleared (9 → 0)

| Package | Vulnerable range | Reached via | Fix |
| --- | --- | --- | --- |
| hono | <4.12.25 | @senderkit/cli › @modelcontextprotocol/sdk | >=4.12.25 (5 advisories) |
| js-yaml | ≤4.1.1 | @changesets/cli | >=4.2.0 |
| vite | ≤8.0.15 | vitest | ^8.0.16 as a direct devDependency |

## Notes

- hono / js-yaml are fixed with `pnpm.overrides`, matching the repo's existing precedent (postcss, esbuild).
- vite can't be moved by an override: it's both a `dependency` and a `peerDependency` of vitest, which pnpm 10.13.1 won't re-resolve via overrides (it keeps the locked 8.0.14 even on a from-scratch lockfile). Pinning `vite@^8.0.16` as a direct devDependency in the three test packages (cli, react-email, sdk) resolves the peer to the patched version and eliminates 8.0.14 from the tree entirely.
- hono ships in a published package's runtime tree (`@senderkit/cli`), so the changeset is a single `@senderkit/cli` patch; vite / js-yaml are dev-only.

## Verification

- `pnpm audit --audit-level=moderate` and `--audit-level=high` → no known vulnerabilities.
- `pnpm install --frozen-lockfile`, `pnpm build`, `pnpm typecheck` pass.
- `pnpm test` green — sdk 58, cli 80, react-email 29.

🤖 Generated with Claude Code
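A deterministic complement to the audit gate discussed above, as an added example (not code from this PR or the repo): `pnpm audit` queries the live advisory DB, so the same commit can pass one day and fail the next; checking the versions actually resolved in `pnpm-lock.yaml` against the minimum patched versions the PR settled on runs offline and catches a stray `vite@8.0.14` regardless of when an advisory is published. The lockfile excerpt is constructed, the integrity hashes are placeholders, and the parser assumes the pnpm lockfile v9 layout (entries under `packages:` keyed `name@version`, scoped names quoted) and a numeric x.y.z version scheme.

```javascript
// Added example, not code from this PR: a lockfile-side gate for the three
// fixes in the PR table. Assumes the pnpm lockfile v9 layout and x.y.z versions.

// Minimum patched versions taken from the PR table.
const MINIMUM_FIXED = {
  hono: '4.12.25',
  'js-yaml': '4.2.0',
  vite: '8.0.16',
};

// Constructed excerpt of a pre-fix lockfile (integrity hashes are placeholders).
const SAMPLE_LOCKFILE_BEFORE = `lockfileVersion: '9.0'

packages:

  '@modelcontextprotocol/sdk@1.12.0':
    resolution: {integrity: sha512-placeholder}

  hono@4.12.24:
    resolution: {integrity: sha512-placeholder}

  js-yaml@4.1.0:
    resolution: {integrity: sha512-placeholder}

  vite@8.0.14:
    resolution: {integrity: sha512-placeholder}

snapshots:

  vitest@4.0.0(vite@8.0.14):
    dependencies:
      vite: 8.0.14
`;

// The same excerpt after the override (hono, js-yaml) and the devDependency pin (vite).
const SAMPLE_LOCKFILE_AFTER = SAMPLE_LOCKFILE_BEFORE
  .replace(/hono@4\.12\.24/g, 'hono@4.12.25')
  .replace(/js-yaml@4\.1\.0/g, 'js-yaml@4.2.0')
  .replace(/8\.0\.14/g, '8.0.16');

// Returns [{ name, version }] for every entry under the top-level `packages:` key.
// Only that section is read: `snapshots:` repeats the same packages with peer
// suffixes and would produce duplicates.
function parseLockfilePackages(lockText) {
  const found = [];
  let section = null;
  for (const raw of lockText.split('\n')) {
    if (/^\S/.test(raw)) {               // unindented line: a new top-level key
      section = raw.replace(/:\s*$/, '');
      continue;
    }
    if (section !== 'packages') continue;
    // Two-space indent, optional quotes, lazy name up to the version's `@`.
    const m = /^ {2}'?(.+?)@(\d+\.\d+\.\d+[^'(:\s]*)'?:\s*$/.exec(raw);
    if (m) found.push({ name: m[1], version: m[2] });
  }
  return found;
}

// Numeric comparison of x.y.z; returns -1, 0 or 1. A prerelease suffix such as
// `-beta.1` is dropped, which treats a prerelease as equal to its release.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lists every `name@version` in the lockfile that is below its minimum patched version.
function findUnpatched(lockText, minimums) {
  return parseLockfilePackages(lockText)
    .filter(({ name, version }) =>
      Object.hasOwn(minimums, name) && compareVersions(version, minimums[name]) < 0)
    .map(({ name, version }) => `${name}@${version}`);
}

console.log('before:', findUnpatched(SAMPLE_LOCKFILE_BEFORE, MINIMUM_FIXED));
console.log('after: ', findUnpatched(SAMPLE_LOCKFILE_AFTER, MINIMUM_FIXED));
```

Run against the real lockfile, `findUnpatched` returning a non-empty list is a fail condition that does not depend on the advisory DB's publication timing; the advisory-based `pnpm audit` gate still belongs in CI for everything this allow-list does not yet know about.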