Skip to content

chore(deps): patch transitive dev-dep security advisories#5346

Merged
marcoscaceres merged 1 commit into
speced:mainfrom
marcoscaceres:chore/security-overrides-2026-07-07
Jul 7, 2026
Merged

chore(deps): patch transitive dev-dep security advisories#5346
marcoscaceres merged 1 commit into
speced:mainfrom
marcoscaceres:chore/security-overrides-2026-07-07

Conversation

@marcoscaceres

Copy link
Copy Markdown
Contributor

Patches transitive dev-dependency security advisories (dependabot + pnpm audit) via pnpm.overrides. All affected packages are dev/test/build only, reached through karma and eslint; none are in dependencies or ship in the browser bundle, so there is no runtime exposure for spec authors.

Forces patched versions: ws >=8.21.0, tmp >=0.2.6, qs >=6.15.2, js-yaml >=4.2.0, cookie >=0.7.0. This clears 6 of the 7 audit findings.

The remaining one, html-minifier (via rollup-plugin-minify-html-literals), has no upstream patch and the plugin is already on its latest version; it runs at build time on ReSpec's own trusted source, so it is left as-is.

Adds pnpm.overrides to force patched versions of transitive
devDependencies flagged by dependabot/pnpm audit (all dev/test/build
only; none ship in the browser bundle):

- ws >=8.21.0 (via karma>socket.io>engine.io)
- tmp >=0.2.6 (via karma)
- qs >=6.15.2 (via karma>body-parser)
- js-yaml >=4.2.0 (via eslint>@eslint/eslintrc)
- cookie >=0.7.0 (via karma>socket.io>engine.io)

Clears 6 of 7 audit findings. html-minifier (via
rollup-plugin-minify-html-literals) has no upstream patch and runs at
build time on trusted input; left as-is.
@marcoscaceres
marcoscaceres merged commit b673d5d into speced:main Jul 7, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant