
fix(deps): resolve 23 transitive dependency vulnerabilities #12

Merged
bntvllnt merged 2 commits into main from fix/transitive-dep-vulnerabilities
Mar 29, 2026

Conversation

@bntvllnt (Collaborator)

Summary

  • Bump @convex-dev/eslint-plugin ^1.1.1 → ^1.2.1 and eslint (dev) ^9.39.2 → ^9.39.4
  • Add pnpm.overrides for 6 transitive deps with no upstream fix: handlebars, flatted, minimatch, picomatch, brace-expansion
  • 23 → 0 vulnerabilities (1 critical, 14 high, 7 moderate, 1 low)
  • Bump version to 1.0.1

Closes #11

Vulnerability Resolution

| Package | Severity | Fix |
|---|---|---|
| handlebars | Critical + 4 High + 2 Moderate + 1 Low | override >=4.7.9 |
| minimatch 3.x | 3 High | override ^3.1.5 |
| minimatch 9.x | 3 High | override ^9.0.7 |
| flatted | 2 High | override >=3.4.2 |
| picomatch 2.x | 1 High + 1 Moderate | override ^2.3.2 |
| picomatch 4.x | 1 High + 1 Moderate | override ^4.0.4 |
| brace-expansion | 2 Moderate | override ^1.1.13 / ^2.0.3 |

Test plan

  • pnpm audit returns 0 vulnerabilities
  • pnpm test — 43/43 pass, zero regressions vs baseline
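As an added illustration, not the PR's own diff (which is not shown on this page), the overrides from the table above written as a `pnpm.overrides` block in `package.json`; the package name is a placeholder, and the `name@major` keys use pnpm's range-scoped override selectors so that each major line of minimatch, picomatch and brace-expansion is pinned separately instead of forcing every dependant onto a single major.

```json
{
  "name": "placeholder-package",
  "version": "1.0.1",
  "pnpm": {
    "overrides": {
      "handlebars": ">=4.7.9",
      "minimatch@3": "^3.1.5",
      "minimatch@9": "^9.0.7",
      "flatted": ">=3.4.2",
      "picomatch@2": "^2.3.2",
      "picomatch@4": "^4.0.4",
      "brace-expansion@1": "^1.1.13",
      "brace-expansion@2": "^2.0.3"
    }
  }
}
```

After editing, run `pnpm install` to regenerate the lockfile and `pnpm audit` to confirm the count drops to 0; an unscoped `"minimatch": "^9.0.7"` would also rewrite the 3.x dependants, which is the breakage the scoped keys avoid.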


@greptile-apps greptile-apps bot left a comment


Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

@bntvllnt bntvllnt self-assigned this Mar 29, 2026
@bntvllnt bntvllnt force-pushed the fix/transitive-dep-vulnerabilities branch from 4e5d229 to 08268a6 on March 29, 2026 20:23
Bump @convex-dev/eslint-plugin ^1.1.1 → ^1.2.1 and eslint (dev)
^9.39.2 → ^9.39.4. Refresh lockfile via pnpm update to resolve
transitive deps (minimatch, picomatch, flatted, brace-expansion)
to patched versions within existing semver ranges.

Add single pnpm override for handlebars >=4.7.9 — the only
transitive dep hard-pinned by upstream (@boundaries/elements).

23 → 0 vulnerabilities. All dep ranges unchanged (no new lint
rules forced on consumers). Safe for patch release.

Closes #11
@bntvllnt bntvllnt force-pushed the fix/transitive-dep-vulnerabilities branch from 08268a6 to 2462964 on March 29, 2026 20:25
@bntvllnt bntvllnt merged commit 5c32e9d into main Mar 29, 2026
2 checks passed
@bntvllnt bntvllnt deleted the fix/transitive-dep-vulnerabilities branch March 29, 2026 20:26

Development

Successfully merging this pull request may close these issues.

fix: bump transitive deps to resolve 28 vulnerabilities

1 participant