
Conversation

@mattinannt (Member)

Summary

This PR addresses two main requirements:

  1. Pinning Dependencies: All dependencies in the root package.json and workspace packages have been pinned to specific versions to meet enterprise security requirements.
  2. Security Fix: Added a pnpm.overrides for the tar package to version 7.5.4 to resolve a high-severity vulnerability (Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS #42).

Changes

  • Updated package.json to pin prettier, turbo, and other devDependencies.
  • Updated apps/playground/package.json to pin its dependencies.
  • Added pnpm.overrides and a descriptive comment in the root package.json.
  • Updated pnpm-lock.yaml via pnpm install.

Test plan

  • Verified that pnpm install completes successfully.
  • Verified tar version in pnpm-lock.yaml is 7.5.4.

- Pin all dependencies in package.json to specific versions as per enterprise requirements.
- Add pnpm override for 'tar' to version 7.5.4 to fix high-severity vulnerability (Dependabot #42).
- Update pnpm-lock.yaml to reflect changes.
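The two things this PR claims (every dependency spec is an exact version, and the override actually takes effect in the lockfile) are easy to script rather than eyeball. The following is an added example, not code from the PR or the project: it checks a package.json object for non-exact specs and scans a pnpm-lock.yaml for every resolved version of a package, then reports any copy still below the required minimum. It assumes lockfile package keys of the form `tar@7.5.4:` (lockfile v9) or `/tar@7.5.4:` (v6), optionally quoted and optionally carrying a `(peer@x.y.z)` suffix; the manifest and lockfile excerpts in the block are constructed for the demonstration.

```javascript
// Added example for this PR thread, not code from the PR or the project.
// Two checks a reviewer would script for a "pin everything + override tar" change:
//   1. every dependency spec in package.json is an exact version (no ^, ~, x-ranges, tags)
//   2. every copy of a package resolved in pnpm-lock.yaml meets a minimum version,
//      which is what the pnpm.overrides entry is supposed to guarantee
// Assumptions: lockfile package keys look like `tar@7.5.4:` (lockfile v9) or
// `/tar@7.5.4:` (v6), optionally quoted and with a `(peer@x.y.z)` suffix.
// The manifest and lockfile excerpts below are constructed for the demo.

const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Specs that are pinned by construction: workspace links and local paths.
const NON_REGISTRY = /^(workspace|link|file):/;

// Returns "name@spec" for every dependency that is not an exact version.
function findUnpinned(manifest) {
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (NON_REGISTRY.test(spec)) continue;
      if (!SEMVER_EXACT.test(spec)) unpinned.push(`${name}@${spec}`);
    }
  }
  return unpinned;
}

// Collects every version of `pkg` listed under the top-level `packages:` section.
// Package keys are two-space indented; their fields (resolution, engines, ...) are deeper.
function resolvedVersions(lockfileText, pkg) {
  const versions = [];
  let inPackages = false;
  for (const line of lockfileText.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false;        // any other top-level key ends the section
    if (!inPackages) continue;
    const m = line.match(/^ {2}(\S.*?):\s*$/);
    if (!m) continue;
    // drop quotes, the v6 leading slash and any peer-dependency suffix
    const key = m[1].replace(/^'|'$/g, '').replace(/^\//, '').replace(/\(.*\)$/, '');
    const at = key.lastIndexOf('@');                 // scoped names keep their leading @
    if (at <= 0) continue;
    if (key.slice(0, at) === pkg) versions.push(key.slice(at + 1));
  }
  return versions;
}

// Numeric major.minor.patch comparison; prerelease tags are ignored for this check.
function semverLess(a, b) {
  const pa = a.split('.').map((s) => parseInt(s, 10));
  const pb = b.split('.').map((s) => parseInt(s, 10));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Versions of `pkg` in the lockfile that are still below `minimum`.
function versionsBelow(lockfileText, pkg, minimum) {
  return resolvedVersions(lockfileText, pkg).filter((v) => semverLess(v, minimum));
}

// Constructed manifest: one workspace link, one exact pin, one caret range, one dist-tag.
const SAMPLE_MANIFEST = {
  dependencies: { '@acme/ui': 'workspace:*' },
  devDependencies: { prettier: '3.0.0', turbo: '^2.7.5', typescript: 'latest' },
  pnpm: { overrides: { tar: '7.5.4' } },
};

// Constructed lockfile excerpt as it might look before the override was applied:
// a transitive tar 6.x still sits next to the patched 7.5.4.
const LOCK_BEFORE_OVERRIDE = `lockfileVersion: '9.0'

settings:
  autoInstallPeers: true

packages:

  '@acme/ui@1.0.0':
    resolution: {integrity: sha512-constructed}

  tar@6.2.1:
    resolution: {integrity: sha512-constructed}

  tar@7.5.4:
    resolution: {integrity: sha512-constructed}
    engines: {node: '>=18'}

snapshots:

  tar@6.2.1: {}
  tar@7.5.4: {}
`;

// Constructed lockfile excerpt after `pnpm install` with the override in place.
const LOCK_AFTER_OVERRIDE = `lockfileVersion: '9.0'

overrides:
  tar: 7.5.4

packages:

  tar@7.5.4:
    resolution: {integrity: sha512-constructed}
`;

console.log('unpinned specs:', findUnpinned(SAMPLE_MANIFEST));
console.log('tar below 7.5.4 before override:', versionsBelow(LOCK_BEFORE_OVERRIDE, 'tar', '7.5.4'));
console.log('tar below 7.5.4 after override:', versionsBelow(LOCK_AFTER_OVERRIDE, 'tar', '7.5.4'));
```

On a real checkout, feed `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and `fs.readFileSync('pnpm-lock.yaml', 'utf8')` to the same functions. The lockfile check is the one that matters for the security fix: an override in package.json changes nothing until `pnpm install` rewrites the lockfile, so "tar is 7.5.4 in pnpm-lock.yaml" (the PR's own test plan item) is the condition to assert in CI, not the presence of the override entry.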

@coderabbitai (bot) commented Jan 27, 2026

Walkthrough

The changes update package.json with version bumps for development dependencies and package management tooling. The turbo dependency is upgraded from 2.7.5 to 2.7.6, and the package manager is updated from pnpm@10.28.1 to pnpm@10.28.2. Additionally, a new pnpm configuration section is introduced that pins the tar package to version 7.5.4 as an override, with a comment indicating this addresses security vulnerabilities in transitive dependencies pending upstream resolution.

Pre-merge checks: 3 passed

Check name | Status | Explanation
Title check | Passed | The title clearly and concisely summarizes the main changes: pinning dependencies and fixing the tar vulnerability, which aligns with the core objectives of the pull request.
Description check | Passed | The description is well-structured, provides clear context about the two main requirements (pinning dependencies and fixing tar vulnerability), explains the changes made, and includes a test plan that verifies the work.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@mattinannt mattinannt added this pull request to the merge queue Jan 27, 2026
Merged via the queue into main with commit 4c56f8c Jan 27, 2026
9 checks passed
3 participants