fix(ci): unblock dependency audit - patch shell-quote, ignore unreachable uuid advisory #81

Merged: BODMAT merged 1 commit into master from fix/ci-security-audit-unblock on Jun 10, 2026
Conversation

BODMAT (Owner) commented Jun 10, 2026

Description

Every open Dependabot PR is currently red on the same single check — the
Security Audit job. Two advisories were published after master last ran CI:

  • shell-quote@1.8.3 (GHSA-w7jw-789q-3m8p, critical), pulled as a
    dev-only transitive dep by concurrently@9.2.1. Fixed for real via a pnpm
    override to ^1.8.4.
  • uuid@8.3.2 (GHSA-w5hq-g745-h8pq, moderate), transitive prod dep of
    next-auth@4.24.14 (locked to uuid v8). The vulnerable path (v3/v5/v6 buffer
    bounds) is unreachable through next-auth, so it is ignored via
    pnpm.auditConfig.ignoreGhsas + allow-ghsas in dependency-review, with a
    note to revisit on the next-auth v5 upgrade.

Bonus fix: pnpm v10 no longer reads pnpm.overrides / onlyBuiltDependencies
from package.json and was silently ignoring them — migrated to
pnpm-workspace.yaml where they now actually apply.

Merging this unblocks all pending Dependabot PRs (then @dependabot rebase on each).

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  • Manual testing: pnpm audit --audit-level=moderate exits 0 locally
    (was: 1 critical + 1 moderate); lockfile diff is exactly
    shell-quote 1.8.3 → 1.8.4; pnpm run format:check passes.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • My changes generate no new warnings — pnpm prints a cosmetic warning
    about pnpm.auditConfig in package.json; the ignore still works (audit
    reads it from there), documented in the commit
  • New and existing unit tests pass locally with my changes

…able uuid advisory

The Security Audit job and the PR-only dependency-review step were failing on
every PR because of two advisories that surfaced after master last ran CI:

- shell-quote@1.8.3 (GHSA-w7jw-789q-3m8p, critical, dev-only via concurrently):
  forced to ^1.8.4 via a pnpm override — a real patch, removes the critical.
- uuid@8.3.2 (GHSA-w5hq-g745-h8pq, moderate, transitive prod dep of next-auth@4
  which is locked to uuid v8): vulnerable v3/v5/v6 buffer path is unreachable via
  next-auth, so it is ignored (pnpm.auditConfig.ignoreGhsas + dependency-review
  allow-ghsas) until the next-auth v5 upgrade.

Also migrate the pnpm `overrides`/`onlyBuiltDependencies` from package.json to
pnpm-workspace.yaml: pnpm v10 no longer reads them from package.json and was
silently ignoring them.

Co-Authored-By: Makar Dzhehur <100146104+dzhhem@users.noreply.github.com>
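The PR and commit message above describe two distinct ways of getting an audit green: a real patch (the shell-quote override) and a documented exception (the uuid advisory, ignored with a reason and a revisit trigger). The following is an added example, not code from this PR or from the fin-track-web project, of a small CI gate that encodes that discipline: it reads the JSON report that `pnpm audit --json` emits, drops only advisories on an explicit allow-list (every entry must carry a written reason and a revisit condition), fails on anything left at or above the audit level, and flags allow-list entries that no longer match anything so stale exceptions get removed. The report shape (top-level `advisories` keyed by id, each with `github_advisory_id`, `module_name`, `severity` and `findings[].paths`) follows the npm-audit-v1 style output pnpm produces; treat the exact field names as an assumption and check them against your own `pnpm audit --json` output. The sample reports are constructed to mirror the two findings the PR describes.

```python
"""Audit gate with a documented, revisitable GHSA allow-list (added example)."""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample: the tree as it looked before the shell-quote override.
# Field names assume pnpm's npm-audit-v1 style JSON; verify against real output.
SAMPLE_AUDIT_BEFORE = json.dumps({
    "advisories": {
        "1001": {
            "github_advisory_id": "GHSA-w7jw-789q-3m8p",
            "module_name": "shell-quote",
            "severity": "critical",
            "findings": [{"version": "1.8.3", "paths": ["concurrently>shell-quote"]}],
        },
        "1002": {
            "github_advisory_id": "GHSA-w5hq-g745-h8pq",
            "module_name": "uuid",
            "severity": "moderate",
            "findings": [{"version": "8.3.2", "paths": ["next-auth>uuid"]}],
        },
    },
})

# Constructed sample: after the override, only the uuid finding remains.
SAMPLE_AUDIT_AFTER = json.dumps({
    "advisories": {
        "1002": json.loads(SAMPLE_AUDIT_BEFORE)["advisories"]["1002"],
    },
})

# Allow-list: each ignored advisory needs a reason and a concrete trigger for
# re-evaluation, so the exception cannot silently become permanent.
ALLOW_GHSAS = [
    {
        "ghsa": "GHSA-w5hq-g745-h8pq",
        "reason": "vulnerable v3/v5/v6 buffer path is not reachable through next-auth@4",
        "revisit": "next-auth v5 upgrade",
    },
]


def validate_allow_list(entries):
    """Return the set of allowed GHSA ids; reject entries lacking reason/revisit."""
    for entry in entries:
        for key in ("ghsa", "reason", "revisit"):
            if not entry.get(key):
                raise ValueError(f"allow-list entry {entry!r} is missing '{key}'")
    return {e["ghsa"] for e in entries}


def gate_audit(report_json, allow_entries, audit_level="moderate"):
    """Split a pnpm audit report into (blocking, ignored) advisory summaries.

    blocking: not allow-listed and at or above audit_level (fails the gate).
    ignored:  allow-listed and actually present (kept so stale entries show up).
    """
    allowed = validate_allow_list(allow_entries)
    threshold = SEVERITY_RANK[audit_level]
    report = json.loads(report_json)
    blocking, ignored = [], []
    for adv in report.get("advisories", {}).values():
        summary = {
            "ghsa": adv.get("github_advisory_id"),
            "module": adv.get("module_name"),
            "severity": adv.get("severity"),
            "paths": [p for f in adv.get("findings", []) for p in f.get("paths", [])],
        }
        if summary["ghsa"] in allowed:
            ignored.append(summary)
        elif SEVERITY_RANK.get(summary["severity"], 0) >= threshold:
            blocking.append(summary)
    return blocking, ignored


def stale_exceptions(ignored, allow_entries):
    """Allow-list ids that matched nothing: candidates for removal."""
    seen = {i["ghsa"] for i in ignored}
    return [e["ghsa"] for e in allow_entries if e["ghsa"] not in seen]


if __name__ == "__main__":
    # Usage: pnpm audit --json | python audit_gate.py -   (or no args for the sample)
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_AUDIT_BEFORE
    blocking, ignored = gate_audit(data, ALLOW_GHSAS)
    for adv in ignored:
        print(f"ignored  {adv['ghsa']} {adv['module']} via {', '.join(adv['paths'])}")
    for ghsa in stale_exceptions(ignored, ALLOW_GHSAS):
        print(f"stale    {ghsa}: no longer in report, remove the exception")
    for adv in blocking:
        print(f"BLOCKING {adv['ghsa']} {adv['module']} ({adv['severity']})")
    sys.exit(1 if blocking else 0)
```

Run against the pre-override sample the gate blocks on shell-quote and reports uuid as ignored; against the post-override sample it exits 0. The `stale_exceptions` output is the hook for the "revisit on next-auth v5" note: once the upgrade removes uuid@8 from the tree, the allow-list entry shows up as stale and can be deleted instead of lingering.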
vercel (bot) commented Jun 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: fin-track-web | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Jun 10, 2026 5:31pm

@BODMAT BODMAT requested a review from dzhhem June 10, 2026 17:36
@BODMAT BODMAT merged commit 2904619 into master Jun 10, 2026
14 checks passed
@BODMAT BODMAT deleted the fix/ci-security-audit-unblock branch June 10, 2026 19:27