
fix(deps): resolve pnpm audit vulnerabilities breaking CI#90

Merged
BODMAT merged 1 commit into master from fix/security-audit-vulns on Jun 16, 2026

Conversation

BODMAT (Collaborator) commented Jun 15, 2026

Description

The Security Audit CI job (pnpm audit --audit-level=moderate) started
failing on 6 vulnerabilities (surfaced on the #85 dependabot run). This pins
patched versions of the affected packages:

Overrides live in pnpm-workspace.yaml since pnpm 10 no longer reads the
pnpm field in package.json.

Closes # (issue)

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

Full CI-equivalent run locally, all green:

  • pnpm audit --audit-level=moderate → exit 0 (1 low remaining, below threshold)
  • pnpm run check-types → 4/4
  • pnpm run lint + pnpm run format:check → clean
  • API Jest → 382/382 (40 suites; covers supertest/form-data + coverage/js-yaml)
  • Web Vitest → 19/19 (6 files; on vite 8.0.16)
  • Unit tests (Jest/Vitest)
  • Integration tests
  • Manual testing (screenshots/screencasts encouraged)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have documented non-obvious behavior or constraints where necessary
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • (If API) Database migrations have been created and tested
  • (If UI) Changes look good on mobile and desktop

Pin patched versions of three advisories that fail the Security Audit
job (pnpm audit --audit-level=moderate):

- vite -> ^8.0.16 as a direct devDep in apps/web (was peer-only at
  8.0.13, so a workspace override did not apply): GHSA-fx2h-pf6j-xcff
  (high), GHSA-v6wh-96g9-6wx3 (moderate)
- form-data -> ^4.0.6 override: GHSA-hmw2-7cc7-3qxx (high)
- js-yaml -> ^4.2.0 override: GHSA-h67p-54hq-rp68 (moderate); consumers
  only call js-yaml.load(), present in v4

Overrides live in pnpm-workspace.yaml since pnpm 10 no longer reads the
package.json pnpm field.
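As an added illustration (not the PR's own diff, which this page does not show), this is the shape of the pnpm-workspace.yaml override block the description refers to, using the two override pins the commit message lists. The `packages` globs are an assumed workspace layout (the page only mentions apps/web), and the comment about apps/web/package.json restates the description's point that vite had to be pinned as a direct devDependency because a workspace override does not reach a package that is only referenced as a peer dependency.

```yaml
# pnpm-workspace.yaml (added example, not the PR's own diff)
packages:
  - "apps/*"        # assumed layout; the page only names apps/web
  - "packages/*"

# pnpm 10 reads overrides from this file, not from the "pnpm" field in
# package.json, so a "pnpm.overrides" block there is silently ignored.
#
# An override only rewrites versions pnpm actually resolves into the
# lockfile. It cannot raise a package that is present only as a peer
# dependency (vite 8.0.13 in this PR); that one is pinned as a direct
# devDependency in apps/web/package.json ("vite": "^8.0.16") instead.
overrides:
  form-data: "^4.0.6"   # GHSA-hmw2-7cc7-3qxx (high)
  js-yaml: "^4.2.0"     # GHSA-h67p-54hq-rp68 (moderate)
```

Two checks worth running after editing the file: `pnpm install` must regenerate the lockfile (an override that does not change pnpm-lock.yaml has not applied), and `pnpm why js-yaml` shows which versions are still resolved and by whom. The js-yaml pin jumps a major version, so the commit message's note that every consumer only calls `load()` (still present in v4) is the compatibility check that makes that override safe; an override across a major boundary always needs that kind of API check, not just a green `pnpm audit --audit-level=moderate`.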
vercel (bot) commented Jun 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: fin-track-web
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 15, 2026 9:19pm

@BODMAT BODMAT merged commit 727a785 into master Jun 16, 2026
14 checks passed
@BODMAT BODMAT deleted the fix/security-audit-vulns branch June 16, 2026 09:57