fix(security): resolve 22 dependabot alerts via workspace overrides #3250

Merged: misama-ct merged 1 commit into main from security/fix-alerts-2026-05-19 on May 19, 2026
Conversation

@misama-ct (Contributor)

Summary

Resolves all 22 open Dependabot security alerts by lifting transitive dependency floors in pnpm-workspace.yaml overrides:. Every affected package is dev-scoped (build/test/visual-regression tooling — axios via Bundlewatch & Puppeteer, basic-ftp/ip-address via Percy, postcss via Vite, etc.), so there is no runtime impact on publishable @commercetools-uikit/* packages and no changeset is required.

🔒 Vulnerabilities Fixed

| Package | Severity | Advisories | Version Change |
|---|---|---|---|
| axios | HIGH×5, MED×6, LOW×1 | CVE-2025-62718, CVE-2026-40175, CVE-2026-42033, CVE-2026-42035, CVE-2026-42037, CVE-2026-42038, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264 | resolves 1.14.0 → 1.16.1 |
| basic-ftp | HIGH×2 | CVE-2026-39983, GHSA-6v7q-wjvx-w8wg | resolves 5.2.0 → 5.3.1 |
| systeminformation | HIGH | CVE-2026-44724 | resolves 5.31.5 → 5.31.6 |
| @babel/plugin-transform-modules-systemjs | HIGH | CVE-2026-44728 | resolves 7.29.0 → 7.29.4 |
| fast-uri | HIGH×2 | CVE-2026-6321, CVE-2026-6322 | resolves 3.1.0 → 3.1.2 |
| follow-redirects | MED | GHSA-r4q5-vmmm-2653 | resolves 1.15.11 → 1.16.0 |
| ip-address | MED | CVE-2026-42338 | resolves 10.1.0 → 10.2.0 |
| js-yaml | MED | CVE-2025-64718 | resolves 4.1.0 → 4.1.1 (3.14.2 untouched) |
| postcss | MED | CVE-2026-41305 | resolves transitive 8.5.6 → 8.5.15 (already-safe catalog version) |

⚠️ Alerts Requiring Manual Attention

None — all 22 alerts had a SemVer-compatible patched version and were auto-fixable via overrides.

🧹 Overrides Changes

Added

| Override | Pinned to | Reason |
|---|---|---|
| @babel/plugin-transform-modules-systemjs | ^7.29.4 | Fixes CVE-2026-44728 in transitive of @babel/preset-env@7.29.2 |
| fast-uri | ^3.1.2 | Fixes CVE-2026-6321 & CVE-2026-6322 in transitive of ajv@8.18.0 |
| follow-redirects | ^1.16.0 | Fixes GHSA-r4q5-vmmm-2653 in transitive of axios |
| ip-address | ^10.1.1 | Fixes CVE-2026-42338 in transitive of socks@2.8.7 |
| js-yaml@^4.0.0 | ^4.1.1 | Fixes CVE-2025-64718 in transitive of @modyfi/vite-plugin-yaml. Scoped to 4.x line — js-yaml@3.14.2 (istanbul tooling) is unaffected and stays |
| postcss | ^8.5.10 | Fixes CVE-2026-41305 in stale vite transitive (8.5.6). Workspace consumers already use catalog postcss: 8.5.15 |

Updated

| Override | Old | New | Reason |
|---|---|---|---|
| axios | ^1.13.5 | ^1.15.2 | 12 CVEs (5 high / 6 medium / 1 low) — 1.14.0 was resolving inside the old range |
| basic-ftp | ^5.2.0 | ^5.2.2 | CVE-2026-39983 + GHSA-6v7q-wjvx-w8wg; 5.2.0 was resolving inside the old range |
| systeminformation | ^5.31.0 | ^5.31.6 | CVE-2026-44724; 5.31.5 was resolving inside the old range |

Removed (no parent in the current tree declares these; not blocking any vulnerable version — verified via pnpm why + node_modules/.pnpm/ inventory)

| Override | Was pinning to | Reason removed |
|---|---|---|
| @isaacs/brace-expansion | ^5.0.1 | Absent from lockfile and from node_modules/.pnpm/; no parent declares it |
| got | 14.5.0 | Absent from lockfile and from node_modules/.pnpm/; no parent declares it |
| tar | ^7.5.11 | Absent from lockfile and from node_modules/.pnpm/; no parent declares it |

Kept — all other existing overrides remain (@babel/preset-env, core-js-compat, flatted, glob-parent, handlebars, immutable, jest-environment-node, json5, lodash, lodash-es, minimatch, path-to-regexp@*, picomatch@*, react-from-dom, rollup@*, svgo, tar-fs@*, trim@0.0.1, plus the @types/* and @typescript-eslint/* compatibility pins). Each was verified still active by pnpm why resolving against a parent in the current tree.

🔄 Superseded Dependabot PRs

None — Dependabot did not have any open PRs for these alerts (gh pr list --search "author:app/dependabot" returned an empty list).

✅ Validation

| Check | Status | Notes |
|---|---|---|
| pnpm lint | ✅ Pass | 1308/1308 |
| pnpm lint:publint | ✅ Pass | EXIT=0 after fresh build (this is what CI runs after the build step) |
| pnpm typecheck | ✅ Pass | clean |
| pnpm build | ✅ Pass | bundles built |
| pnpm test | ✅ Pass | 1402/1402 |
| pnpm test:bundle | ✅ Pass | 3/3 |
| pnpm lint:css | ⚠️ 19 pre-existing failures | Not caused by this PR. lint:css was removed from CI in March 2023 (commit cb0a75647, "ci: disable stylelint"); the same 19 stylelint failures exist on main. Out of scope for this PR. |

📋 Review Checklist

  • All 22 CVEs in the table above are covered
  • No catalog or workspace package.json edits required (overrides are the right knob)
  • Removed overrides really are unused — spot-check git log -S "<override>" if curious about original intent
  • No changeset needed — confirm no @commercetools-uikit/* package gains a vulnerable dep at runtime

Addresses the following Dependabot security advisories by lifting transitive
dependency floors in pnpm-workspace.yaml `overrides:`. All affected packages
are dev-scoped (build/test/visual-regression tooling) — no runtime impact on
publishable @commercetools-uikit/* packages.

Bumped existing overrides:
- axios: ^1.13.5 → ^1.15.2
  CVE-2025-62718, CVE-2026-40175, CVE-2026-42033, CVE-2026-42035,
  CVE-2026-42037, CVE-2026-42038, CVE-2026-42040, CVE-2026-42041,
  CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264
- basic-ftp: ^5.2.0 → ^5.2.2
  CVE-2026-39983, GHSA-6v7q-wjvx-w8wg
- systeminformation: ^5.31.0 → ^5.31.6
  CVE-2026-44724

Added new overrides:
- '@babel/plugin-transform-modules-systemjs': ^7.29.4 (CVE-2026-44728)
- fast-uri: ^3.1.2 (CVE-2026-6321, CVE-2026-6322)
- follow-redirects: ^1.16.0 (GHSA-r4q5-vmmm-2653)
- ip-address: ^10.1.1 (CVE-2026-42338)
- 'js-yaml@^4.0.0': ^4.1.1 (CVE-2025-64718) — scoped to 4.x line so the
  unaffected 3.14.2 (istanbul tooling) keeps resolving normally
- postcss: ^8.5.10 (CVE-2026-41305) — catalog `postcss: 8.5.15` is already
  safe; the override lifts a stale vite transitive (8.5.6)

Removed stale overrides (no parent in the current tree declares them):
- '@isaacs/brace-expansion': ^5.0.1
- got: 14.5.0
- tar: ^7.5.11
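The tables above show why the old overrides were not enough: a caret override is a floor, not a pin, so `axios: ^1.13.5` still let 1.14.0 resolve and only the lockfile tells you what actually installed. The following check, an added example and not the repository's own code, parses a constructed, simplified pnpm-lock.yaml excerpt and reports every resolved version of an overridden package that falls outside its override range, honouring scoped selectors such as `js-yaml@^4.0.0` so an out-of-scope 3.14.2 is not flagged.

```python
import re

# Constructed, simplified pnpm-lock.yaml v9 excerpt (not the repository's lockfile); peer suffixes out of scope.
LOCKFILE = """\
lockfileVersion: '9.0'
packages:
  axios@1.14.0:
    resolution: {integrity: sha512-constructed}
  js-yaml@3.14.2:
    resolution: {integrity: sha512-constructed}
  js-yaml@4.1.1:
    resolution: {integrity: sha512-constructed}
  '@babel/plugin-transform-modules-systemjs@7.29.4':
    resolution: {integrity: sha512-constructed}
"""

OVERRIDES = {  # floors as they would appear under pnpm-workspace.yaml overrides:
    "axios": "^1.15.2",
    "js-yaml@^4.0.0": "^4.1.1",  # scoped selector: only the 4.x line is governed
    "@babel/plugin-transform-modules-systemjs": "^7.29.4",
}

PKG_KEY = re.compile(r"^  '?(@?[^@'\s]+)@(\d+\.\d+\.\d+)'?:$", re.M)  # "  name@x.y.z:" entries

def parse_ver(v): return tuple(int(x) for x in v.split("."))

def satisfies(version, rng):
    """Caret semantics: ^X.Y.Z allows >= X.Y.Z below the next breaking version; no caret means exact."""
    v = parse_ver(version)
    if not rng.startswith("^"):
        return v == parse_ver(rng)
    floor = parse_ver(rng[1:])
    if v < floor: return False
    idx = next((i for i, c in enumerate(floor) if c), 2)  # first non-zero part fixes the ceiling
    return v[:idx + 1] == floor[:idx + 1]

def check_overrides(lock, overrides):
    """Map each override key to the resolved versions escaping its range; {} means every floor took effect."""
    resolved = {}
    for name, ver in PKG_KEY.findall(lock):
        resolved.setdefault(name, []).append(ver)
    escaped = {}
    for key, rng in overrides.items():
        name, selector = key.rpartition("@")[::2] if "@" in key[1:] else (key, None)
        for ver in resolved.get(name, []):
            if selector and not satisfies(ver, selector):
                continue  # outside the selector (e.g. js-yaml@3.14.2): not governed by this override
            if not satisfies(ver, rng):
                escaped.setdefault(key, []).append(ver)
    return escaped
```

Run against a real lockfile by reading pnpm-lock.yaml into `LOCKFILE` and the `overrides:` map into `OVERRIDES`; a non-empty result means a floor was raised in the manifest but the lockfile still carries an older resolution.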
@misama-ct misama-ct requested a review from a team as a code owner May 19, 2026 13:33
@misama-ct misama-ct added dependencies Pull requests that update a dependency file security labels May 19, 2026
@changeset-bot

changeset-bot Bot commented May 19, 2026

⚠️ No Changeset found

Latest commit: 8a7a0c7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@vercel

vercel Bot commented May 19, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| ui-kit | Ready | Preview, Comment | May 19, 2026 1:34pm |

@misama-ct misama-ct merged commit d95eda0 into main May 19, 2026
11 checks passed
@misama-ct misama-ct deleted the security/fix-alerts-2026-05-19 branch May 19, 2026 13:53