chore(deps): pin transitive deps to patched versions for 33 Dependabot alerts (#7556)

Adds a pnpm.overrides block to force-upgrade vulnerable transitive
dependencies to their patched versions. All 33 open Dependabot alerts on
ether/etherpad are against pnpm-lock.yaml; none of these packages are
direct dependencies of the workspace.

Bumps (vulnerable range → pinned):

- basic-ftp                ≤5.2.2  → ≥5.3.0   (GHSA-5rq4-664w-9x2c,
                                                GHSA-6v7q-wjvx-w8wg,
                                                GHSA-rp42-5vxx-qpwr)
- brace-expansion          <2.0.3  → ≥2.0.3   (GHSA-f886-m6hf-6m8v)
- diff                     <8.0.3  → ≥8.0.3   (GHSA-73rr-hh4g-fpgx)
- flatted                  <3.4.2  → ≥3.4.2   (GHSA-25h7-pfq9-p65f,
                                                GHSA-rf6f-7fwh-wjgh)
- follow-redirects         ≤1.15.11 → ≥1.16.0 (GHSA-r4q5-vmmm-2653)
- glob (10.x CLI)          <10.5.0 → ≥10.5.0  (GHSA-5j98-mcp5-4vw2)
- js-yaml                  <4.1.1  → ≥4.1.1   (GHSA-mh29-5h37-fv8m)
- lodash                   ≤4.17.23 → ≥4.18.0 (GHSA-f23m-r3pf-42rh,
                                                GHSA-r5fr-rjxr-66jc)
- minimatch (9.x)          <9.0.7  → ≥9.0.7   (GHSA-23c5-xmqv-rm74,
                                                GHSA-3ppc-4f35-3m26,
                                                GHSA-7r86-cg39-jmmj)
- path-to-regexp (8.x)     <8.4.0  → ≥8.4.0   (GHSA-27v5-c462-wpq7,
                                                GHSA-j3q9-mxjg-w52f)
- picomatch (4.x)          <4.0.4  → ≥4.0.4   (GHSA-3v7f-55p6-f55p,
                                                GHSA-c2c7-rcm5-vvqj)
- qs                       <6.14.2 → ≥6.14.2  (GHSA-6rw7-vpxm-498p,
                                                GHSA-w7fw-mjwx-w883)
- serialize-javascript     ≤7.0.2  → ≥7.0.5   (GHSA-5c6j-r48x-rmvq,
                                                GHSA-qj8w-gfj5-8c6v)
- socket.io-parser         <4.2.6  → ≥4.2.6   (GHSA-677m-j7p3-52f9)
- tar                      <7.5.11 → ≥7.5.11  (GHSA-8qq5-rm4j-mr97,
                                                GHSA-34x7-hfp2-rc4v,
                                                GHSA-r6q2-hw4h-h46w,
                                                GHSA-83g3-92jg-28cx,
                                                GHSA-qffp-2rhf-9h96,
                                                GHSA-9ppj-qmqm-q256)
- vite (non-aliased)       <7.3.2  → ≥7.3.2   (GHSA-p9ff-h696-f583,
                                                GHSA-v2wj-q39q-566r,
                                                GHSA-4w7w-66w2-5vf9)

Scoped overrides are used where the vulnerable range is a specific major
line — e.g. `minimatch@>=9.0.0 <9.0.7` — so that 3.x/10.x lines resolving
via unrelated dependency chains are not disturbed. Otherwise the override
targets the bare package name.

Note: admin/ui/doc packages alias `vite` to `rolldown-vite@7.2.10`; those
are a separate package on npm and the vite CVEs do not apply to them.

- `pnpm install` succeeds
- `pnpm run ts-check` clean
- No source code changes; `tar` and `glob` are not directly imported by
  etherpad-lite sources, so the major-version bumps (tar 6→7, glob 10→13)
  affect only transitive consumers that already declare compatibility.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
John McLear 2026-04-19 17:06:23 +01:00 committed by GitHub
parent e8c9efb5c5
commit f3f6829f8f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 507 additions and 820 deletions

View file

@ -57,6 +57,24 @@
],
"ignoredBuiltDependencies": [
"@scarf/scarf"
]
],
"overrides": {
"basic-ftp": ">=5.3.0",
"brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3",
"diff@>=6.0.0 <8.0.3": ">=8.0.3",
"flatted": ">=3.4.2",
"follow-redirects": ">=1.16.0",
"glob@>=10.2.0 <10.5.0": ">=10.5.0",
"js-yaml@>=4.0.0 <4.1.1": ">=4.1.1",
"lodash": ">=4.18.0",
"minimatch@>=9.0.0 <9.0.7": ">=9.0.7",
"path-to-regexp@>=8.0.0 <8.4.0": ">=8.4.0",
"picomatch@>=4.0.0 <4.0.4": ">=4.0.4",
"qs@>=6.7.0 <6.14.2": ">=6.14.2",
"serialize-javascript": ">=7.0.5",
"socket.io-parser@>=4.0.0 <4.2.6": ">=4.2.6",
"tar@<7.5.11": ">=7.5.11",
"vite@>=7.0.0 <7.3.2": ">=7.3.2"
}
}
}

1307
pnpm-lock.yaml generated

File diff suppressed because it is too large Load diff