mirror of
https://github.com/ether/etherpad-lite.git
synced 2026-07-17 16:47:05 +00:00
Pin the transitive @opentelemetry/core dep (pulled in via @elastic/elasticsearch -> @elastic/transport) to >=2.8.0 to clear GHSA-8988-4f7v-96qf / CVE-2026-54285: W3CBaggagePropagator.extract() did not enforce W3C size limits on inbound baggage headers, allowing unbounded memory allocation. @elastic/transport declares the dep as "2.x" so 2.8.0 satisfies the existing range with no parent bump, and 2.8.0's @opentelemetry/api peer range (>=1.0.0 <1.10.0) is satisfied by the 1.9.1 already in the tree. Override added to pnpm-workspace.yaml alongside the other CVE force-bumps (pnpm 11 ignores root package.json pnpm.overrides). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
46 lines
1.6 KiB
YAML
46 lines
1.6 KiB
YAML
packages:
|
|
- src
|
|
- admin
|
|
- bin
|
|
- doc
|
|
- ui
|
|
allowBuilds:
|
|
'@scarf/scarf': set this to true or false
|
|
esbuild: set this to true or false
|
|
# Explicitly ignore build scripts we don't want to run. Listing them here
|
|
# stops pnpm from failing with ERR_PNPM_IGNORED_BUILDS when they're
|
|
# encountered as transitive deps (e.g. scarf pulled in via swagger-ui-dist).
|
|
ignoredBuiltDependencies:
|
|
- '@scarf/scarf'
|
|
onlyBuiltDependencies:
|
|
- esbuild
|
|
# Belt-and-suspenders: even if a fresh transitive dep slips through with a
|
|
# postinstall script, downgrade to a warning so CI doesn't break for
|
|
# downstream plugin repos that pull etherpad-lite as their core install.
|
|
strictDepBuilds: false
|
|
# As of pnpm 11, overrides must live here (root package.json's pnpm.overrides
|
|
# is no longer read). Force-bump transitive deps with known CVEs.
|
|
overrides:
|
|
'@babel/core@<7.29.6': '>=7.29.6'
|
|
'@opentelemetry/core@<2.8.0': '>=2.8.0'
|
|
basic-ftp@<5.3.1: '>=5.3.1 <6.0.0'
|
|
brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3'
|
|
diff@>=6.0.0 <8.0.3: '>=8.0.3'
|
|
esbuild@<0.28.1: '>=0.28.1'
|
|
flatted: '>=3.4.2'
|
|
follow-redirects: '>=1.16.0'
|
|
form-data@>=4.0.0 <4.0.6: '>=4.0.6'
|
|
glob@>=10.2.0 <10.5.0: '>=10.5.0'
|
|
ip-address@<10.1.1: '>=10.1.1'
|
|
js-yaml@>=4.0.0 <4.2.0: '>=4.2.0'
|
|
lodash: '>=4.18.0'
|
|
minimatch@>=9.0.0 <9.0.7: '>=9.0.7'
|
|
path-to-regexp@>=8.0.0 <8.4.0: '>=8.4.0'
|
|
picomatch@>=4.0.0 <4.0.4: '>=4.0.4'
|
|
qs@>=6.7.0 <6.15.2: '>=6.15.2'
|
|
serialize-javascript@<7.0.5: '>=7.0.5'
|
|
socket.io-parser@>=4.0.0 <4.2.6: '>=4.2.6'
|
|
tar@<7.5.16: '>=7.5.16'
|
|
uuid@<14.0.0: '>=14.0.0'
|
|
vite@>=7.0.0 <7.3.2: '>=7.3.2'
|
|
ws@>=8.0.0 <8.21.0: '>=8.21.0'
|