
Conversation

@xnox

@xnox xnox commented Dec 7, 2025

There are a few vulnerabilities reported with:

```
npx pnpm audit
...
6 vulnerabilities found
Severity: 2 moderate | 3 high | 1 critical
```

Fix them by upgrading.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Dec 7, 2025
@GiteaBot GiteaBot added this to the 1.25.3 milestone Dec 7, 2025
@xnox
Author

xnox commented Dec 7, 2025

I am not very good with javascript, the lock file updates look less targeted than the resolution updates.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Dec 7, 2025
@lunny
Member

lunny commented Dec 7, 2025

We should submit the PR to the main branch first and then backport it to v1.25. Otherwise, the bug may reappear during future upgrades.

@xnox
Author

xnox commented Dec 7, 2025

> We should submit the PR to the main branch first and then backport it to v1.25. Otherwise, the bug may reappear during future upgrades.

I do not see any vulnerabilities on the main branch.

Unless I am holding pnpm wrong.

@techknowlogick
Member

Thanks!

@techknowlogick
Member

Cc @silverwind

@xnox
Author

xnox commented Dec 7, 2025

I have no idea if these upgrades break the gitea UI though :-/

@techknowlogick
Member

Maintainers note: This targets the 1.25 branch. These are solved in nightly already.

@techknowlogick
Member

Aha, my client hadn't updated yet so I didn't see the above comments already re: main branch

@silverwind
Member

silverwind commented Dec 7, 2025

It is not necessary to edit `pnpm.overrides`. Upgrade affected direct dependencies via `pnpm i dep@version` and indirect ones via `rm -rf node_modules pnpm-lock.yaml && pnpm i`, which will regenerate the lockfile and bump all indirect dependencies.

@silverwind silverwind left a comment


see above

@GiteaBot GiteaBot added lgtm/blocked A maintainer has reservations with the PR and thus it cannot be merged and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 7, 2025
@silverwind
Member

Try this:

```
pnpm i happy-dom@latest vitest@latest markdownlint-cli@latest tailwindcss@latest @vitejs/plugin-vue@latest @playwright/test@latest @vitest/eslint-plugin@latest && rm -rf node_modules pnpm-lock.yaml && pnpm i
```
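The two remediation paths silverwind describes above (bump direct dependencies with `pnpm i dep@version`, regenerate the lockfile for indirect ones) require first sorting the audit findings by whether the vulnerable package is a direct dependency of the project or only reachable through one. The script below is an added example, not code from this PR or from Gitea: it reads a constructed `package.json` fragment and a constructed audit report in the npm-audit-compatible JSON shape that `pnpm audit --json` is assumed here to emit (advisories keyed by id, each with `module_name`, `severity`, `patched_versions` and `findings[].paths` as `>`-separated dependency chains), and derives which command applies to which finding. The advisory ids, package versions and the `some-pkg`/`other-pkg` chain members are placeholders.

```python
"""Triage a pnpm audit report into direct vs. indirect vulnerable dependencies.

Added example, not part of the Gitea PR. The report shape (npm-audit-compatible
JSON: `advisories` keyed by id, `findings[].paths` as '>'-separated chains that
start at a direct dependency) is an assumption about `pnpm audit --json` output.
"""
import json

# Constructed package.json fragment listing the project's direct dependencies.
PACKAGE_JSON = """
{
  "devDependencies": {
    "vitest": "3.0.0",
    "happy-dom": "15.0.0",
    "eslint": "9.0.0"
  }
}
"""

# Constructed audit report. Advisory ids, versions and chain members are placeholders.
AUDIT_JSON = """
{
  "advisories": {
    "1001": {
      "module_name": "vitest",
      "severity": "high",
      "patched_versions": ">=3.1.0",
      "findings": [{"version": "3.0.0", "paths": ["vitest"]}]
    },
    "1002": {
      "module_name": "tar",
      "severity": "critical",
      "patched_versions": ">=7.0.0",
      "findings": [{"version": "6.1.0",
                    "paths": ["happy-dom>some-pkg>tar", "vitest>other-pkg>tar"]}]
    },
    "1003": {
      "module_name": "eslint",
      "severity": "moderate",
      "patched_versions": "<0.0.0",
      "findings": [{"version": "9.0.0", "paths": ["eslint"]}]
    }
  },
  "metadata": {"vulnerabilities": {"moderate": 1, "high": 1, "critical": 1}}
}
"""


def direct_dependencies(package_json: str) -> set[str]:
    """Collect every package the project itself declares in package.json."""
    data = json.loads(package_json)
    names: set[str] = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(key, {}))
    return names


def triage(audit_json: str, direct: set[str]) -> dict:
    """Split advisories into direct, indirect and not-yet-patched buckets."""
    report = json.loads(audit_json)
    result: dict = {"direct": {}, "indirect": {}, "unpatched": {}}
    for adv in report["advisories"].values():
        name = adv["module_name"]
        patched = adv.get("patched_versions", "<0.0.0")
        if patched == "<0.0.0":  # npm convention for "no fixed version exists"
            result["unpatched"][name] = adv["severity"]
            continue
        paths = [p for f in adv["findings"] for p in f["paths"]]
        # A path equal to the bare module name means the project depends on it directly.
        is_direct = name in direct and any(p == name for p in paths)
        bucket = "direct" if is_direct else "indirect"
        result[bucket][name] = {
            "severity": adv["severity"],
            "patched_versions": patched,
            # Which direct dependencies pull the vulnerable package in.
            "via": sorted({p.split(">")[0] for p in paths}),
        }
    return result


def remediation_commands(triaged: dict) -> list[str]:
    """Map the buckets onto the two commands suggested in the PR discussion."""
    cmds: list[str] = []
    if triaged["direct"]:
        cmds.append("pnpm i " + " ".join(f"{n}@latest" for n in sorted(triaged["direct"])))
    if triaged["indirect"]:
        # Indirect packages are pinned only by the lockfile, so regenerate it.
        cmds.append("rm -rf node_modules pnpm-lock.yaml && pnpm i")
    return cmds


if __name__ == "__main__":
    triaged = triage(AUDIT_JSON, direct_dependencies(PACKAGE_JSON))
    print(json.dumps(triaged, indent=2))
    for cmd in remediation_commands(triaged):
        print(cmd)
    if triaged["unpatched"]:
        print("no fix available yet for:", ", ".join(sorted(triaged["unpatched"])))
```

Running it with the constructed inputs reports `vitest` as a direct dependency to bump, `tar` as an indirect one reached via `happy-dom` and `vitest` (so only the lockfile regeneration applies), and `eslint` as an advisory with no patched version, which neither command can fix and which is the one case where a temporary override or an accepted-risk note is the honest answer. Against a real checkout, replace the two constants with the contents of `package.json` and the output of `pnpm audit --json`, and re-run `pnpm audit` afterwards to confirm the counts dropped.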
