
Patch transitive dependency vulnerabilities via overrides #90

Open

exekias wants to merge 1 commit into main from chore/patch-transitive-vulns

Conversation

exekias (Member) commented Jul 2, 2026

Patches three transitive dependency vulnerabilities flagged by Dependabot, using npm overrides so we keep next 16 and drizzle-kit 0.31 (npm's audit fix --force would downgrade them to next 9 / drizzle-kit 0.18).

Fixed (3 of 4 alerts)

| Advisory | Before | After |
| --- | --- | --- |
| postcss XSS (moderate) | postcss 8.4.31 under next | deduped to 8.5.15 |
| @babel/core file read (low) | @babel/core 7.29.0 | 7.29.7 |
| esbuild dev-server read (low) | esbuild 0.28.0 under tsx | 0.28.1 |

```json
"overrides": {
  "@babel/core": "^7.29.6",
  "postcss": "^8.5.10",
  "tsx": { "esbuild": "^0.28.1" }
}
```

Knowingly left for now (1 of 4)

esbuild dev-server request (moderate) via esbuild 0.18.20 under the deprecated @esbuild-kit/core-utils / @esbuild-kit/esm-loader chain that drizzle-kit's CLI still pulls in. Forcing a non-vulnerable esbuild (≥ 0.25) there is a large jump from 0.18 and risks breaking drizzle-kit. It's a dev/CLI-only path (not shipped, not in the app build), so it's left as accepted risk pending an upstream drizzle-kit release that drops @esbuild-kit.

npm audit drops from 7 vulnerabilities to 4 (the remaining 4 are that single @esbuild-kit esbuild advisory plus its dependency-chain entries).

Verification

All CI steps pass locally with the new lockfile:

  • tsc --noEmit
  • eslint
  • npm run lessons:validate
  • next build

🤖 Generated with Claude Code

Clears 3 of 4 Dependabot alerts without downgrading next/drizzle-kit. Leaves the deprecated @esbuild-kit esbuild 0.18 chain (drizzle-kit CLI, dev-only) for an upstream fix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
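As an added example (not code from this PR or the repository): a small Node script that reads the `packages` map of a lockfileVersion 3 `package-lock.json` and checks that every copy of an overridden package the override reaches satisfies the override's lower bound. Top-level overrides are checked against every installed copy; a nested override like `"tsx": { "esbuild": ... }` is checked against whichever esbuild each installed tsx would resolve, walking up `node_modules` the way Node does. The lockfile fragments and names such as `example-app`, the parent versions and the placement of the hoisted esbuild 0.18.20 are constructed assumptions; only the version numbers in the overrides and the before/after table come from the PR.

```javascript
"use strict";
// Added example, not from the PR: verify that installed versions recorded in a
// package-lock.json (lockfileVersion 3 "packages" map) satisfy the lower bounds
// demanded by package.json "overrides". Lockfiles below are constructed.

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lower bound of a caret/tilde/>= range: "^7.29.6" -> "7.29.6".
function minOfRange(range) {
  return range.replace(/^[\^~>=\s]+/, "");
}

// Node-style resolution inside the lockfile: starting at a parent's lockfile
// key (e.g. "node_modules/tsx"), look for `name` in the nearest node_modules
// directory, walking up to the project root. Returns the key or null.
function resolveFrom(packages, from, name) {
  let dir = from;
  for (;;) {
    const key = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[key]) return key;
    if (!dir) return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx === -1 ? "" : dir.slice(0, idx);
  }
}

// Returns violations as { pkg, at, found, required }. A string override applies
// to every installed copy of that package; a nested override such as
// { "tsx": { "esbuild": "^0.28.1" } } applies to the esbuild each tsx resolves.
function checkOverrides(lock, overrides) {
  const packages = lock.packages;
  const violations = [];
  const check = (pkg, key, required) => {
    const found = packages[key].version;
    if (compareVersions(found, minOfRange(required)) < 0) {
      violations.push({ pkg, at: key, found, required });
    }
  };
  const installedCopies = (name) =>
    Object.keys(packages).filter((k) => k.endsWith(`node_modules/${name}`));
  for (const [name, spec] of Object.entries(overrides)) {
    if (typeof spec === "string") {
      for (const key of installedCopies(name)) check(name, key, spec);
    } else {
      for (const parentKey of installedCopies(name)) {
        for (const [child, range] of Object.entries(spec)) {
          const key = resolveFrom(packages, parentKey, child);
          if (key) check(child, key, range);
        }
      }
    }
  }
  return violations;
}

// The overrides from the PR description.
const OVERRIDES = {
  "@babel/core": "^7.29.6",
  "postcss": "^8.5.10",
  "tsx": { "esbuild": "^0.28.1" },
};

// Constructed lockfile fragments: "before" nests the vulnerable postcss under
// next; "after" reflects the deduped/bumped state. Parent versions and the
// hoisted esbuild 0.18.20 placement are assumptions, not taken from the PR.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "0.0.0" },
  "node_modules/next": { version: "16.0.0" },
  "node_modules/next/node_modules/postcss": { version: "8.4.31" },
  "node_modules/postcss": { version: "8.5.15" },
  "node_modules/@babel/core": { version: "7.29.0" },
  "node_modules/tsx": { version: "4.0.0" },
  "node_modules/tsx/node_modules/esbuild": { version: "0.28.0" },
  "node_modules/esbuild": { version: "0.18.20" },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { name: "example-app", version: "0.0.0" },
  "node_modules/next": { version: "16.0.0" },
  "node_modules/postcss": { version: "8.5.15" },
  "node_modules/@babel/core": { version: "7.29.7" },
  "node_modules/tsx": { version: "4.0.0" },
  "node_modules/tsx/node_modules/esbuild": { version: "0.28.1" },
  "node_modules/esbuild": { version: "0.18.20" },
} };

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
    console.log(label, checkOverrides(lock, OVERRIDES));
  }
}
```

Against the "before" fragment this reports three violations (postcss 8.4.31 under next, @babel/core 7.29.0, esbuild 0.28.0 under tsx) and none against "after"; the hoisted esbuild 0.18.20 is not flagged because no override covers it, which matches the accepted-risk item above. It is a lockfile sanity check to run in CI next to `npm audit`, not a replacement for it.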
vercel (bot) commented Jul 2, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| learn-postgres | Ready | Preview | Jul 2, 2026 9:51am |
