Skip to content

fix(deps): resolver vulnerabilidades de pnpm audit (overrides)#62

Merged
iicc1 merged 2 commits into
mainfrom
develop
Jun 12, 2026
Merged

fix(deps): resolver vulnerabilidades de pnpm audit (overrides)#62
iicc1 merged 2 commits into
mainfrom
develop

Conversation

@iicc1

@iicc1 iicc1 commented Jun 11, 2026

Copy link
Copy Markdown
Member

Resumen

Resuelve las vulnerabilidades de pnpm audit (13 → 0) mediante overrides, sin cambios en las dependencias declaradas. Todas eran transitivas del árbol de Docusaurus.

Cambios de seguridad

Se añaden overrides en pnpm-workspace.yaml (la ubicación que lee pnpm 11; el campo pnpm de package.json ya no se lee):

Paquete Parcheado a Severidad
shell-quote 1.8.4 Critical (escape de newlines / command injection)
serialize-javascript 7.0.5 High (RCE + DoS)
lodash 4.18.1 High (code injection vía _.template + prototype pollution)
joi 18.2.1 Moderate (RangeError no capturado)
ajv 8.20.0 Moderate (ReDoS)
js-yaml 4.1.1 Moderate (prototype pollution)
yaml 1.10.3 Moderate (stack overflow)
ws 8.21.0 Moderate (memory disclosure)
uuid 11.1.1 Moderate
qs 6.15.2 Moderate (DoS)

Los selectores son por rango, de modo que los consumidores de otros majors quedan intactos (js-yaml 3.x, ajv 6.x, ws 7.x sin tocar).

Verificación

  • pnpm audit0 vulnerabilidades.
  • pnpm build (docusaurus) → SUCCESS (los warnings de "broken anchors" son pre-existentes, idénticos a la base).
  • pnpm smoke:test (vitest) → 32/32 OK, incluidos los guards que vigilan el major de Docusaurus.

Nota

Como develop ya iba por delante de main, este PR incluye también un commit previo no relacionado con seguridad: chore: update sui json-rpc to graphql (toca docs/public-nodes/public-endpoints.md).

🤖 Generated with Claude Code

iicc1 and others added 2 commits June 9, 2026 12:06
@iicc1
chore: update sui json-rpc to graphql
6d8d9cf
@iicc1 @claude
fix(deps): resolve pnpm audit vulnerabilities via overrides
c78b3b8 
Adds pnpm overrides (in pnpm-workspace.yaml, the location read by pnpm 11)
to bump vulnerable transitive Docusaurus dependencies to patched versions:

- shell-quote -> 1.8.4 (critical: newline escaping GHSA, command injection)
- serialize-javascript -> 7.0.5 (high RCE + DoS)
- lodash -> 4.18.1 (high code injection via _.template + prototype pollution)
- joi -> 18.2.1 (uncaught RangeError DoS)
- ajv -> 8.20.0, js-yaml -> 4.1.1, yaml -> 1.10.3, ws -> 8.21.0,
  uuid -> 11.1.1, qs -> 6.15.2

Range-scoped selectors keep other-major consumers untouched
(js-yaml 3.x, ajv 6.x, ws 7.x unchanged). pnpm audit now reports
0 vulnerabilities. `pnpm build` succeeds and `vitest` 32/32 pass.

Co-Authored-By: Claude Opus 4.8 <[email protected]>
kilo-code-bot[bot]
kilo-code-bot Bot reviewed Jun 11, 2026
View reviewed changes
Comment thread pnpm-workspace.yaml
postman-code-generators: false
overrides:
ajv@>=7.0.0-alpha.0 <8.18.0: ^8.18.0
joi@<18.2.1: ^18.2.1

@kilo-code-bot kilo-code-bot Bot Jun 11, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: The Joi override installs a Node 20-only package

package.json still declares support for Node >=18.0, but [email protected] declares engines: {node: '>= 20'} in the updated lockfile. Anyone installing this project on Node 18 with strict engine checks enabled will fail dependency installation, and without strict checks Docusaurus will run against a transitive version outside the declared Node support. Either raise the project engine to Node 20 or choose a patched Joi version that supports Node 18.

@kilo-code-bot

kilo-code-bot Bot commented Jun 11, 2026
edited
Loading

Copy link
Copy Markdown

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

This PR updates the Sui public endpoint documentation from JSON-RPC to GraphQL and adds pnpm overrides/lockfile updates to resolve vulnerable transitive Docusaurus dependencies.

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 0
Issue Details (click to expand)

WARNING

File Line Issue
pnpm-workspace.yaml 10 Joi override resolves to a Node 20-only package while the project declares Node >=18 support

Fix these issues in Kilo Cloud

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File Line Issue
None
Files Reviewed (4 files)
  • docs/public-nodes/public-endpoints.md - 0 issues
  • pnpm-workspace.yaml - 1 issue
  • pnpm-lock.yaml - 0 issues
  • package.json - context reviewed

Reviewed by gpt-5.5-2026-04-23 · 273,447 tokens

@iicc1 iicc1 merged commit d3e484d into main Jun 12, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

@Josepdal Josepdal Josepdal approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@iicc1 @Josepdal