
fix(deps): resolve Dependabot security vulnerabilities #141

Merged: BillChirico merged 1 commit into main from fix/dependabot-vulns, Feb 28, 2026

Conversation

@BillChirico (Collaborator)

Summary

Resolve open Dependabot security alerts by adding pnpm overrides for transitive dependencies.

Fixed

| Package | Severity | CVE | Fix |
|---|---|---|---|
| rollup | High | Arbitrary File Write via Path Traversal | >=4.59.0 (was 4.57.1) |
| undici | Medium | Unbounded decompression chain DoS | >=6.23.0 (was 5.28.5/6.21.3) |
| undici | Low | DoS via bad certificate data | >=5.29.0 (resolved by 6.23.0 override) |
| axios | High (3 CVEs) | DoS, SSRF, credential leakage | Already at 1.13.6 via existing override ✅ |

Tests

  • All 2392 tests passing
  • No behavior changes — these are transitive dependency version bumps

Closes #125

- Override rollup to >=4.59.0 (fixes arbitrary file write via path traversal, CVE high)
- Override undici to >=6.23.0 (fixes unbounded decompression chain DoS, CVE medium)
- axios already at 1.13.6 via existing override (3 high CVEs already resolved)

Closes #125
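An override only fixes the alert if the lockfile actually stops resolving the old versions, which is the check the reviewers below perform by hand. The following script is an added example, not part of this PR or the project's code: it reads the `pnpm.overrides` map from a package.json, scans the `packages:` section of a pnpm-lock.yaml for every resolved version of each overridden package, and reports any version that fails the override's minimum. Both input documents are constructed samples in the same shape as this PR's files; the sample lockfile deliberately still contains stale rollup and undici entries so the audit has something to flag.

```python
"""Verify that every version of an overridden package resolved in a pnpm
lockfile satisfies the minimum declared in pnpm.overrides (added example)."""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed package.json fragment using the pnpm.overrides pattern from this PR.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "pnpm": {
    "overrides": {
      "rollup": ">=4.59.0",
      "undici": ">=6.23.0"
    }
  }
}"""

# Constructed pnpm-lock.yaml excerpt (lockfileVersion 9 key style). It keeps
# stale rollup@4.57.1 and undici@5.28.5 entries on purpose so the audit fails.
SAMPLE_LOCKFILE = """\
lockfileVersion: '9.0'

packages:

  '@rollup/rollup-linux-x64-gnu@4.59.0':
    resolution: {integrity: sha512-constructed}

  rollup@4.59.0:
    resolution: {integrity: sha512-constructed}

  rollup@4.57.1:
    resolution: {integrity: sha512-constructed}

  undici@7.22.0:
    resolution: {integrity: sha512-constructed}

  undici@5.28.5:
    resolution: {integrity: sha512-constructed}

snapshots:

  rollup@4.59.0:
    optionalDependencies:
      '@rollup/rollup-linux-x64-gnu': 4.59.0
"""

# Matches a package key such as `rollup@4.59.0:` or `'@scope/name@1.2.3':` at the
# two-space indent of the packages section; the version stops before a quote,
# a colon or a peer-dependency suffix like `(peer@2.0.0)`.
_PKG_KEY = re.compile(r"^  '?(?P<name>@?[^'@\s]+)@(?P<ver>[0-9][^'\s(:]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.59.0' (or '4.59.0-beta.1') into a comparable tuple of ints."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def load_overrides(package_json: str) -> Dict[str, str]:
    """Return the pnpm.overrides map from a package.json document."""
    return json.loads(package_json).get("pnpm", {}).get("overrides", {})


def resolved_versions(lock_text: str) -> Dict[str, Set[str]]:
    """Collect every version of every package listed under `packages:`."""
    found: Dict[str, Set[str]] = {}
    in_packages = False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():  # unindented line = new top-level section
            in_packages = line.rstrip() == "packages:"
            continue
        if not in_packages:
            continue
        match = _PKG_KEY.match(line)
        if match:
            found.setdefault(match.group("name"), set()).add(match.group("ver"))
    return found


def satisfies(version: str, constraint: str) -> bool:
    """Evaluate the `>=`, `>` and exact forms that overrides commonly use."""
    have = parse_version(version)
    if constraint.startswith(">="):
        return have >= parse_version(constraint[2:])
    if constraint.startswith(">"):
        return have > parse_version(constraint[1:])
    return have == parse_version(constraint.lstrip("="))


def audit(lock_text: str, overrides: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, version) pairs in the lockfile that violate an override."""
    resolved = resolved_versions(lock_text)
    stale = [
        (name, ver)
        for name, rule in overrides.items()
        for ver in resolved.get(name, set())
        if not satisfies(ver, rule)
    ]
    return sorted(stale)


if __name__ == "__main__":
    for name, ver in audit(SAMPLE_LOCKFILE, load_overrides(SAMPLE_PACKAGE_JSON)):
        print(f"stale version still in lockfile: {name}@{ver}")
```

Run against the real files by replacing the two sample strings with `open("package.json").read()` and `open("pnpm-lock.yaml").read()`; an empty result is the "no stale vulnerable versions remain" condition the reviews below assert. Only the `packages:` section is scanned, so the per-platform `@rollup/rollup-*` packages are collected under their own names and are not confused with `rollup` itself.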
Copilot AI review requested due to automatic review settings February 28, 2026 12:00
@claude

claude bot commented Feb 28, 2026

Claude finished @BillChirico's task in 1m 37s

Review: PR #141 — Approved

  • Read project conventions (AGENTS.md)
  • Gather PR diff and review changes
  • Review package.json changes
  • Verify overrides resolve the stated CVEs
  • Submit review verdict

Zero issues found. The PR is clean:

  • package.json — adds rollup and undici to pnpm.overrides, following the exact same >= pattern as the existing axios, tar, and langsmith overrides.
  • pnpm-lock.yaml — resolves to rollup@4.59.0 and undici@7.22.0. No stale vulnerable versions (undici 5.x/6.x, rollup <4.59.0) remain in the lockfile.
  • Overrides correctly address the stated CVEs (rollup path traversal, undici decompression DoS / bad certificate DoS).

@coderabbitai (Contributor)

coderabbitai bot commented Feb 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Reviewing files that changed from the base of the PR and between 2f894ce and f660279.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)
  • package.json

⏰ Checks skipped due to the 90000ms timeout (3)
  • GitHub Check: Agent
  • GitHub Check: Greptile Review
  • GitHub Check: claude-review

🔇 Additional comments (1)

package.json (1)

44-46: Appropriate use of pnpm overrides for transitive dependency security fixes.

The syntax and approach are correct—using >= ensures the patched versions (or newer) are resolved for transitive dependencies. This is the standard pattern for addressing security alerts on indirect dependencies without waiting for upstream packages to update.

Verification confirms the specified minimum versions contain the security patches:

  • rollup@4.59.0 — Fixes CVE-2026-27606 (arbitrary file write via path traversal, High severity)
  • undici@6.23.0 — Fixes CVE-2026-22036 (unbounded decompression chain DoS, Medium severity)

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated package dependency constraints for improved build stability and compatibility.

Walkthrough

Adds PNPM package overrides for rollup (>=4.59.0) and undici (>=6.23.0) in package.json to enforce minimum dependency versions. Updates formatting by adding a trailing comma after the existing langsmith override entry.

Changes

| Cohort / File(s) | Summary |
|---|---|
| PNPM Package Overrides: package.json | Introduces two new PNPM version overrides targeting security vulnerabilities: rollup >=4.59.0 and undici >=6.23.0. Adds formatting consistency with trailing comma after langsmith override. |

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'fix(deps): resolve Dependabot security vulnerabilities' accurately describes the primary change—adding pnpm overrides to resolve security vulnerabilities in transitive dependencies. |
| Description check | ✅ Passed | The description clearly details the security fixes applied, including specific packages, severity levels, CVE descriptions, and version overrides, directly relating to the package.json changes. |
| Linked Issues check | ✅ Passed | The PR addresses the primary objective from issue #125 by adding pnpm overrides to resolve identified high and medium severity vulnerabilities (rollup, undici, axios). All tests passing confirms no regressions. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to resolving Dependabot security vulnerabilities as specified in issue #125; only package.json overrides were modified with no unrelated alterations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@claude claude bot left a comment

Clean PR — security overrides for rollup and undici follow the existing pattern, lockfile resolves correctly (rollup@4.59.0, undici@7.22.0), no stale vulnerable versions remain.

@greptile-apps

greptile-apps bot commented Feb 28, 2026

Greptile Summary

This PR resolves 4 Dependabot security vulnerabilities by adding pnpm overrides for transitive dependencies. The changes upgrade rollup from 4.57.1 to 4.59.0 (fixing a High severity arbitrary file write vulnerability) and undici from 5.28.5/6.21.3 to 7.22.0 (fixing Medium and Low severity DoS vulnerabilities).

  • All security requirements met or exceeded (undici at 7.22.0 vs required 6.23.0)
  • No behavioral changes — purely dependency version bumps
  • All 2392 tests passing
  • Properly uses pnpm overrides mechanism for transitive dependencies

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • Score reflects straightforward security dependency updates with no code changes, all tests passing, and proper use of pnpm overrides for transitive dependencies
  • No files require special attention

Important Files Changed

| Filename | Overview |
|---|---|
| package.json | Added pnpm overrides for rollup (>=4.59.0) and undici (>=6.23.0) to fix security vulnerabilities |
| pnpm-lock.yaml | Lockfile updated with rollup 4.59.0 and undici 7.22.0, removing vulnerable versions |

Last reviewed commit: f660279

Copilot AI (Contributor) left a comment

Pull request overview

Resolves Dependabot security alerts by forcing patched versions of vulnerable transitive dependencies via pnpm overrides, ensuring the repository installs non-vulnerable versions under the supported Node runtime.

Changes:

  • Added pnpm.overrides entries for rollup and undici in package.json.
  • Updated pnpm-lock.yaml to reflect the new overrides and the resulting resolved versions (including Rollup platform packages and Undici).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| package.json | Adds pnpm overrides for rollup and undici to enforce non-vulnerable versions. |
| pnpm-lock.yaml | Updates the lockfile to reflect the override-driven dependency graph and resolved versions. |

Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


@BillChirico BillChirico merged commit 0c8f92c into main Feb 28, 2026
14 checks passed
@BillChirico BillChirico deleted the fix/dependabot-vulns branch February 28, 2026 14:04


Development

Successfully merging this pull request may close these issues: fix: resolve Dependabot security vulnerabilities (4 high, 2 moderate, 1 low)
