`pnpm audit` currently reports 4 critical advisories (3 distinct packages). These are pre-existing in the dependency tree.
| Package | Advisory | Vulnerable | Patched | Path |
| --- | --- | --- | --- | --- |
| shell-quote | GHSA-w7jw-789q-3m8p — `quote()` doesn't escape newlines in object `.op` values | <=1.8.3 | >=1.8.4 | direct dep of `apps/dokploy` |
| vitest | GHSA-5xrq-8626-4rwp — arbitrary file read+exec while the Vitest UI server is listening | >=4.0.0 <4.1.0 | >=4.1.0 | `apps/dokploy > vitest`; `packages/server > @better-auth/cli > better-auth > vitest` |
| protobufjs | GHSA-xq3m-2v4x-88gg — arbitrary code execution | <7.5.5 | >=7.5.5 | transitive: `apps/api > inngest > @opentelemetry/... > @grpc/proto-loader > protobufjs` |
(The audit counts vitest twice for its two paths → 4.)
Notable: shell-quote is the highest real-world concern — it's a direct dependency of `apps/dokploy` and shell-quoting is on the command-construction path of a deploy platform. protobufjs is purely transitive (7 levels deep under OpenTelemetry/gRPC), so it can only be fixed via a version pin. vitest is dev/test-only.
Proposed fix
Scoped `pnpm.overrides` in the root `package.json` that pin only the vulnerable ranges to their patched minimums — surgical, leaves all other versions untouched, and covers the transitive paths. Verified: `pnpm install` succeeds and `pnpm audit` reports 0 criticals afterward (237 → 222 total vulns).
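What such a scoped override block looks like, as an added illustration rather than the contents of the actual PR: each key uses pnpm's `name@range` selector so that only versions inside the vulnerable range from the table above are rewritten, and each value is the patched minimum from the same table. The surrounding `pnpm` object is assumed to merge into whatever else the root `package.json` already contains.

```json
{
  "pnpm": {
    "overrides": {
      "shell-quote@<=1.8.3": "1.8.4",
      "vitest@>=4.0.0 <4.1.0": "4.1.0",
      "protobufjs@<7.5.5": "7.5.5"
    }
  }
}
```

After adding it, re-run `pnpm install` and then `pnpm audit` to confirm the three advisories (four paths) no longer appear; an unscoped override such as `"protobufjs": "7.5.5"` would also work, but it forces every occurrence, including ones already outside the vulnerable range.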
PR incoming.