
Resolve 4 critical dependency vulnerabilities (protobufjs, vitest, shell-quote) reported by pnpm audit #4680

Description

@vikyw89

pnpm audit currently reports 4 critical advisories (3 distinct packages). These are pre-existing in the dependency tree.

| Package | Advisory | Vulnerable | Patched | Path |
|---|---|---|---|---|
| shell-quote | GHSA-w7jw-789q-3m8p — quote() doesn't escape newlines in object .op values | <=1.8.3 | >=1.8.4 | direct dep of apps/dokploy |
| vitest | GHSA-5xrq-8626-4rwp — arbitrary file read+exec while the Vitest UI server is listening | >=4.0.0 <4.1.0 | >=4.1.0 | apps/dokploy > vitest; packages/server > @better-auth/cli > better-auth > vitest |
| protobufjs | GHSA-xq3m-2v4x-88gg — arbitrary code execution | <7.5.5 | >=7.5.5 | transitive: apps/api > inngest > @opentelemetry/... > @grpc/proto-loader > protobufjs |

(The audit counts vitest twice for its two paths → 4.)

Notable: shell-quote is the highest real-world concern — it's a direct dependency of apps/dokploy and shell-quoting is on the command-construction path of a deploy platform. protobufjs is purely transitive (7 levels deep under OpenTelemetry/gRPC), so it can only be fixed via a version pin. vitest is dev/test-only.

Proposed fix

Scoped pnpm.overrides in the root package.json that pin only the vulnerable ranges to their patched minimums — surgical, leaves all other versions untouched, and covers the transitive paths. Verified: pnpm install succeeds and pnpm audit reports 0 criticals afterward (237 → 222 total vulns).

PR incoming.
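What a scoped override block of the kind described above looks like in the root package.json, as an added illustration (not the issue author's PR, whose exact keys may differ). pnpm's `name@range` selector syntax applies an override only to resolutions matching that semver range, so installs already outside the vulnerable range are left untouched; the ranges and patched minimums below are taken from the advisory table, and the assumption is that each patched minimum is a release that the dependents in the tree accept.

```json
{
  "pnpm": {
    "overrides": {
      "shell-quote@<=1.8.3": "1.8.4",
      "vitest@>=4.0.0 <4.1.0": "4.1.0",
      "protobufjs@<7.5.5": "7.5.5"
    }
  }
}
```

After `pnpm install`, `pnpm why protobufjs` shows whether the transitive path under @grpc/proto-loader now resolves to the pinned version, and `pnpm audit --audit-level critical` confirms no critical advisories remain.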
