fix(deps): clear Dependabot alerts for @babel/core, js-yaml, undici #67
Conversation
…abot alerts

Adds explicit npm override floors so the security-patched versions cannot regress on future lockfile regenerations:

- @babel/core ^7.29.6 (GHSA-4x5r-pxfx-6jf8, low) -> resolves 7.29.7
- js-yaml ^4.2.0 (GHSA-h67p-54hq-rp68, medium)
- jsdom > undici ^7.28.0 (high/med/low undici advisories, 7.x branch)
- testcontainers > undici ^8.5.0 (same advisories, 8.x branch)

undici is split across two majors (jsdom needs 7.x, testcontainers needs 8.x), so nested per-parent overrides patch each branch without forcing a breaking downgrade. All four packages are dev/build-only (zero runtime dependencies), so the production image is unaffected. npm audit: 0 vulnerabilities. tsc, lint, 533 tests, next build all green.
What

Adds explicit npm `overrides` floors so the security-patched transitive deps cannot regress on a future lockfile regeneration. Same mechanism already used in this repo for esbuild, postcss, lodash, minimatch, etc.

- `@babel/core` `^7.29.6` → resolves 7.29.7
- `js-yaml` `^4.2.0`
- `jsdom > undici` `^7.28.0`
- `testcontainers > undici` `^8.5.0`

Why nested overrides for undici

`undici` resolves to two majors in the tree, and a flat pin would break one of them:

- `jsdom` (component tests) requires `undici ^7.25.0` → patched to 7.28.0
- `testcontainers` (integration tests) requires `undici ^8.3.0` → patched to 8.5.0

Per-parent nested overrides patch each major on its own branch, avoiding a breaking downgrade of testcontainers to 7.x.

Runtime impact

None. All four packages are dev/build-only — zero entries in production `dependencies` (jsdom, testcontainers, @babel/core, js-yaml are all dev tooling). The runtime Docker image is unaffected.

The bulk of the lockfile diff is the `@babel/*` toolchain moving 7.29.0 → 7.29.7 as a set, pulled by the `@babel/core` floor.

Verification

- `npm audit` — 0 vulnerabilities
- `npm ci` — clean, package.json ↔ lock in sync
- `tsc --noEmit` — pass
- `npm run lint` — pass (pre-existing warnings only)
- `npm test` — 533/533 passed (75 files)
- `npm run build` — pass, 31/31 static pages
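As an added regression check, not part of this PR or the repository: a small Node script that reads a lockfileVersion 2/3 `package-lock.json` and reports any copy of an overridden package that resolves below its floor, following per-parent nesting so jsdom's 7.x undici and testcontainers' 8.x undici are judged separately (the exact reason the PR nests the overrides). The sample lockfile entries below are constructed; the jsdom and testcontainers versions in it are placeholders.

```javascript
// Added check (not from the PR): does the lockfile honour the override floors,
// including nested ones like {"jsdom": {"undici": "^7.28.0"}}? Lockfile v2/v3 keys
// its "packages" map by install path, so nested copies show up as
// "node_modules/jsdom/node_modules/undici".

// Compare "7.25.0" against a floor such as "^7.28.0" (range prefix dropped: it is a floor).
const parseVer = (v) => v.replace(/^[\^~>=\s]*/, "").split(".").map(Number);
function atLeast(version, floor) {
  const [a, b] = [parseVer(version), parseVer(floor)];
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// {"jsdom": {"undici": "^7.28.0"}} -> [{chain: ["jsdom"], name: "undici", floor: "^7.28.0"}]
function flattenOverrides(overrides, chain = []) {
  return Object.entries(overrides).flatMap(([name, v]) =>
    typeof v === "string" ? [{ chain, name, floor: v }] : flattenOverrides(v, [...chain, name]));
}

// Node-style lookup: <from>/node_modules/<name>, then each enclosing node_modules up to the root.
function resolveFrom(lock, from, name) {
  let dir = from;
  for (;;) {
    const key = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[key]) return { path: key, version: lock.packages[key].version };
    if (dir === "") return null;
    const idx = dir.lastIndexOf("/node_modules/");
    dir = idx < 0 ? "" : dir.slice(0, idx);
  }
}
const locationsOf = (lock, name) =>
  Object.keys(lock.packages).filter((p) => p.endsWith(`node_modules/${name}`));

// Every installed copy an override targets that still sits below its floor.
function checkOverrideFloors(lock, overrides) {
  const violations = [];
  for (const { chain, name, floor } of flattenOverrides(overrides)) {
    // Start at every installed copy of the chain's first parent; an empty chain means the root.
    let from = chain.length ? locationsOf(lock, chain[0]) : [""];
    for (const parent of chain.slice(1)) from = from.map((d) => resolveFrom(lock, d, parent)?.path).filter(Boolean);
    const targets = chain.length
      ? from.map((d) => resolveFrom(lock, d, name)).filter(Boolean)
      : locationsOf(lock, name).map((p) => ({ path: p, version: lock.packages[p].version }));
    for (const t of targets)
      if (!atLeast(t.version, floor)) violations.push({ ...t, floor, rule: [...chain, name].join(" > ") });
  }
  return violations;
}

// Constructed sample: jsdom's nested undici is still 7.25.0; testcontainers gets the hoisted 8.5.0.
const sampleLock = { packages: {
  "node_modules/jsdom": { version: "0.0.0-placeholder" },
  "node_modules/jsdom/node_modules/undici": { version: "7.25.0" },
  "node_modules/testcontainers": { version: "0.0.0-placeholder" },
  "node_modules/undici": { version: "8.5.0" },
} };
const sampleOverrides = { jsdom: { undici: "^7.28.0" }, testcontainers: { undici: "^8.5.0" } };
```

Against a real checkout, call `checkOverrideFloors(JSON.parse(fs.readFileSync("package-lock.json", "utf8")), JSON.parse(fs.readFileSync("package.json", "utf8")).overrides)` and fail the build on a non-empty result.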