Skip to content

chore: upgrade pnpm to 11.8.0 and resolve audit vulnerabilities#292

Merged
sriramveeraghanta merged 3 commits into
masterfrom
update/pnpm-11.8-and-audit-fixes
Jul 1, 2026
Merged

chore: upgrade pnpm to 11.8.0 and resolve audit vulnerabilities#292
sriramveeraghanta merged 3 commits into
masterfrom
update/pnpm-11.8-and-audit-fixes

Conversation

@sriramveeraghanta

@sriramveeraghanta sriramveeraghanta commented Jun 18, 2026

Copy link
Copy Markdown
Member

Summary

  • Upgrade pnpm 10.33.0 → 11.8.0 (packageManager field, with corepack integrity hash). pnpm self-switches to this version.
  • Move overrides to pnpm-workspace.yaml — relocated overrides and peerDependencyRules out of package.json's pnpm field into the new workspace file (pnpm's recommended location), alongside a new auditConfig.
  • Resolve all actionable pnpm audit advisories — was 17 total (1 high, 13 moderate, 3 low).

Vulnerability resolution

Package Before After Fixes
vite 6.4.2 6.4.3 GHSA-fx2h-pf6j-xcff (high) + GHSA-v6wh-96g9-6wx3
dompurify 3.4.0 3.4.11 8 DOMPurify advisories (via mermaid)
postcss 8.5.6 8.5.15 GHSA-qx2v-qp2m-jg93 (new override)
uuid 11.1.0 11.1.1 GHSA-w5hq-g745-h8pq (new override, stays in mermaid's ^11 range)
mermaid ^11.12.2 ^11.15.0 4 advisories (direct devDependency)
js-yaml 3.14.2 ignored see below

js-yaml (GHSA-h67p-54hq-rp68, moderate) — intentionally ignored

gray-matter@4.0.3 hard-pins js-yaml 3.x (uses safeLoad/safeDump, removed in js-yaml 4.x) and has no newer release; the fix only landed in js-yaml >=4.2.0, so 3.x cannot be patched. js-yaml here only parses this repo's own build-time frontmatter (trusted input), so the merge-key DoS is not reachable. Ignored via auditConfig.ignoreGhsas with a documenting comment.

pnpm 11 also surfaced its new allowBuilds approval for esbuild/vue-demi; set to false to match prior pnpm 10 behavior (those build scripts were never approved and the site builds without them).

Verification

  • pnpm audit --audit-level low → exit 0 (only the documented js-yaml entry remains, ignored)
  • pnpm build ✓ (incl. llms.txt generation — confirms gray-matter/js-yaml 3.x still works)
  • pnpm check:format
  • pnpm check:types

Summary by CodeRabbit

  • Chores
    • Updated development tooling dependency versions.
    • Added workspace-wide package management policy to standardize dependency behavior and security overrides.
  • CI
    • Updated the formatting and build jobs to run on Node.js 22 instead of Node.js 20.

- Bump packageManager to pnpm@11.8.0 (corepack hash included)
- Move overrides + peerDependencyRules from package.json into
  pnpm-workspace.yaml (pnpm's recommended location)
- Resolve all actionable pnpm audit advisories (was 1 high, 13 mod, 3 low):
  - vite 6.4.2 -> 6.4.3 (GHSA-fx2h-pf6j-xcff high, GHSA-v6wh-96g9-6wx3)
  - dompurify 3.4.0 -> 3.4.11 (8 DOMPurify advisories, via mermaid)
  - postcss -> 8.5.15 (GHSA-qx2v-qp2m-jg93, new override)
  - uuid -> 11.1.1 (GHSA-w5hq-g745-h8pq, new override)
  - mermaid ^11.12.2 -> ^11.15.0 (4 advisories, direct devDependency)
- Ignore js-yaml advisory GHSA-h67p-54hq-rp68 via auditConfig: gray-matter
  hard-pins js-yaml 3.x with no patched 3.x release; only parses trusted
  build-time frontmatter so the DoS is not reachable
@vercel

vercel Bot commented Jun 18, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
developer-docs Ready Ready Preview, Comment Jul 1, 2026 4:32pm

Request Review

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a154e4e6-25d2-48d8-85d9-75c33500f621

📥 Commits

Reviewing files that changed from the base of the PR and between 481e47e and c38997a.

📒 Files selected for processing (1)
  • .github/workflows/check-format.yml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/check-format.yml

📝 Walkthrough

Walkthrough

Updates pnpm, mermaid, and CI Node.js versions, and adds a new pnpm-workspace.yaml with workspace-wide overrides, peer dependency rules, audit ignores, and build restrictions.

Changes

Toolchain and workspace configuration update

Layer / File(s) Summary
pnpm, mermaid, and CI Node versions
package.json, .github/workflows/check-format.yml
Updates packageManager to pnpm@11.8.0, bumps mermaid to ^11.15.0, and changes the format and build jobs to Node.js 22.
Workspace dependency and audit policy
pnpm-workspace.yaml
Adds workspace overrides, vitepress peer version constraints, a js-yaml GHSA ignore, and disabled builds for esbuild and vue-demi.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: pnpm was upgraded and audit vulnerabilities were addressed.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch update/pnpm-11.8-and-audit-fixes

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

pnpm 11.8.0 requires Node.js >= 22.13 (uses the node:sqlite builtin),
but the workflow pinned node-version: 20, causing ERR_UNKNOWN_BUILTIN_MODULE.
@sriramveeraghanta sriramveeraghanta merged commit d0a531b into master Jul 1, 2026
8 checks passed
@sriramveeraghanta sriramveeraghanta deleted the update/pnpm-11.8-and-audit-fixes branch July 1, 2026 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants