Skip to content

fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545

Open
coderdan wants to merge 2 commits into
mainfrom
chore/dependabot-alert-cleanup
Open

fix(deps): resolve all 26 open Dependabot alerts via active pnpm overrides#545
coderdan wants to merge 2 commits into
mainfrom
chore/dependabot-alert-cleanup

Conversation

@coderdan

@coderdan coderdan commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Why Dependabot couldn't fix these itself

Nearly all 26 open alerts are transitive deps Dependabot can't PR against, and the repo's previous mitigation attempts were silently inert:

  • The root package.json had a top-level overrides block in npm format, which pnpm ignores — it contained next: >=15.5.15, lodash: >=4.18.0, postcss: >=8.5.10, vite: catalog:security… none of it ever applied (and its js-yaml: 4.1.1 pinned the vulnerable version). Deleted in this PR, along with the stale workspaces.catalogs duplicate that still advertised vulnerable pins (next 15.5.10, vite 6.4.1).
  • The catalog:security pins for next: 15.5.18 / vite: 8.0.13 in pnpm-workspace.yaml were referenced by no package.
  • @anthropic-ai/sdk@0.81.0 was a stale auto-installed peer of claude-agent-sdk (peer floor >=0.93.0) — verified empirically that pnpm overrides rewrite peer ranges, not peer resolutions, so an explicit dep is the only working fix.

What this PR does

Range-scoped overrides in pnpm-workspace.yaml (the location pnpm actually reads), each annotated in-file with its alert + advisory:

Override Alerts Advisory
next@<15.5.18 → ~15.5.18 #96, #115#127 GHSA-267c-6grr-h53f, GHSA-26hh-7cqf-hhc6, GHSA-36qx-fr4f-26g5, GHSA-3g8h-86w9-wvmq, GHSA-492v-c6pp-mqqv, GHSA-8h8q-6873-q5fj, GHSA-c4j6-fc7j-m34r, GHSA-ffhc-5mcf-pf4q, GHSA-gx5p-jg67-6x7h, GHSA-h64f-5h5j-jqjh, GHSA-mg66-mrh9-m8jx, GHSA-q4gf-8mx6-v5v3, GHSA-vfv6-92ff-j949, GHSA-wfc6-r584-vfw7, GHSA-3x4c-7xq6-9pq8, GHSA-ggv3-7p47-pfv8
lodash@<4.18.0 → ^4.18.0 #87, #88 GHSA-f23m-r3pf-42rh (CVE-2026-2950), GHSA-r5fr-rjxr-66jc (CVE-2026-4800)
js-cookie@<3.0.7 → ^3.0.7 #133 GHSA-qjx8-664m-686j (CVE-2026-46625)
postcss@<8.5.10 → ^8.5.10 #102 GHSA-qx2v-qp2m-jg93 (CVE-2026-41305)
vite@>=7.0.0 <7.3.5 → ~7.3.5 #145, #146 GHSA-fx2h-pf6j-xcff (CVE-2026-53571), GHSA-v6wh-96g9-6wx3 (CVE-2026-53632)
esbuild@>=0.27.3 <0.28.1 → ^0.28.1 #142 GHSA-g7r4-m6w7-qqqr⚠️ 0.28.1 is the first patched release and sits outside tsup@8.5.1's declared ^0.27.0; builds pass, retire by bumping tsup once it declares ^0.28
js-yaml@<3.15.0 → 3.15.0 (exact) #153 GHSA-h67p-54hq-rp68 (CVE-2026-53550)
js-yaml@>=4.0.0 <5 → 4.2.0 (exact, matured) #152 GHSA-h67p-54hq-rp68 (CVE-2026-53550)
fast-uri@<3.1.3 → 3.1.3 (exact) regression guard GHSA-4c8g-83qw-93j6 (CVE-2026-13676) — the lockfile regen let the 7-day cooldown demote ajv's fast-uri to vulnerable 3.1.2; this pins the patched release (matures 2026-07-06, then relaxable to ^3.1.3)

Manifest changes:

  • packages/nextjs: next: catalog:security devDep — makes the existing 15.5.18 pin real; peer range ^14 || ^15 unchanged. (Kept alongside the override deliberately: tested override-only and it floats to 15.5.19 instead of the catalog-pinned version.)
  • packages/wizard: explicit @anthropic-ai/sdk: ^0.106.0 (alert fix(protect): proper handling of composite types #128, GHSA-p7fg-763f-g4gf / CVE-2026-41686) — the only alert reaching published-package runtime (npx stash init). This is a peer-resolution pin, never imported — documented in the workspace file so it isn't tidied away as unused.
  • Root js-yaml^4.2.0.

Cooldown bypass (per SKILL.md): js-yaml 3.15.0 (published 2026-06-26) and fast-uri 3.1.3 (2026-06-29) are inside the 7-day window. Both are exact-pinned and were admitted via a single one-off pnpm install --config.minimumReleaseAge=0 run — no persistent minimumReleaseAgeExclude entry (an earlier revision used one; removed after review). Locked versions aren't re-age-checked, so normal and --frozen-lockfile installs need no bypass. Also fixed SKILL.md's bypass recipe — the --ignore-workspace-min-release-age flag it documented doesn't exist in pnpm 10.

New CI gates in e2e/tests/supply-chain.e2e.test.ts: overrides must stay range-scoped (no blanket pins) and ≤12 entries; minimumReleaseAgeExclude must stay first-party-only.

Verification

  • No vulnerable versions remain in the lockfile (every alert range checked).
  • Full turbo build 10/10 · wizard tests 139 ✅ · script tests 20 ✅ · supply-chain e2e 14 ✅ (incl. the 2 new gates) · --frozen-lockfile install ✅.
  • Changesets regression check (js-yaml moved on both majors, and a past js-yaml upgrade broke changesets): changeset status (exercises @manypkg/get-packages → js-yaml 3.15.0) and a full changeset version run with a throwaway changeset (exercises @changesets/parse → js-yaml 4.2.0) both work — changelogs and version bumps generated correctly, then reverted.

Follow-ups

  1. Relax fast-uri pin to ^3.1.3 after 2026-07-06 (noted in the workspace comment).
  2. Bump tsup to a release declaring esbuild ^0.28 and retire the esbuild override note.
  3. The open Dependabot PRs (chore(deps): bump the production-minor-patch group across 1 directory with 29 updates #544, chore(deps-dev): bump the dev-dependencies group across 1 directory with 9 updates #525, chore(deps): bump the actions-minor-patch group across 1 directory with 3 updates #514) are still worth merging for general freshness; chore(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 #520 (js-yaml) is superseded by this PR.

Summary by CodeRabbit

  • Security

    • Updated several package versions and dependency constraints to address known vulnerabilities.
    • Added safeguards to better control which dependency versions can be installed.
  • Tests

    • Added checks to help prevent risky dependency configuration changes from slipping in.
  • Documentation

    • Clarified the recommended process for applying security-related dependency fixes.

…rides

Root cause: the root package.json has a top-level npm-format `overrides`
block that pnpm ignores, so earlier fixes (next >=15.5.15, lodash
>=4.18.0, postcss >=8.5.10, vite catalog pin) never took effect, and the
catalog:security pins for next/vite were referenced by nothing.

- Add range-scoped security overrides to pnpm-workspace.yaml (the active
  location): next, lodash, js-cookie, postcss, vite 7.x, esbuild 0.27/28,
  js-yaml 3.x/4.x
- Reference catalog:security next from packages/nextjs devDependencies so
  the 15.5.18 pin actually resolves (peer range unchanged)
- Give wizard an explicit @anthropic-ai/sdk ^0.106.0 dependency — the
  vulnerable 0.81.0 was a stale auto-installed peer of claude-agent-sdk
  (which wants >=0.93.0); overrides don't rewrite peer resolutions
- Bump root js-yaml to ^4.2.0; temporarily exclude js-yaml from the
  7-day cooldown (3.15.0 security release is 6 days old — remove the
  exclusion after 2026-07-04)

Verified: no vulnerable versions remain in the lockfile; full turbo
build (10 packages), wizard tests (139), and script tests (20) pass.
@coderdan coderdan requested a review from a team as a code owner July 3, 2026 07:05
@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates workspace security overrides and validation, revises supply-chain cooldown guidance, and bumps dependency versions in the root and package manifests.

Changes

Dependency and workspace override updates

Layer / File(s) Summary
Workspace override and enforcement updates
pnpm-workspace.yaml, e2e/tests/supply-chain.e2e.test.ts, skills/stash-supply-chain-security/SKILL.md
Adds a top-level overrides block for transitive dependencies, adds e2e checks for minimumReleaseAgeExclude and override selector scoping/count, and updates cooldown bypass guidance for patched dependency installs.
Package manifest dependency updates
package.json, packages/nextjs/package.json, packages/wizard/package.json
Updates the root js-yaml devDependency, adds next to packages/nextjs, and adds @anthropic-ai/sdk to packages/wizard.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • cipherstash/stack#382: Both PRs modify e2e/tests/supply-chain.e2e.test.ts and pnpm-workspace.yaml to enforce pnpm supply-chain rules.
  • cipherstash/stack#414: Both PRs adjust next version constraints used by pnpm resolution and overrides.

Suggested reviewers: auxesis

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: resolving Dependabot alerts through pnpm overrides and dependency updates.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/dependabot-alert-cleanup

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 61: The root npm-format overrides entry for js-yaml is stale and still
pins the vulnerable 4.1.1 version even though devDependencies.js-yaml was bumped
to ^4.2.0. Update the package.json overrides.js-yaml value to match the new safe
version, or remove the dead npm overrides block entirely if pnpm-workspace.yaml
is now the source of truth; check the js-yaml entries in package.json to keep
them consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 42b994b8-ad53-4cc5-b0f5-c1cd530b9e89

📥 Commits

Reviewing files that changed from the base of the PR and between b650a8c and f73f523.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • package.json
  • packages/nextjs/package.json
  • packages/wizard/package.json
  • pnpm-workspace.yaml

Comment thread package.json

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to eliminate a set of open Dependabot security alerts by making pnpm overrides actually apply (moving them into pnpm-workspace.yaml), pinning security-sensitive toolchain deps via catalogs, and ensuring a published runtime package (@cipherstash/wizard) no longer pulls a vulnerable peer version.

Changes:

  • Added pnpm workspace-level overrides targeting vulnerable transitive dependency ranges (Next, lodash, js-cookie, postcss, vite, esbuild, js-yaml).
  • Activated the existing catalog:security Next.js pin by adding next: catalog:security to packages/nextjs devDependencies.
  • Updated @cipherstash/wizard to depend directly on @anthropic-ai/sdk@^0.106.0 and refreshed lockfile resolutions accordingly.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pnpm-workspace.yaml Adds effective pnpm overrides for vulnerable transitive deps and a temporary minimumReleaseAgeExclude entry.
pnpm-lock.yaml Captures the resulting dependency graph changes (Next/esbuild/js-yaml/etc.) after applying overrides and catalog pins.
packages/nextjs/package.json Adds next: catalog:security to ensure the workspace resolves the pinned Next version for dev/test.
packages/wizard/package.json Adds an explicit @anthropic-ai/sdk runtime dependency to avoid a vulnerable peer resolution path.
package.json Bumps root js-yaml devDependency range to ^4.2.0.
Files not reviewed (1)
  • pnpm-lock.yaml: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 31 to 34
"dependencies": {
"@anthropic-ai/claude-agent-sdk": "^0.3.143",
"@anthropic-ai/sdk": "^0.106.0",
"@cipherstash/auth": "catalog:repo",
- Restore fast-uri 3.1.3: the lockfile regen let the 7-day cooldown
  demote ajv's fast-uri to 3.1.2, un-fixing GHSA-4c8g-83qw-93j6 /
  CVE-2026-13676; pin the patched release until it matures
- Replace the js-yaml minimumReleaseAgeExclude entry (name-scoped,
  first-party-only list) with exact pins (3.15.0 / matured 4.2.0,
  evicting immature 4.3.0) installed via a one-off
  --config.minimumReleaseAge=0 run per SKILL.md; locked versions are
  not re-age-checked so normal installs need no bypass
- Delete the inert npm-format overrides block and stale
  workspaces.catalogs duplicate from root package.json (dead config
  that contradicted the live pins; the overrides copy still pinned
  vulnerable js-yaml 4.1.1)
- Annotate every override with its Dependabot alert + GHSA ID, note
  the esbuild-outside-tsup-range tradeoff, and document the wizard's
  @anthropic-ai/sdk dep as a peer-resolution pin (not unused)
- Gate both escape hatches in the supply-chain e2e test: overrides
  must stay range-scoped and ≤12 entries; minimumReleaseAgeExclude
  must stay first-party-only
- Fix SKILL.md's cooldown-bypass recipe: the documented
  --ignore-workspace-min-release-age flag does not exist in pnpm 10;
  the one-off equivalent is --config.minimumReleaseAge=0 with an
  exact pin

Verified: full turbo build (10 pkgs), wizard tests (139), script
tests (20), supply-chain e2e (14, incl. 2 new gates) all pass;
frozen-lockfile install passes with no bypass.
@changeset-bot

changeset-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: d232298

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 59-64: The js-yaml pin comment is stale because it still
references the removed `--ignore-workspace-min-release-age` workaround, which no
longer matches the updated `SKILL.md` recipe. Update the explanatory comment
near the `js-yaml@<3.15.0` entry in `pnpm-workspace.yaml` so it points to the
current `pnpm install --config.minimumReleaseAge=0` flow and remove the old flag
reference while keeping the note about the bypass/maturity window.

In `@skills/stash-supply-chain-security/SKILL.md`:
- Around line 141-147: The one-off pnpm install override is using the wrong
config flag format, so pnpm 10.33.2 will ignore it. Update the install example
in SKILL.md to use the kebab-case CLI override with pnpm install and the
minimum-release-age setting, and make sure the guidance around the one-off run
matches the accepted pnpm config override form.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ce94914e-4930-4ed5-a911-b51d53e0926f

📥 Commits

Reviewing files that changed from the base of the PR and between f73f523 and d232298.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • e2e/tests/supply-chain.e2e.test.ts
  • package.json
  • pnpm-workspace.yaml
  • skills/stash-supply-chain-security/SKILL.md
💤 Files with no reviewable changes (1)
  • package.json

Comment thread pnpm-workspace.yaml
Comment on lines +59 to +64
# #153 GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line.
# Exact pin: 3.15.0 is the only patched 3.x release. Installed with the
# one-off --ignore-workspace-min-release-age bypass (published 2026-06-26,
# matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude
# entry.
'js-yaml@<3.15.0': '3.15.0'

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Stale flag reference: comment still cites the removed --ignore-workspace-min-release-age flag.

This comment says the js-yaml pin was installed with --ignore-workspace-min-release-age "per SKILL.md," but the updated SKILL.md recipe (lines 138-154 of that file) now documents pnpm install --config.minimumReleaseAge=0 instead — the old flag name was removed from the doc in this same PR. A future reader following "per SKILL.md" will find a different command than the one referenced here.

📝 Proposed fix to align the comment with the updated SKILL.md recipe
   # `#153` GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line.
   # Exact pin: 3.15.0 is the only patched 3.x release. Installed with the
-  # one-off --ignore-workspace-min-release-age bypass (published 2026-06-26,
+  # one-off `--config.minimumReleaseAge=0` bypass (published 2026-06-26,
   # matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude
   # entry.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# #153 GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line.
# Exact pin: 3.15.0 is the only patched 3.x release. Installed with the
# one-off --ignore-workspace-min-release-age bypass (published 2026-06-26,
# matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude
# entry.
'js-yaml@<3.15.0': '3.15.0'
# `#153` GHSA-h67p-54hq-rp68 / CVE-2026-53550 — js-yaml merge-key DoS, 3.x line.
# Exact pin: 3.15.0 is the only patched 3.x release. Installed with the
# one-off `--config.minimumReleaseAge=0` bypass (published 2026-06-26,
# matures 2026-07-04) per SKILL.md, instead of a minimumReleaseAgeExclude
# entry.
'js-yaml@<3.15.0': '3.15.0'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pnpm-workspace.yaml` around lines 59 - 64, The js-yaml pin comment is stale
because it still references the removed `--ignore-workspace-min-release-age`
workaround, which no longer matches the updated `SKILL.md` recipe. Update the
explanatory comment near the `js-yaml@<3.15.0` entry in `pnpm-workspace.yaml` so
it points to the current `pnpm install --config.minimumReleaseAge=0` flow and
remove the old flag reference while keeping the note about the bypass/maturity
window.

Comment on lines +141 to 147
2. Run a one-off install with the cooldown disabled for that single run
(pnpm ≥ 10 has no dedicated flag; the CLI config override is the one-off
equivalent and does not persist):

```bash
# pnpm flag for a one-off install:
pnpm install <pkg>@<version> --ignore-workspace-min-release-age
pnpm install --config.minimumReleaseAge=0
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

Does pnpm's --config.minimumReleaseAge CLI flag actually override the minimumReleaseAge setting for a single install, or is it config-file-only in pnpm 10.x?

💡 Result:

In pnpm 10.x, the --config.minimum-release-age CLI flag does override the minimumReleaseAge setting for a single install [1][2]. Pnpm treats the minimumReleaseAge as a configurable setting that can be defined in multiple ways, including in the pnpm-workspace.yaml file, via environment variables, or through CLI flags [2][3]. When you set this value explicitly via the CLI, such as using --config.minimum-release-age=, pnpm respects that value for the duration of that command [1][2]. Furthermore, as of recent updates in the pnpm 10.x lifecycle, explicitly setting minimumReleaseAge via the CLI or other configuration methods also causes the minimumReleaseAgeStrict setting to default to true [2][3]. This ensures that the constraint is actively enforced (i.e., the installation will fail if no version meets the age requirement), rather than silently falling back to an immature version [2][3]. For users who have not explicitly configured the setting, the built-in default of 1440 minutes remains non-strict for backward compatibility [2][3].

Citations:


🌐 Web query:

pnpm 10.33.2 minimumReleaseAge CLI override --config.minimumReleaseAge=0 single install

💡 Result:

To disable the minimum release age constraint for a single pnpm install command, you can use the following CLI override: pnpm install --config.minimum-release-age=0 Note the following details regarding this configuration: 1. CLI Syntax: When passing this configuration via the CLI, the setting must use the kebab-case format (--config.minimum-release-age=0) rather than camelCase (--config.minimumReleaseAge=0) to be correctly parsed [1]. 2. Availability: This method of overriding the configuration via the CLI is supported in newer versions of pnpm, including pnpm 11+ and late 10.x versions that introduced the minimumReleaseAge feature [2][3][1]. 3. Configuration Precedence: While you can override the setting per-command, the recommended approach for persistent settings is to define minimumReleaseAge within your pnpm-workspace.yaml file [4]. 4. Strict Enforcement: In recent versions, if you explicitly configure a minimumReleaseAge (whether via config file or CLI), pnpm defaults to strict mode (minimumReleaseAgeStrict: true). This ensures the constraint is enforced rather than silently falling back to insecure or older package versions [2]. If you are using pnpm 10.33.2 specifically, the --config.minimum-release-age=0 syntax is the correct way to bypass the age gate for a single invocation [2][1].

Citations:


🌐 Web query:

pnpm 10.33.2 minimumReleaseAgeStrict CLI flag config file override issue 9921 11436

💡 Result:

In pnpm, an issue was identified where the minimumReleaseAge setting could appear ineffective because it would silently fall back to installing an immature version if no mature version satisfied the requested range [1][2][3]. This was addressed in pull request #11436 [1]. As of the fix, minimumReleaseAgeStrict now defaults to true whenever a user explicitly sets minimumReleaseAge via any configuration method (e.g., pnpm-workspace.yaml, CLI flags, global config.yaml, or environment variables) [1][4][3]. This ensures that the age constraint is strictly enforced [1]. Key details regarding this behavior include: - Backward Compatibility: The built-in default value for minimumReleaseAge (1440 minutes) remains non-strict to preserve existing behavior for users who have not explicitly configured the setting [1][4][3]. - Overriding: Users who wish to revert to the previous "silent fallback" behavior can do so by explicitly setting minimumReleaseAgeStrict: false in their configuration [1][4][3]. - Tracking: The changes were associated with issue #11433, which reported that the setting was not being respected in monorepos [2], and the foundational feature was introduced via issue #9921 [5][6]. This fix was implemented in pnpm v11.0.4 [2].

Citations:


Use the kebab-case CLI override
pnpm install --config.minimum-release-age=0 is the form pnpm 10.33.2 understands for a one-off override; --config.minimumReleaseAge=0 won’t be applied.

🧰 Tools
🪛 SkillSpector (2.3.7)

[error] 3: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 13: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 63: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 63: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 65: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@skills/stash-supply-chain-security/SKILL.md` around lines 141 - 147, The
one-off pnpm install override is using the wrong config flag format, so pnpm
10.33.2 will ignore it. Update the install example in SKILL.md to use the
kebab-case CLI override with pnpm install and the minimum-release-age setting,
and make sure the guidance around the one-off run matches the accepted pnpm
config override form.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants