Dependency security updates #1225
Conversation
This commit updates various dependencies, including Sentry packages, to their latest versions. It also adds new dependencies and adjusts peer dependency requirements for Vite.

Co-authored-by: burak.kaya <burak.kaya@sentry.io>
The >=2.0.2 resolution was upgrading to brace-expansion 4.x which is ESM-only, breaking minimatch which uses CommonJS require(). This constrains the version to stay within the 2.x range while still getting the CVE-2025-5889 security fix.
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "vite@>=6.0.0 <6.3.6": ">=6.3.6" |
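Review bot: the replacement range `>=6.3.6` in the `pnpm.overrides` entry has no upper bound, so the override resolves to whatever the newest published vite is, including a new major, rather than to a patched 6.x. The brace-expansion fix described above deliberately stayed within its 2.x range for exactly this reason; do the same here with `"vite@>=6.0.0 <6.3.6": "^6.3.6"` (or pin `6.3.6`), and check the lockfile diff to confirm vite resolves to a 6.x version for the astro-dependent workspace.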
Bug: The pnpm override for vite uses >=6.3.6, which will pull in vite 7.0.0 (a major version with breaking changes), instead of staying within the 6.x range.
Severity: CRITICAL | Confidence: High
🔍 Detailed Analysis
The pnpm override "vite@>=6.0.0 <6.3.6": ">=6.3.6" in package.json will resolve to the latest available version of vite, which is 7.0.0. This major version introduces breaking changes, such as requiring Node.js 20.19+ and removing the splitVendorChunkPlugin. The packages/website workspace, which depends on astro (which in turn uses vite 6.x), will be forced to use vite 7.0.0. This will likely cause build failures due to the breaking changes. This also creates inconsistent vite versions across the monorepo.
💡 Suggested Fix
Change the override value from >=6.3.6 to ^6.3.6. This will ensure that only versions within the 6.x range are installed, preventing the automatic upgrade to the breaking 7.0.0 major version while still applying the intended security fix.
Location: package.json#L44
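The resolution behaviour discussed in the review comment above (an unbounded `>=6.3.6` pulling in the next major, `^6.3.6` staying on 6.x) can be checked mechanically. The following is an added example, not code from this PR or the project: a minimal semver range checker plus an audit over `pnpm.overrides` that flags replacement ranges with no upper bound and shows what they would resolve to. The list of published vite versions, the `REGISTRY` map, and the helper names (`auditOverrides`, `hasUpperBound`, `resolve`) are assumptions made for the example; it only supports the comparator forms seen in this thread plus `~`, `<=`, `>` and exact versions.

```javascript
// Added example, not code from the PR or the project: a minimal semver range
// checker used to audit pnpm.overrides for replacement ranges with no upper
// bound. Only the operators seen in the thread (>=, <, ^) plus ~, <=, > and
// exact versions are handled; prerelease tags, "||" and x-ranges are not.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Expand one comparator into primitive {op, ver} constraints.
function parseComparator(c) {
  if (c.startsWith('^')) {
    // ^X.Y.Z: >=X.Y.Z and below the next major (next minor when X is 0).
    const v = parseVersion(c.slice(1));
    const upper = v[0] > 0 ? [v[0] + 1, 0, 0] : [0, v[1] + 1, 0];
    return [{ op: '>=', ver: v }, { op: '<', ver: upper }];
  }
  if (c.startsWith('~')) {
    // ~X.Y.Z: >=X.Y.Z and below the next minor.
    const v = parseVersion(c.slice(1));
    return [{ op: '>=', ver: v }, { op: '<', ver: [v[0], v[1] + 1, 0] }];
  }
  const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
  return [{ op: m[1] || '=', ver: parseVersion(m[2]) }];
}

// A range is whitespace-separated comparators that must all hold.
function parseRange(range) {
  return range.trim().split(/\s+/).flatMap(parseComparator);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  return parseRange(range).every(({ op, ver }) => {
    const c = compare(v, ver);
    return op === '>=' ? c >= 0 : op === '>' ? c > 0
      : op === '<=' ? c <= 0 : op === '<' ? c < 0 : c === 0;
  });
}

// True if some comparator caps the range from above (or pins it exactly).
function hasUpperBound(range) {
  return parseRange(range).some(({ op }) => op === '<' || op === '<=' || op === '=');
}

// What a resolver picks for a replacement range: the highest version that matches.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Audit pnpm.overrides from a parsed package.json: flag replacement ranges with
// no upper bound and show what they would resolve to against `registry`
// (an assumed map of package name -> published versions, not a live lookup).
function auditOverrides(pkgJson, registry) {
  const overrides = (pkgJson.pnpm && pkgJson.pnpm.overrides) || {};
  const findings = [];
  for (const [selector, replacement] of Object.entries(overrides)) {
    const at = selector.lastIndexOf('@'); // "vite@>=6.0.0 <6.3.6" -> "vite"
    const name = at > 0 ? selector.slice(0, at) : selector;
    if (!hasUpperBound(replacement)) {
      findings.push({
        selector,
        replacement,
        resolvesTo: resolve(replacement, registry[name] || []),
        reason: 'replacement range has no upper bound; a new major can be pulled in',
      });
    }
  }
  return findings;
}

// Constructed sample data: an assumed list of published vite versions and the
// override as submitted in this PR versus as suggested by the review.
const VITE_VERSIONS = ['6.0.0', '6.3.5', '6.3.6', '6.4.1', '7.0.0'];
const REGISTRY = { vite: VITE_VERSIONS };
const asSubmitted = { pnpm: { overrides: { 'vite@>=6.0.0 <6.3.6': '>=6.3.6' } } };
const asSuggested = { pnpm: { overrides: { 'vite@>=6.0.0 <6.3.6': '^6.3.6' } } };

console.log(JSON.stringify(auditOverrides(asSubmitted, REGISTRY), null, 2));
console.log(JSON.stringify(auditOverrides(asSuggested, REGISTRY), null, 2));
```

Run against the submitted override the audit reports one finding resolving to the newest version in the list; against the suggested `^6.3.6` it reports nothing and the highest 6.x is chosen. The same `hasUpperBound` check applies to the brace-expansion case mentioned earlier in the thread: a bare `>=` replacement is exactly the shape that lets a future major slip in under a security bump.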
Fix Dependabot Security Vulnerabilities
This PR addresses multiple Dependabot security alerts by updating vulnerable dependencies to their patched versions.
Key Changes:
- cookie, esbuild, brace-expansion, tmp, js-yaml, body-parser, and mdast-util-to-hast.
- @sentry/* packages across the workspace via catalog updates and direct dependency bumps in packages/spotlight/package.json.
- pnpm.overrides in the root package.json to ensure vite versions 6.0.0-6.3.5 are upgraded to 6.3.6+ to mitigate reported CVEs, specifically targeting transitive vite dependencies brought in by astro.

Verification:

- docker-compose.test.ts are noted as pre-existing and unrelated to these dependency updates.