fix(#377): add pnpm overrides for matrix-bot-sdk transitive vulnerabilities

matrix-bot-sdk depends on the deprecated `request` library which pulls
in vulnerable form-data (<2.5.4, critical: unsafe random boundary) and
qs (<6.14.1, high: DoS via memory exhaustion). Add pnpm overrides to
force patched versions since matrix-bot-sdk has no newer release.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 12:17:17 -06:00
parent eca2c46e9d
commit 3cc2030446
2 changed files with 6 additions and 18 deletions


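--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -57,8 +57,10 @@
 "pnpm": {
 "overrides": {
 "@isaacs/brace-expansion": ">=5.0.1",
+"form-data": ">=2.5.4",
 "lodash": ">=4.17.23",
 "lodash-es": ">=4.17.23",
+"qs": ">=6.14.1",
 "undici": ">=6.23.0"
 }
 }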
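Review bot: The new `"form-data": ">=2.5.4"` override is an open-ended range, and the lockfile hunk below shows it resolving to form-data 4.0.5 under what appears to be the `request` snapshot, which to my knowledge declares a `~2.3.x` dependency; that is a jump of two major versions for a package `request` uses on every multipart upload, and nothing in the commit exercises that path. Pinning to the patched line while staying inside the major `request` was written against, e.g. `"form-data": ">=2.5.4 <3"`, satisfies the advisory with a much smaller behavioural surface; if pnpm's selector syntax is in use in this repo, `"request>form-data": ">=2.5.4 <3"` would further confine the override to the `request` chain instead of rewriting every form-data consumer in the tree. The `qs` override stays within 6.x, so the same concern applies there only in the sense that it is also a blanket override. Since package.json cannot carry comments, the rationale (the #377 advisories and the fact that matrix-bot-sdk has no newer release) should be recorded where the next maintainer will see it, for instance a `pnpm.overrides` note in the README or the tracking issue, so the override is not silently dropped once matrix-bot-sdk is bumped.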

pnpm-lock.yaml generated

@@ -6,8 +6,10 @@ settings:
overrides: overrides:
'@isaacs/brace-expansion': '>=5.0.1' '@isaacs/brace-expansion': '>=5.0.1'
form-data: '>=2.5.4'
lodash: '>=4.17.23' lodash: '>=4.17.23'
lodash-es: '>=4.17.23' lodash-es: '>=4.17.23'
qs: '>=6.14.1'
undici: '>=6.23.0' undici: '>=6.23.0'
importers: importers:
@@ -4653,10 +4655,6 @@ packages:
typescript: '>3.6.0' typescript: '>3.6.0'
webpack: ^5.11.0 webpack: ^5.11.0
form-data@2.3.3:
resolution: {integrity: sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==}
engines: {node: '>= 0.12'}
form-data@4.0.5: form-data@4.0.5:
resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==} resolution: {integrity: sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==}
engines: {node: '>= 6'} engines: {node: '>= 6'}
@@ -5874,10 +5872,6 @@ packages:
resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==} resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
engines: {node: '>=0.6'} engines: {node: '>=0.6'}
qs@6.5.5:
resolution: {integrity: sha512-mzR4sElr1bfCaPJe7m8ilJ6ZXdDaGoObcYR0ZHSsktM/Lt21MVHj5De30GQH2eiZ1qGRTO7LCAzQsUeXTNexWQ==}
engines: {node: '>=0.6'}
randombytes@2.1.0: randombytes@2.1.0:
resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==} resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==}
@@ -11688,12 +11682,6 @@ snapshots:
typescript: 5.9.3 typescript: 5.9.3
webpack: 5.104.1(@swc/core@1.15.11) webpack: 5.104.1(@swc/core@1.15.11)
form-data@2.3.3:
dependencies:
asynckit: 0.4.0
combined-stream: 1.0.8
mime-types: 2.1.35
form-data@4.0.5: form-data@4.0.5:
dependencies: dependencies:
asynckit: 0.4.0 asynckit: 0.4.0
@@ -12906,8 +12894,6 @@ snapshots:
dependencies: dependencies:
side-channel: 1.1.0 side-channel: 1.1.0
qs@6.5.5: {}
randombytes@2.1.0: randombytes@2.1.0:
dependencies: dependencies:
safe-buffer: 5.2.1 safe-buffer: 5.2.1
@@ -13083,7 +13069,7 @@ snapshots:
combined-stream: 1.0.8 combined-stream: 1.0.8
extend: 3.0.2 extend: 3.0.2
forever-agent: 0.6.1 forever-agent: 0.6.1
form-data: 2.3.3 form-data: 4.0.5
har-validator: 5.1.5 har-validator: 5.1.5
http-signature: 1.2.0 http-signature: 1.2.0
is-typedarray: 1.0.0 is-typedarray: 1.0.0
@@ -13092,7 +13078,7 @@ snapshots:
mime-types: 2.1.35 mime-types: 2.1.35
oauth-sign: 0.9.0 oauth-sign: 0.9.0
performance-now: 2.1.0 performance-now: 2.1.0
qs: 6.5.5 qs: 6.14.1
safe-buffer: 5.2.1 safe-buffer: 5.2.1
tough-cookie: 2.5.0 tough-cookie: 2.5.0
tunnel-agent: 0.6.0 tunnel-agent: 0.6.0