chore: remove pnpm overrides once upstream deps are patched #90
Description
Context
PR #XX added pnpm.overrides in the root package.json to patch transitive dependency vulnerabilities (Dependabot alerts #1–#6).
These overrides are a workaround, not a permanent fix. They should be removed once the direct dependencies ship versions that pull in the patched transitive deps naturally.
Overrides to track
| Override | Patched version | Upstream dependency | Remove when |
|---|---|---|---|
| picomatch@<2.3.2 → 2.3.2 | 2.3.2 | @changesets/cli → micromatch | micromatch depends on picomatch@>=2.3.2 |
| picomatch@>=4.0.0 <4.0.4 → 4.0.4 | 4.0.4 | Various (tinyglobby, fdir) | Upstream deps require picomatch@>=4.0.4 |
| brace-expansion@>=5.0.0 <5.0.5 → 5.0.5 | 5.0.5 | ultracite → glob → minimatch | minimatch depends on brace-expansion@>=5.0.5 |
| yaml@>=2.0.0 <2.8.3 → 2.8.3 | 2.8.3 | vitest → vite | vite depends on yaml@>=2.8.3 |
Action
Periodically check if upstream has caught up. When all four are resolved:
- Remove the `pnpm.overrides` block from root `package.json`
- Run `pnpm install` and verify no Dependabot alerts remain
- Close this issue
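The "has upstream caught up" check above is mechanical: an override can go only when the upstream dependency's declared range no longer overlaps the vulnerable range the override key names. The script below is an added example (not part of this issue or the repository) that does that interval check for the four overrides in the table; the declared ranges in `SAMPLE` are constructed stand-ins for what you would read from `node_modules/<dep>/package.json`.

```python
"""Decide whether a pnpm.overrides entry can be dropped.

An override key names a vulnerable range (e.g. "picomatch@>=4.0.0 <4.0.4").
It is still needed only if the upstream dependency's declared range for that
package can still select a version inside the vulnerable range.
Handles ^x.y.z, ~x.y.z, >=a <b, <b, >=a and exact versions; no prereleases or ||.
"""
import re

Version = tuple[int, int, int]
NO_UPPER: Version = (10**9, 0, 0)  # sentinel for "no upper bound"

def parse_version(text: str) -> Version:
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)

def parse_range(spec: str) -> tuple[Version, Version]:
    """Return the half-open interval [lo, hi) selected by a semver range spec."""
    spec = spec.strip()
    if spec.startswith("^"):  # caret: up to the next major (next minor for 0.x)
        lo = parse_version(spec[1:])
        return lo, ((lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0))
    if spec.startswith("~"):  # tilde: up to the next minor
        lo = parse_version(spec[1:])
        return lo, (lo[0], lo[1] + 1, 0)
    lo, hi = (0, 0, 0), NO_UPPER
    for op, ver in re.findall(r"(>=|<=|<|>|=?)\s*v?(\d+\.\d+\.\d+)", spec):
        v = parse_version(ver)
        next_patch = (v[0], v[1], v[2] + 1)
        if op == ">=":
            lo = max(lo, v)
        elif op == ">":
            lo = max(lo, next_patch)
        elif op == "<":
            hi = min(hi, v)
        elif op == "<=":
            hi = min(hi, next_patch)
        else:  # exact version pin
            lo, hi = max(lo, v), min(hi, next_patch)
    return lo, hi

def override_still_needed(override_key: str, declared_range: str) -> bool:
    """True if the declared range still overlaps the override's vulnerable range."""
    _, vuln_spec = override_key.rsplit("@", 1)  # rsplit keeps @scope/name intact
    vuln_lo, vuln_hi = parse_range(vuln_spec)
    dep_lo, dep_hi = parse_range(declared_range)
    return max(vuln_lo, dep_lo) < min(vuln_hi, dep_hi)

# Constructed sample: the issue's overrides paired with hypothetical declared ranges.
SAMPLE = {
    "picomatch@<2.3.2": "^2.3.1",                # micromatch still allows 2.3.1 -> keep
    "picomatch@>=4.0.0 <4.0.4": "^4.0.4",        # tinyglobby/fdir moved on -> drop
    "brace-expansion@>=5.0.0 <5.0.5": "^5.0.5",  # minimatch moved on -> drop
    "yaml@>=2.0.0 <2.8.3": "^2.4.1",             # vite still allows 2.4.1 -> keep
}

def report(pairs=SAMPLE) -> dict[str, bool]:
    return {key: override_still_needed(key, rng) for key, rng in pairs.items()}

if __name__ == "__main__":
    for key, needed in report().items():
        print(f"{'KEEP' if needed else 'DROP'}  {key}")
```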
Labels
maintenance, dependencies