fix: patch Dependabot alerts #4, #9, #12 (path-to-regexp, picomatch, brace-expansion)#46

Merged
marcelosalloum merged 3 commits into main from copilot/fix-dependency-issues, Mar 31, 2026

Conversation


Copilot AI commented Mar 31, 2026

Three sets of npm advisories published March 25–27, 2026 affect transitive dependencies. All are fixed by updating the lockfile directly — no pnpm.overrides needed.

Vulnerabilities patched

| Package | Old | New | GHSA | Severity |
|---|---|---|---|---|
| path-to-regexp | 8.3.0 | 8.4.1 | GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7 | HIGH / MEDIUM |
| picomatch (2.x) | 2.3.1 | 2.3.2 | GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p | HIGH / MEDIUM |
| picomatch (4.x) | 4.0.3 | 4.0.4 | same | HIGH / MEDIUM |
| brace-expansion (1.x) | 1.1.12 | 1.1.13 | GHSA-f886-m6hf-6m8v | MEDIUM |
| brace-expansion (5.x) | 5.0.4 | 5.0.5 | same | MEDIUM |

Approach

Every parent package already uses a ^ semver range that allows the patched version:

| Vulnerable dep | Parent | Parent's constraint | Patched version |
|---|---|---|---|
| path-to-regexp | router@2.2.0 | ^8.0.0 | 8.4.1 ✓ |
| picomatch@2.x | anymatch@3.1.3 | ^2.0.4 | 2.3.2 ✓ |
| picomatch@4.x | tinyglobby | ^4.0.3 | 4.0.4 ✓ |
| brace-expansion@1.x | minimatch@3.1.5 | ^1.1.7 | 1.1.13 ✓ |
| brace-expansion@5.x | minimatch@10.2.4 | ^5.0.2 | 5.0.5 ✓ |

Running `pnpm update path-to-regexp picomatch brace-expansion` refreshes the lockfile pins to the latest compatible versions (the patched ones). `pnpm.overrides` would be unnecessary maintenance overhead — the lockfile is committed and deterministic, so `pnpm install` everywhere uses the pinned fixed versions.

Changes: `pnpm-lock.yaml` only — `package.json` is untouched (beyond the previous `flatted` override).
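A post-merge check for the approach described above, added here as an example and not part of this PR or the project: it walks the `packages:` section of a pnpm v9 lockfile and reports any resolved version that is still below the patched floor for its major line, using the floors from the table above. The sample lockfile and its `sha512-CONSTRUCTED` integrity strings are constructed; `PATCHED`, `PKG_KEY` and the two functions are names chosen here.

```python
import re

# Minimum patched version per major line, from the PR table. Majors not listed
# (e.g. picomatch 3.x) are outside these advisories and are not judged here.
PATCHED = {
    "path-to-regexp": {8: (8, 4, 1)},
    "picomatch": {2: (2, 3, 2), 4: (4, 0, 4)},
    "brace-expansion": {1: (1, 1, 13), 5: (5, 0, 5)},
}

# Package keys under `packages:` in a pnpm v9 lockfile, e.g. "  picomatch@2.3.1:"
# or "  @scope/name@1.2.3(peer@4.0.0):" (the peer-dependency suffix is ignored).
PKG_KEY = re.compile(
    r"^  ((?:@[^/\s]+/)?[^@\s]+)@(\d+)\.(\d+)\.(\d+)[^:\s(]*(?:\([^)]*\))*:\s*$"
)

# Constructed sample lockfile: the 1.x and 2.x lines are still on vulnerable pins.
SAMPLE_LOCK = """lockfileVersion: '9.0'
packages:
  brace-expansion@1.1.12:
    resolution: {integrity: sha512-CONSTRUCTED}
  brace-expansion@5.0.5:
    resolution: {integrity: sha512-CONSTRUCTED}
  path-to-regexp@8.4.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  picomatch@2.3.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  picomatch@4.0.4:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  picomatch@2.3.1: {}
"""

def lockfile_packages(lock_text):
    """Return (name, (major, minor, patch)) for each key under `packages:` only."""
    found, in_packages = [], False
    for line in lock_text.splitlines():
        if line and not line[0].isspace():  # top-level key: packages:, snapshots:, ...
            in_packages = line.startswith("packages:")
            continue
        m = PKG_KEY.match(line) if in_packages else None
        if m:
            found.append((m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))))
    return found

def find_unpatched(lock_text, patched=PATCHED):
    """Return (name, version) for every pin below the patched floor of its major line."""
    bad = []
    for name, ver in lockfile_packages(lock_text):
        floor = patched.get(name, {}).get(ver[0])
        if floor is not None and ver < floor:
            bad.append((name, "%d.%d.%d" % ver))
    return bad
```

Pointing `find_unpatched` at the real `pnpm-lock.yaml` after `pnpm update` should return an empty list; a non-empty result means a parent constraint did not admit the patched release and the pin needs a closer look.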


… picomatch, and brace-expansion

Agent-Logs-Url: https://github.com/stellar/x402-stellar/sessions/63da46bc-19cc-40f0-a6b1-d4222b0440b7

Co-authored-by: sagpatil <1414227+sagpatil@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix dependency issues and ensure builds and tests" to "fix: patch Dependabot alerts #4, #9, #12 (path-to-regexp, picomatch, brace-expansion)" Mar 31, 2026
Copilot AI requested a review from sagpatil March 31, 2026 20:59

@sagpatil sagpatil requested a review from marcelosalloum March 31, 2026 21:07
@sagpatil sagpatil marked this pull request as ready for review March 31, 2026 21:07
Copilot AI review requested due to automatic review settings March 31, 2026 21:07

Copilot AI left a comment


Pull request overview

This PR patches several Dependabot alerts affecting transitive npm dependencies by adding pnpm.overrides in the root package.json and regenerating pnpm-lock.yaml to ensure the patched versions are resolved across the workspace.

Changes:

  • Added parent-scoped pnpm.overrides for picomatch (2.x vs 4.x) and version-scoped overrides for brace-expansion (1.x vs 5.x), plus a global override for path-to-regexp.
  • Regenerated pnpm-lock.yaml to reflect the new override rules and resolved patched versions.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
|---|---|
| package.json | Introduces new pnpm.overrides entries to force patched transitive dependency versions. |
| pnpm-lock.yaml | Updates the lockfile override section and resolved dependency graph to the patched versions. |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported


Comment thread package.json Outdated
All parent packages (router, anymatch, tinyglobby, minimatch) already use semver ranges (^) that allow the patched versions. A targeted pnpm update is sufficient to pin the fixes — no overrides needed.

- path-to-regexp: 8.3.0 → 8.4.1 (GHSA-j3q9-mxjg-w52f, GHSA-27v5-c462-wpq7)
- picomatch@2: 2.3.1 → 2.3.2 (GHSA-c2c7-rcm5-vvqj, GHSA-3v7f-55p6-f55p)
- picomatch@4: 4.0.3 → 4.0.4 (same)
- brace-expansion@1: 1.1.12 → 1.1.13 (GHSA-f886-m6hf-6m8v)
- brace-expansion@5: 5.0.4 → 5.0.5 (same)

@marcelosalloum marcelosalloum merged commit db7eded into main Mar 31, 2026
8 checks passed
@marcelosalloum marcelosalloum deleted the copilot/fix-dependency-issues branch March 31, 2026 21:30