Pull request overview
This PR applies a dependency security/audit remediation by forcing an updated Axios version via pnpm overrides and regenerating the pnpm lockfile to reflect the new resolved dependency graph.
Changes:
- Add a pnpm override to force `axios@<=1.13.4` to resolve to `^1.13.5`.
- Update `pnpm-lock.yaml` to reflect `axios@1.13.5` and related transitive dependency bumps (e.g., `follow-redirects`, `form-data`).
- Lockfile metadata adjustments for several platform-specific packages and the `mermaid-isomorphic` tarball reference.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Adds pnpm override to force Axios to a patched version. |
| pnpm-lock.yaml | Regenerates lockfile with updated Axios resolution and transitive updates; includes additional lockfile metadata changes. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| '@img/sharp-linuxmusl-x64@0.34.5': | ||
| resolution: {integrity: sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==} | ||
| engines: {node: ^18.17.0 || ^20.3.0 || >=21.0.0} | ||
| cpu: [x64] | ||
| os: [linux] |
The libc constraint metadata is missing for this Linux musl binary package entry. Without libc: [musl], pnpm can't distinguish musl vs glibc variants by platform, which can lead to installing both variants on Linux and bloating installs (or picking the wrong one in some environments). Please regenerate the lockfile in a way that preserves libc constraints, or confirm that upstream packages no longer rely on libc filtering.
| '@rollup/rollup-linux-x64-musl@4.50.2': | ||
| resolution: {integrity: sha512-HPNJwxPL3EmhzeAnsWQCM3DcoqOz3/IC6de9rWfGR8ZCuEHETi9km66bH/wG3YH0V3nyzyFEGUZeL5PKyy4xvw==} | ||
| cpu: [x64] | ||
| os: [linux] |
These Rollup Linux binary packages no longer include a libc qualifier (e.g., libc: [musl]). Since rollup@4.50.2 lists both *-gnu and *-musl as optional dependencies, losing libc constraints may cause extra platform packages to be installed on Linux, increasing install size/time. Please confirm this is expected with the pnpm version used in CI (pnpm 10) and that installs remain deterministic across glibc vs musl environments.
| mermaid-isomorphic@https://codeload.github.com/silverhand-io/mermaid-isomorphic/tar.gz/c081c30: | ||
| resolution: {tarball: https://codeload.github.com/silverhand-io/mermaid-isomorphic/tar.gz/c081c30} |
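Review bot: the `mermaid-isomorphic` entry's resolution carries only a `tarball:` URL and no `integrity:` field, unlike the `@img/sharp-linuxmusl-x64` and `@rollup/rollup-linux-x64-musl` entries above, so the lockfile pins where the code is fetched from but not which bytes get installed; whatever codeload.github.com serves for that URL is accepted without any lockfile diff. Together with the abbreviated commit in the URL this is the weakest pin in the file. Suggest pinning to the full commit SHA and, if the package is published, switching to a registry version so the entry gets an `integrity: sha512-...` value like the others.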
mermaid-isomorphic is locked to a short Git commit hash (c081c30) in the tarball URL. For long-term reproducibility and to avoid potential hash-prefix ambiguity, prefer locking GitHub tarballs to the full 40-character commit SHA (or a tag) so the dependency remains unambiguous.
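A small lockfile checker, added here as an example and not code from the PR or the project, that applies the checks raised in this review to a constructed `pnpm-lock.yaml` excerpt: a version floor for the overridden package, a `libc` qualifier on musl binaries, and an integrity hash plus full-length commit for tarball dependencies. The excerpt and its `sha512-` values are constructed placeholders.

```python
import re
# Constructed pnpm-lock.yaml excerpt modelled on the entries under review;
# the integrity values are placeholders, not real hashes.
SAMPLE_LOCK = """\
packages:
  '@img/sharp-linuxmusl-x64@0.34.5':
    resolution: {integrity: sha512-PLACEHOLDER1}
    cpu: [x64]
    os: [linux]
  axios@1.13.5:
    resolution: {integrity: sha512-PLACEHOLDER2}
  mermaid-isomorphic@https://codeload.github.com/silverhand-io/mermaid-isomorphic/tar.gz/c081c30:
    resolution: {tarball: https://codeload.github.com/silverhand-io/mermaid-isomorphic/tar.gz/c081c30}
snapshots:
"""
ENTRY_RE = re.compile(r"^  '?([^'\s]+?)'?:\s*$")  # 2-space indented package key
FIELD_RE = re.compile(r"^    (\w+): (.*)$")        # 4-space indented attribute
def parse_packages(lock_text):
    # Return {package_key: {field: raw_value}} for the packages: section only.
    pkgs, current, in_packages = {}, None, False
    for line in lock_text.splitlines():
        if line.rstrip() == "packages:":
            in_packages = True
        elif in_packages and line and not line.startswith(" "):
            break  # reached the next top-level section (e.g. snapshots:)
        elif in_packages and (m := ENTRY_RE.match(line)):
            current = m.group(1)
            pkgs[current] = {}
        elif in_packages and (m := FIELD_RE.match(line)) and current is not None:
            pkgs[current][m.group(1)] = m.group(2)
    return pkgs

def version_tuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def audit(lock_text, min_versions):
    # Return findings as strings; an empty list means every check passed.
    findings = []
    for key, fields in parse_packages(lock_text).items():
        name, _, version = key.split("(")[0].rpartition("@")  # drop any peer suffix
        if "integrity:" not in fields.get("resolution", ""):  # bytes not pinned to a hash
            findings.append(f"{key}: resolution has no integrity hash")
        m = re.search(r"/tar\.gz/([0-9a-f]+)$", version)
        if m and len(m.group(1)) < 40:  # abbreviated commit in a tarball URL
            findings.append(f"{key}: tarball pinned to short commit {m.group(1)}")
        floor = min_versions.get(name)
        if floor and version_tuple(version) < version_tuple(floor):
            findings.append(f"{key}: {version} is below required {floor}")
        if "musl" in name and "libc" not in fields:  # musl binary lost its libc filter
            findings.append(f"{key}: missing libc constraint")
    return findings
```

Running `audit(SAMPLE_LOCK, {"axios": "1.13.5"})` reports the missing `libc` field on the sharp entry and both tarball problems on `mermaid-isomorphic`, while the overridden `axios` resolution passes.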
Deploying auth-wiki with Cloudflare Pages

| Field | Value |
|---|---|
| Latest commit: | 74232c9 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://fccc6c5b.auth-wiki.pages.dev |
| Branch Preview URL: | https://yemq-audit-fix-20260215.auth-wiki.pages.dev |
Summary
audit fix