You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Part of the recurring PMDS repos dependency + security maintenance. Highest-priority repo this week — 6 High-severity alerts. For a coding agent to remediate and open a PR.
Workflow (per repo standard)
Review Dependabot / pnpm audit alerts
Bump outdated + vulnerable deps with pnpm (regenerate pnpm-lock.yaml via pnpm — do NOT hand-edit the lockfile)
Run the test suite and confirm CI is green
Honor the minimumReleaseAge guard (do not pull versions newer than the configured cooldown)
README/docs accuracy pass (see below)
Open one PR with a Conventional Commits title/message
Open Dependabot alerts (8)
tar — 7 alerts (6 High, 1 Moderate), all in pnpm-lock.yaml
⚠️Requires a major-version bump. Currently installable max is tar 6.2.1; affected range is <= 7.5.3 and the earliest fully-fixed version across this cluster is 7.5.16. Going 6.x → 7.5.16 is a breaking change — check tar's v7 API changes and any code/CLI usage before landing. If tar is transitive, use a pnpm.overrides entry pinning tar to >=7.5.16 and re-run the full test suite.
Interim mitigation if the upgrade can't land immediately: filter out SymbolicLink/hardlink entries when extracting untrusted tarballs.
Weekly Dependency + Security Sweep (Wk 3)
Part of the recurring PMDS repos dependency + security maintenance. Highest-priority repo this week — 6 High-severity alerts. For a coding agent to remediate and open a PR.
Workflow (per repo standard)
pnpm auditalertspnpm-lock.yamlvia pnpm — do NOT hand-edit the lockfile)minimumReleaseAgeguard (do not pull versions newer than the configured cooldown)Open Dependabot alerts (8)
tar— 7 alerts (6 High, 1 Moderate), all inpnpm-lock.yaml<= 7.5.3and the earliest fully-fixed version across this cluster is 7.5.16. Going 6.x → 7.5.16 is a breaking change — check tar's v7 API changes and any code/CLI usage before landing. Iftaris transitive, use apnpm.overridesentry pinningtarto>=7.5.16and re-run the full test suite.esbuild— 1 Moderate alertAccess-Control-Allow-Origin: *lets any site read responsespnpm-lock.yaml<= 0.24.2; earliest fixed 0.28.1 (installable max currently 0.21.5)pnpm.overridesbump of esbuild to>=0.28.1, or bumping the parent that pulls it.README / docs accuracy pass
PR
chore(deps): bump tar to >=7.5.16 and esbuild to >=0.28.1; docs accuracy passFiled as part of the weekly PMDS repos Dependency + Security Sweep.