
Conversation

CalebGerman
Collaborator

Summary

Added pnpm overrides to prevent installation of known malicious versions of the eslint-plugin-prettier and eslint-config-prettier packages.

Changes

  • Added eslint-plugin-prettier: ">=5.5.3" override to ensure minimum safe version
  • Added eslint-config-prettier: ">=10.1.8" override to ensure minimum safe version

Security Context

Recent security advisories identified malicious code in specific versions of these packages:

  • eslint-config-prettier: 8.10.1, 9.1.1, 10.1.6, 10.1.7
  • eslint-plugin-prettier: 4.2.2, 4.2.3 (plus transitive dependencies synckit@0.11.9, @pkgr/core@0.2.8)

Impact

  • Prevents any package in the monorepo from installing vulnerable versions
  • Forces resolution to safe versions across all workspace packages
  • No breaking changes expected as overrides specify minimum versions beyond the vulnerable ranges
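The override approach described above, as an added example that is not part of the PR or the repository: a small Node.js check that takes a package.json's `pnpm.overrides` and verifies that each malicious version named in this PR is excluded, and separately scans a set of resolved versions (the shape one would extract from a lockfile) for exact matches. The package.json fragment and the resolved-version snapshot are constructed for the example; only the `>=X.Y.Z` override form used by the PR is handled. Because the PR adds overrides for the two direct packages only, the audit reports the two transitive packages from the advisory (`synckit`, `@pkgr/core`) as having no override, which is the kind of gap a reviewer would want surfaced.

```javascript
// Added example, not code from the PR: audit a package.json's pnpm overrides
// against the malicious versions named in the PR description, and scan a
// constructed set of resolved versions for any that match the list.
// Assumption: only the ">=X.Y.Z" override form the PR uses is handled.

// Constructed package.json fragment carrying the overrides the PR adds.
const packageJson = {
  name: "example-monorepo",
  pnpm: {
    overrides: {
      "eslint-plugin-prettier": ">=5.5.3",
      "eslint-config-prettier": ">=10.1.8",
    },
  },
};

// Known-malicious versions, taken from the PR description.
const maliciousVersions = {
  "eslint-config-prettier": ["8.10.1", "9.1.1", "10.1.6", "10.1.7"],
  "eslint-plugin-prettier": ["4.2.2", "4.2.3"],
  synckit: ["0.11.9"],
  "@pkgr/core": ["0.2.8"],
};

// Parse "major.minor.patch" into three integers (pre-release tags not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies a ">=floor" override, i.e. it would still be
// installable with that override in place.
function allowedByOverride(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return compareVersions(version, m[1]) >= 0;
}

// Check every malicious version against the overrides. Returns findings:
// a malicious version still allowed, or a listed package with no override.
function auditOverrides(pkg, malicious) {
  const overrides = (pkg.pnpm && pkg.pnpm.overrides) || {};
  const findings = [];
  for (const [name, versions] of Object.entries(malicious)) {
    const range = overrides[name];
    if (range === undefined) {
      findings.push({ package: name, reason: "no override" });
      continue;
    }
    for (const v of versions) {
      if (allowedByOverride(v, range)) {
        findings.push({ package: name, version: v, reason: `allowed by ${range}` });
      }
    }
  }
  return findings;
}

// Scan resolved versions (shape: name -> list of versions, as one might
// extract from a lockfile) for exact matches against the malicious list.
function findInstalledMalicious(resolved, malicious) {
  const hits = [];
  for (const [name, versions] of Object.entries(resolved)) {
    const bad = malicious[name] || [];
    for (const v of versions) {
      if (bad.some((b) => compareVersions(b, v) === 0)) hits.push(`${name}@${v}`);
    }
  }
  return hits.sort();
}

// Constructed resolved-version snapshot: one workspace package still resolves
// a malicious plugin version, another is already on a safe one.
const resolvedSnapshot = {
  "eslint-plugin-prettier": ["4.2.3", "5.5.3"],
  "eslint-config-prettier": ["10.1.8"],
  synckit: ["0.11.9"],
};

function main() {
  console.log("override findings:", auditOverrides(packageJson, maliciousVersions));
  console.log("malicious in lockfile:", findInstalledMalicious(resolvedSnapshot, maliciousVersions));
}

main();
```

Run it with `node` and the first line lists the two packages without an override; the second lists the exact malicious resolutions present in the snapshot. In a real repository the `resolvedSnapshot` map would be built from `pnpm-lock.yaml`, and the override check is cheap enough to run in CI so that a later edit to package.json cannot silently drop the floor below the advisory versions.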

@CalebGerman CalebGerman requested a review from a team as a code owner July 24, 2025 19:57
@CalebGerman CalebGerman requested a review from diegopinate July 24, 2025 19:57

changeset-bot bot commented Jul 24, 2025

🦋 Changeset detected

Latest commit: 5213db7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@CalebGerman CalebGerman merged commit 61284a8 into master Jul 24, 2025
4 checks passed
@CalebGerman CalebGerman deleted the cgerman/package_vulnerability_fix branch July 24, 2025 21:16