Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions package.json
Original file line number Diff line number Diff line change
Expand Up @@ -140,6 +140,11 @@
"axios": "1.18.0",
"protobufjs@7": "7.6.4",
"protobufjs@8": "8.6.4",
"@asyncapi/specs@6.11.2": "6.11.1",
"@asyncapi/specs@6.11.2-alpha.1": "6.11.1",
"@asyncapi/generator@3.3.1": "3.3.0",
"@asyncapi/generator-helpers@1.1.1": "1.1.0",
"@asyncapi/generator-components@0.7.1": "0.7.0",
Comment on lines +143 to +147

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Baseline bypasses overrides 🐞 Bug ⛨ Security

The new pnpm.overrides mitigation is not applied in visual-baseline.yml because the workflow
checks out ref: stable and does not bring in the updated root package.json/pnpm-lock.yaml
before running pnpm install --no-frozen-lockfile. This leaves a CI path (with secrets exported)
where dependency re-resolution is not protected by the overrides added in this PR.
Agent Prompt
### Issue description
This PR adds security overrides in the repo root `package.json`/`pnpm-lock.yaml`, but `visual-baseline.yml` installs dependencies from the `stable` branch and never checks out the updated manifest/lockfile. As a result, the workflow’s `pnpm install --no-frozen-lockfile` does not use these overrides.

### Issue Context
- The mitigation is implemented via `pnpm.overrides` in the repo root.
- `visual-baseline.yml` checks out `stable`, then runs an unfrozen install.
- The job exports multiple secrets as environment variables.

### Fix Focus Areas
- package.json[126-154]
- pnpm-lock.yaml[304-331]
- .github/workflows/visual-baseline.yml[31-52]

### Suggested fix
Update `.github/workflows/visual-baseline.yml` so the install step uses a revision that contains the new overrides, e.g.:
- also checkout `package.json` and `pnpm-lock.yaml` from `main` in the "Get visual test infrastructure from main" step (similar to how it already checks out `tests/visual pnpm-workspace.yaml patches/`), **or**
- stop installing from `stable` for this job (checkout `main`), **or**
- alternatively, inject equivalent pnpm override configuration in the workflow before `pnpm install`.

Keep `--no-frozen-lockfile` only if it’s required for the cross-branch file mix; otherwise prefer using a consistent lockfile + `--frozen-lockfile` to avoid re-resolution.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +143 to +147

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Don’t rely on version-qualified overrides as exact-version guards

When the lockfile is regenerated, pnpm 10.25 matches pkg@range override keys against each dependency's declared range by intersection, not against the version that would have been resolved; the current @asyncapi/parser@3.4.0 declares @asyncapi/specs: ^6.8.0, which intersects 6.11.2. These entries therefore rewrite that broad edge to 6.11.1 rather than only replacing an actually resolved 6.11.2, so an unfrozen refresh such as .github/workflows/visual-baseline.yml's pnpm install --ignore-scripts --no-frozen-lockfile will turn this into a broad/stale pin that also suppresses future safe 6.11.3/6.12.x resolutions. If the intent is an exact bad-version block, use a lockfile/advisory check; if the intent is a temporary safe pin, make the broad pin explicit and easy to remove.

Useful? React with 👍 / 👎.

"superdoc": "workspace:*",
"@superdoc-dev/react": "workspace:*",
"@superdoc-dev/superdoc-yjs-collaboration": "workspace:*",
Expand Down
5 changes: 5 additions & 0 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading