
Add overrides to pnpm workspace for compat installs to address CVEs#27293

Merged
alexvy86 merged 4 commits into
microsoft:mainfrom
alexvy86:overrides-in-compat-workspace
May 15, 2026

Conversation

@alexvy86 (Contributor)

Description

Adds a few overrides to the pnpm workspace for compat installs. We got an alert for axios 0.28.1, so that was the main thing to fix, but applied a few others that we also have in other places.

Reviewer Guidance

The review process is outlined on this wiki page.

@github-actions (Contributor)

github-actions Bot commented May 12, 2026

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (339 lines, 3 files), I've queued these reviewers:

  • Correctness — logic errors, race conditions, lifecycle issues
  • Security — vulnerabilities, secret exposure, injection
  • API Compatibility — breaking changes, release tags, type design
  • Performance — algorithmic regressions, memory leaks
  • Testing — coverage gaps, hollow tests

How this works

  • Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

  • Tick Start review below to dispatch the review fleet.

  • After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

  • This comment updates as new commits land; your reviewer selections are preserved.


Copilot AI (Contributor) left a comment


Pull request overview

This PR adds pnpm workspace-level overrides in the test-version-utils compat workspace to force patched dependency versions (primarily addressing an axios 0.28.1 security alert), and regenerates the committed lockfile to reflect the new resolution.

Changes:

  • Add pnpm overrides in compat-workspaces/full/pnpm-workspace.yaml to pin safer versions of axios, jsrsasign, serialize-javascript, and uuid.
  • Regenerate compat-workspaces/full/pnpm-lock.yaml so the resolved versions (and the overrides block) match the new configuration.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Files reviewed:
  • packages/test/test-version-utils/compat-workspaces/full/pnpm-workspace.yaml: Adds override rules to force patched dependency versions during compat workspace installs.
  • packages/test/test-version-utils/compat-workspaces/full/pnpm-lock.yaml: Updates the lockfile to reflect the new overrides and resulting resolved versions.
Files not reviewed (1)
  • packages/test/test-version-utils/compat-workspaces/full/pnpm-lock.yaml: Language not supported
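The review above notes that the lockfile was regenerated so its resolved versions match the new overrides, which is the part worth checking mechanically. The script below is an added example, not code from the PR or the FluidFramework repository: it scans the `packages:` section of a pnpm-lock.yaml (both the v6 `/name@version` and v9 `name@version` key forms, scoped names and peer-dependency suffixes included) and reports any resolved version below a required minimum. The sample lockfile text, the `sha512-CONSTRUCTED` integrity values and the minimum versions in `DEMO_MINIMUMS` are constructed for the demo; only the axios 0.28.1 entry comes from the PR. It uses no YAML library so it runs with plain Node.

```javascript
// Added example (not from the PR): verify that a pnpm lockfile honours a set of
// minimum-version overrides such as the axios / jsrsasign / serialize-javascript
// / uuid pins the PR describes. Regular expressions stand in for a YAML parser so
// the check runs offline with no dependencies.

// Constructed sample lockfile fragment. The axios 0.28.1 entry is the version
// named in the PR's alert; every other version and integrity value is illustrative.
const SAMPLE_LOCKFILE = `
lockfileVersion: '9.0'

overrides:
  axios: '>=1.0.0'

packages:

  axios@0.28.1:
    resolution: {integrity: sha512-CONSTRUCTED}

  axios@1.7.0(debug@4.3.4):
    resolution: {integrity: sha512-CONSTRUCTED}

  '@types/uuid@9.0.8':
    resolution: {integrity: sha512-CONSTRUCTED}

  uuid@9.0.1:
    resolution: {integrity: sha512-CONSTRUCTED}

  /serialize-javascript@6.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  axios@0.28.1: {}
`;

// Parse "1.2.3" (a prerelease suffix such as "-beta.1" is dropped) into numbers
// so versions can be compared without pulling in a semver package.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package keys under `packages:` look like "  /name@1.2.3:" (lockfile v6),
// "  name@1.2.3:" or "  'name@1.2.3(peer@4.5.6)':" (v9); names may be scoped.
const PACKAGE_KEY = /^ {2}'?\/?((?:@[^/'\s]+\/)?[^@'\s/]+)@([^'(:\s]+)/;

// Collect every {name, version} entry resolved under the top-level `packages:` key.
function extractResolved(lockText) {
  const resolved = [];
  let section = null;
  for (const line of lockText.split("\n")) {
    const top = /^([A-Za-z]+):\s*$/.exec(line); // bare top-level key, e.g. "packages:"
    if (top) {
      section = top[1];
      continue;
    }
    if (section !== "packages") continue;
    const m = PACKAGE_KEY.exec(line);
    if (m) resolved.push({ name: m[1], version: m[2] });
  }
  return resolved;
}

// Report every resolved package whose version is below the required minimum.
// `minimums` maps a package name to the lowest acceptable version.
function findViolations(lockText, minimums) {
  return extractResolved(lockText)
    .filter((p) => p.name in minimums && compareVersions(p.version, minimums[p.name]) < 0)
    .map((p) => ({ ...p, minimum: minimums[p.name] }));
}

// Illustrative minimums for the demo, not the PR's actual pins.
const DEMO_MINIMUMS = { axios: "1.0.0", uuid: "9.0.0", "serialize-javascript": "6.0.2" };

// Demo run over the constructed lockfile: flags axios@0.28.1 and serialize-javascript@6.0.0.
for (const v of findViolations(SAMPLE_LOCKFILE, DEMO_MINIMUMS)) {
  console.log(`${v.name}@${v.version} is below required ${v.minimum}`);
}
```

To use it on a real workspace, replace `SAMPLE_LOCKFILE` with the contents of the compat workspace's pnpm-lock.yaml and fill `DEMO_MINIMUMS` from the `overrides:` block in pnpm-workspace.yaml; a non-empty result means an override is declared but the lockfile was not regenerated, or a nested dependency still resolves to an unpatched version.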

Comment thread on packages/test/test-version-utils/compat-workspaces/full/pnpm-workspace.yaml (outdated)

@alexvy86 (Contributor, Author)

FYI @ChumpChief @jason-ha. Where possible we've been starting to use pnpm-workspace.yaml for overrides so we can comment them better. We couldn't do it in the client release group because syncpack didn't quite support catalogs and/or the pnpm-workspace.yaml file. Syncpack 15 seems to have added the necessary support, so maybe we can do it now :).

@alexvy86 alexvy86 merged commit 5c0b0c6 into microsoft:main May 15, 2026
31 checks passed
@alexvy86 alexvy86 deleted the overrides-in-compat-workspace branch May 15, 2026 21:50
#27320
