security: fix 14 Dependabot vulnerabilities + upgrade pnpm to v11 #86
Open
IgorShevchik wants to merge 12 commits into
Conversation
…, qs, devalue, ip-address, brace-expansion)
- Bump nuxt ^4.4.2/4 → ^4.4.6 in docs, jssdk-nuxt, playgrounds/nuxt (fixes CVE: reflected XSS in navigateTo, cache poisoning, devalue DoS)
- Add pnpm.overrides in root package.json: fast-uri >=3.1.2, hono >=4.12.18, ip-address >=10.1.1, brace-expansion >=5.0.6, ws >=8.20.1, qs >=6.15.2, devalue >=5.8.1
pnpm audit: 14 vulnerabilities → 0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…y chain lockfile
- Bump packageManager to pnpm@11.4.0
- Move pnpm.overrides from package.json to pnpm-workspace.yaml (pnpm v11 requirement: "pnpm" field in package.json no longer read)
- Add allowBuilds section (pnpm v11 build-script approval system)
- Regenerate pnpm-lock.yaml with pnpm v11 (fresh resolution, no supply-chain violations)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Keep alongside pnpm-workspace.yaml overrides for reference. Note: pnpm v11 reads from pnpm-workspace.yaml; package.json field is ignored but kept intentionally.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

… AGENTS.md
- Bump version 1.1.2 → 1.1.3 (security patch release)
- Add CHANGELOG entry for v1.1.3 with all 14 CVE references
- Remove dead "resolutions" field from package.json (pnpm v11 ignores it)
- Remove duplicate "pnpm.overrides" from package.json (canonical location is pnpm-workspace.yaml)
- Remove "packageManager" from packages/jssdk-nuxt/package.json (only root should declare it)
- Fix AGENTS.md: "pnpm 10 monorepo" → "pnpm 11 monorepo"
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add jsSdk:unit vitest project — runs *.unit.spec.ts without portal credentials
- Add package-jssdk:test:run-unit script
- Add "Unit tests" and "Security audit" steps to ci.yml
- Add axios to root devDependencies: pnpm v11 no longer hoists it from packages/jssdk, but root test files import AxiosError directly
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…e run, tighten audit scope
- pnpm-workspace.yaml: drop `ignoredBuiltDependencies` / `onlyBuiltDependencies` (deprecated in pnpm v11; `allowBuilds` map already present and takes precedence)
- vitest.config.ts: exclude `*.unit.spec.ts` from jsSdk:integration project so unit tests no longer run twice (once portal-free, once requiring B24_HOOK)
- ci.yml: tighten security audit to `--prod --audit-level=high` to avoid false positives from dev-only transitive advisories blocking CI on every minor bump
- CHANGELOG: document all chore entries for v1.1.3
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…uild devDep
- package.json: fix script `package-jssdk-nuxt:typecheck` — was `--filter ./packages/jssdk` (core SDK) instead of `--filter ./packages/jssdk-nuxt`; the nuxt package typecheck was silently skipped in CI and `pnpm run typecheck`
- packages/jssdk-nuxt: declare `unbuild ^3.6.0` as explicit devDependency so `nuxt typecheck` can resolve the import in `build.config.ts`; previously the module was a phantom dep via @nuxt/module-builder that pnpm v11 no longer hoists
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…sSdk:unit
- Replace "Two Vitest projects" with three: jsSdk:unit / jsSdk:integration / jsSdk:underLoad
- Document jsSdk:unit as portal-free; clarify it runs in CI automatically
- Update the *.unit.spec.ts note: files now belong to jsSdk:unit project (not jsSdk:integration)
- Replace "CI does not run tests" with accurate statement about jsSdk:unit in CI
- Add unit runner to bash examples
- Bump Last reviewed to 2026-05-28
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…nit from PR
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ed date
- package.json: add `nuxt ^4.4.6` to root devDependencies so that root-level scripts (`nuxt prepare docs`, `nuxt dev docs`, `nuxt typecheck playgrounds/nuxt` etc.) find the binary under pnpm v11's strict isolation (v10 hoisted it automatically; v11 does not)
- docs/migration/1.v1.md: bump `audited: 2026-05-28` — CHANGELOG.md was updated in this PR, which triggered the docs-lint strict check
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…install
- docs/package.json: declare @bitrix24/b24icons-vue ^2.0.7, @vueuse/core ^14.3.0, reka-ui ^2.9.7 as direct dependencies; these are peer deps of @bitrix24/b24ui-nuxt that pnpm v10 hoisted automatically but pnpm v11 (strict isolation) does not — without them, `nuxt typecheck` in docs/ fails with TS2307 on every icon import
- scripts/__tests__/docs-typecheck.test.mjs: skip the three integration tests when TypeScript or the SDK dist types are not installed; the docs-lint CI job installs only Node (no pnpm), so tsc is unavailable — tests exit 1 instead of 0, causing spurious docs-lint failures
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- Bump `nuxt` ^4.4.2/4 → ^4.4.6 in docs, packages/jssdk-nuxt, playgrounds/nuxt (fixes reflected XSS in `navigateTo()`, shared-cache poisoning, `devalue` DoS)
- Add `overrides` in `pnpm-workspace.yaml` for transitive deps: `fast-uri >=3.1.2`, `hono >=4.12.18`, `ip-address >=10.1.1`, `brace-expansion >=5.0.6`, `ws >=8.20.1`, `qs >=6.15.2`, `devalue >=5.8.1`
- Upgrade pnpm 10.33.2 → 11.4.0; migrate `"pnpm"` overrides from `package.json` to `pnpm-workspace.yaml` (pnpm v11 requirement)
- Add `allowBuilds` section (pnpm v11 build-script approval)
- Regenerate `pnpm-lock.yaml` with pnpm v11

Result: `pnpm audit` — 14 vulnerabilities → 0

Test plan
- `pnpm install` — no errors
- `pnpm audit` — no vulnerabilities

🤖 Generated with Claude Code
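The overrides this PR pins only help if the lockfile really resolves each package at or above its floor, and a `pnpm` field left in package.json is silently ignored by pnpm v11. The following is an added example, not code from the PR or the project: it reads the `overrides:` map of a pnpm-workspace.yaml and checks every resolved version in a pnpm-lock.yaml against it (both inputs are constructed samples; the `name@x.y.z:` lockfile key shape is an assumption).

```javascript
// Added example (not from the PR or the project): check that the version floors
// declared as pnpm overrides are honoured by the resolved lockfile. Both inputs
// below are constructed samples modelled on the shapes pnpm uses.
const WORKSPACE_YAML = `
overrides:
  hono: '>=4.12.18'
  ws: '>=8.20.1'
  qs: '>=6.15.2'
`;
// Constructed lockfile excerpt: ws is deliberately left below its floor.
const LOCKFILE_YAML = `
packages:
  hono@4.12.18:
    resolution: {integrity: sha512-constructed}
  ws@8.18.0:
    resolution: {integrity: sha512-constructed}
`;
// Map package name -> minimum version from the top-level `overrides:` block.
function parseOverrides(yaml) {
  const floors = {};
  let inOverrides = false;
  for (const line of yaml.split('\n')) {
    if (/^\S/.test(line)) { inOverrides = line.trim() === 'overrides:'; continue; }
    const m = inOverrides && line.match(/^\s+([^:\s]+):\s*'?>=(\d+\.\d+\.\d+)'?\s*$/);
    if (m) floors[m[1]] = m[2];
  }
  return floors;
}
// Map package name -> every resolved version found in "name@x.y.z:" lockfile keys.
function parseLockfileVersions(yaml) {
  const versions = {};
  for (const m of yaml.matchAll(/^ {2}(@?[^@\s]+)@(\d+\.\d+\.\d+)[^:]*:/gm))
    (versions[m[1]] = versions[m[1]] || []).push(m[2]);
  return versions;
}
// Numeric major.minor.patch compare; a string compare would rank 4.12.9 above 4.12.18.
function lessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
// Returns "name@version < floor" for every resolved version under its floor.
function findViolations(workspaceYaml, lockfileYaml) {
  const floors = parseOverrides(workspaceYaml), out = [];
  const resolved = parseLockfileVersions(lockfileYaml);
  for (const [name, floor] of Object.entries(floors))
    for (const v of resolved[name] || [])
      if (lessThan(v, floor)) out.push(`${name}@${v} < ${floor}`);
  return out;
}
```

Running it after `pnpm install` complements `pnpm audit`, which reports advisories but not whether an override was actually applied.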