chore: override versions of dompurify, svgo and tar to prevent security issues#227

Merged
Flo0806 merged 4 commits into main from fix/audit on Mar 16, 2026

Conversation

Gonzo17 (Contributor) commented Mar 9, 2026

Summary

  • Update pnpm
  • Override versions of dompurify, svgo and tar to prevent security issues

Related issue(s)

None

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • CI

Checklist

  • Tests added/updated
  • i18n keys added/updated (if needed)
  • No breaking changes

Screenshots

(If UI change)

Summary by CodeRabbit

Chores

  • Updated package manager from pnpm 10.30.3 to 10.31.0.
  • Tightened workspace dependency constraints for dompurify, svgo, and tar to improve stability and security.

coderabbitai bot (Contributor) commented Mar 9, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7fff00bd-c3da-43cc-94e7-6fa2d6fe107a

📥 Commits

Reviewing files that changed from the base of the PR and between f85e057 and 136b052.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

Updates the package manager from pnpm@10.30.3 to pnpm@10.31.0 and adjusts three workspace dependency override constraints for dompurify, svgo, and tar to newer minimum versions.

Changes

Cohort / File(s): Summary
  • Package Manager Update (package.json): Bumps packageManager from pnpm@10.30.3 to pnpm@10.31.0.
  • Workspace Dependency Overrides (pnpm-workspace.yaml): Updates overrides: dompurify constraint moved to >=3.3.2, svgo to >=4.0.1, and tar to >=7.5.10 (three new/adjusted override lines).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A nibble of change, a soft version hop,
pnpm steps ahead—no need to stop.
Dompurify, svgo, tar in a row,
I tinker the garden where dependencies grow. 🥕✨

🚥 Pre-merge checks: 3 passed
  • Title check: ✅ Passed. The title clearly summarizes the main changes: overriding versions of three packages (dompurify, svgo, tar) to address security issues, which aligns perfectly with the changeset.
  • Description check: ✅ Passed. The description covers the main points (pnpm update and package overrides for security), includes proper CI classification, and follows the template structure with all required sections present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (2)
pnpm-workspace.yaml (2)

9-12: Pin these override targets instead of leaving them open-ended.

These replacements are written as >=..., so the next lockfile refresh can float to a future major instead of the first patched release. Since overrides replace the dependency spec across the graph, I'd pin the patched versions here. (pnpm.io)

♻️ Suggested change
 overrides:
-  dompurify@>=3.1.3 <=3.3.1: '>=3.3.2'
+  dompurify@>=3.1.3 <=3.3.1: '3.3.2'
   serialize-javascript@<=7.0.2: '>=7.0.3'
-  svgo@=4.0.0: '>=4.0.1'
-  tar@<=7.5.9: '>=7.5.10'
+  svgo@=4.0.0: '4.0.1'
+  tar@<=7.5.9: '7.5.10'
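Review bot: pinning each replacement to an exact version trades one problem for another. The override then stays on 3.3.2, 4.0.1 and 7.5.10 until someone edits this file again, so later patch releases of these packages are not picked up automatically. A range capped at the next major, for example `dompurify@>=3.1.3 <=3.3.1: '>=3.3.2 <4'`, keeps the stated goal of not floating to a future major while still taking patches. Whichever form is chosen, the untouched `serialize-javascript@<=7.0.2: '>=7.0.3'` line has the identical open-ended shape and should be treated the same way for consistency.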
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pnpm-workspace.yaml` around lines 9 - 12, The overrides in
pnpm-workspace.yaml use open-ended ranges (e.g., dompurify@>=3.1.3 <=3.3.1:
'>=3.3.2') which can float to future majors; update each override to pin the
patched target version instead of using '>='—for the entries referencing
dompurify, serialize-javascript, svgo, and tar, replace the replacement specs
like '>=3.3.2', '>=7.0.3', '>=4.0.1', and '>=7.5.10' with the exact patched
versions (e.g., '3.3.2', '7.0.3', '4.0.1', '7.5.10') so the overrides
consistently lock to the intended patched releases.

9-12: Consider using $dompurify to align the manifest with the resolved version.

package.json declares dompurify: "3.3.1", but the override in pnpm-workspace.yaml forces 3.3.2+. While the override is already preventing vulnerable versions from being resolved (confirmed in pnpm-lock.yaml), using $dompurify would eliminate the drift and make the intent clearer:

# package.json
-    "dompurify": "3.3.1",
+    "dompurify": "3.3.2",

# pnpm-workspace.yaml
-  dompurify@>=3.1.3 <=3.3.1: '>=3.3.2'
+  dompurify@>=3.1.3 <=3.3.1: '$dompurify'
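Review bot: the two halves of this suggestion only work together. With `'$dompurify'` the override resolves to whatever package.json declares, so if the package.json hunk is dropped or lands in a later commit, the override would point at `3.3.1`, a version inside the selector `>=3.1.3 <=3.3.1` that this override exists to exclude, and the fix would be silently undone. Apply both hunks in the same commit and re-run `pnpm install` so the lockfile specifier is regenerated from the manifest rather than hand-edited.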
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pnpm-workspace.yaml` around lines 9 - 12, Replace the explicit package
selector "dompurify@>=3.1.3 <=3.3.1: '>=3.3.2'" in pnpm-workspace.yaml with the
manifest-aligned selector using the package alias variable: "$dompurify:
'>=3.3.2'"; this keeps the override that forces >=3.3.2 while matching
package.json's declared dompurify and making the intent clear (leave the other
overrides like serialize-javascript, svgo, tar unchanged).
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 870d0356-3dc2-4667-a071-6f021c2ab3ff

📥 Commits

Reviewing files that changed from the base of the PR and between 6ecc951 and f85e057.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Copilot AI left a comment

Pull request overview

This PR updates the repository’s package management configuration to mitigate known security issues by bumping pnpm and forcing patched versions of select dependencies via pnpm overrides.

Changes:

  • Bumped the pinned pnpm version (packageManager) to pnpm@10.31.0.
  • Added pnpm overrides for dompurify, svgo, and tar in the workspace config.
  • Updated the lockfile to reflect the new overrides and resulting resolved versions.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File: Description
  • pnpm-workspace.yaml: Adds dependency overrides to force patched versions of vulnerable packages.
  • pnpm-lock.yaml: Records the overrides and updates resolved dependency versions accordingly.
  • package.json: Updates the pinned pnpm version via packageManager.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

dompurify:
specifier: 3.3.1
version: 3.3.1
specifier: '>=3.3.2'
Copilot AI Mar 9, 2026


In the lockfile importer, dompurify now has specifier: '>=3.3.2', but the root package.json still declares dompurify: "3.3.1". With --frozen-lockfile this can fail because the lockfile no longer matches the manifest. Please either bump the manifest dependency to a compatible range/version (e.g. 3.3.2) or regenerate the lockfile so the specifier remains consistent while the override controls the resolved version.

Suggested change
specifier: '>=3.3.2'
specifier: 3.3.1
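Review bot: this suggestion edits a generated file in the wrong direction. pnpm-lock.yaml is rewritten by `pnpm install`, and the lockfile lines quoted above show that with the override in place the importer specifier is already emitted as the override target `'>=3.3.2'`, so hand-editing it back to `3.3.1` lasts only until the next install and leaves exactly the manifest/lockfile mismatch the comment describes. The durable fix is the other option the comment offers: bump the package.json dependency to 3.3.2 and regenerate the lockfile.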

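An added checker, not code from this PR or the project, for the two review findings discussed above: override replacements with no upper bound (which can float to a future major) and a package.json that still declares a version inside the vulnerable selector range (the source of the lockfile drift Copilot flagged). The selectors and version numbers in the sample data are taken from the comments above; `auditOverrides`, its helpers and the sample objects are assumptions constructed for this example, and versions are assumed to be plain x.y.z numbers rather than full semver.

```javascript
// Added example (not part of the PR or the project): audit pnpm override entries
// for open-ended replacements and for manifest drift into the vulnerable range.
// Assumes plain x.y.z versions and space-separated comparators as in pnpm-workspace.yaml.

const OPS = ['>=', '<=', '>', '<', '='];

// '3.3.1' -> [3, 3, 1]; a missing minor/patch defaults to 0 ('<4' -> [4, 0, 0]).
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function isExactVersion(v) {
  return /^v?\d+\.\d+\.\d+$/.test(String(v).trim());
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// '>=3.1.3 <=3.3.1' -> [{op:'>=', version:'3.1.3'}, {op:'<=', version:'3.3.1'}]
function parseRange(text) {
  const t = String(text).trim();
  if (t === '' || t === '*') return [];
  return t.split(/\s+/).map((token) => {
    const op = OPS.find((o) => token.startsWith(o)) || '=';
    const version = token.startsWith(op) ? token.slice(op.length) : token;
    return { op, version };
  });
}

// 'dompurify@>=3.1.3 <=3.3.1' -> { name: 'dompurify', comparators: [...] }
function parseSelector(selector) {
  const at = selector.lastIndexOf('@');
  const name = at > 0 ? selector.slice(0, at) : selector;
  const range = at > 0 ? selector.slice(at + 1) : '*';
  return { name, comparators: parseRange(range) };
}

function satisfies(version, comparators) {
  return comparators.every(({ op, version: bound }) => {
    const c = compareVersions(version, bound);
    if (op === '>=') return c >= 0;
    if (op === '<=') return c <= 0;
    if (op === '>') return c > 0;
    if (op === '<') return c < 0;
    return c === 0;
  });
}

// A replacement is bounded when it is an exact version, a '$pkg' reference to the
// manifest, or a range whose upper bound does not cross into a later major.
function isBounded(replacement) {
  if (replacement.startsWith('$')) return true;
  const comps = parseRange(replacement);
  if (comps.length === 1 && comps[0].op === '=') return true;
  const lower = comps.find((c) => c.op === '>=' || c.op === '>');
  const upper = comps.find((c) => c.op === '<=' || c.op === '<');
  if (!upper) return false;
  if (!lower) return true;
  const lo = parseVersion(lower.version);
  const up = parseVersion(upper.version);
  if (upper.op === '<=') return up[0] <= lo[0];
  return up[0] === lo[0] || (up[0] === lo[0] + 1 && up[1] === 0 && up[2] === 0);
}

// Audit every override against the manifest's direct dependencies; returns findings.
function auditOverrides(overrides, manifestDeps) {
  const findings = [];
  for (const [selector, replacement] of Object.entries(overrides)) {
    const { name, comparators } = parseSelector(selector);
    if (!isBounded(replacement)) {
      findings.push(`${name}: replacement '${replacement}' has no upper bound and may float to a future major`);
    }
    const declared = manifestDeps[name];
    if (declared === undefined || !isExactVersion(declared)) continue;
    if (!satisfies(declared, comparators)) continue;
    if (replacement === `$${name}`) {
      findings.push(`${name}: '$${name}' resolves to manifest version ${declared}, which is inside '${selector}'`);
    } else {
      findings.push(`${name}: package.json pins ${declared}, inside the selector; the lockfile specifier will drift from the manifest`);
    }
  }
  return findings;
}

// Constructed sample mirroring the PR as merged: open-ended replacements and a manifest still on 3.3.1.
const SAMPLE_OVERRIDES = {
  'dompurify@>=3.1.3 <=3.3.1': '>=3.3.2',
  'serialize-javascript@<=7.0.2': '>=7.0.3',
  'svgo@=4.0.0': '>=4.0.1',
  'tar@<=7.5.9': '>=7.5.10',
};
const SAMPLE_MANIFEST = { dompurify: '3.3.1', svgo: '4.0.1' };

// Constructed corrected form: bounded to the patched major, manifest bumped out of the range.
const FIXED_OVERRIDES = {
  'dompurify@>=3.1.3 <=3.3.1': '$dompurify',
  'serialize-javascript@<=7.0.2': '>=7.0.3 <8.0.0',
  'svgo@=4.0.0': '4.0.1',
  'tar@<=7.5.9': '>=7.5.10 <8.0.0',
};
const FIXED_MANIFEST = { dompurify: '3.3.2', svgo: '4.0.1' };

for (const f of auditOverrides(SAMPLE_OVERRIDES, SAMPLE_MANIFEST)) console.log('finding:', f);
console.log('fixed config findings:', auditOverrides(FIXED_OVERRIDES, FIXED_MANIFEST).length);
```

Run with `node` to see five findings for the merged configuration (four unbounded replacements plus the dompurify manifest drift) and none for the corrected one. The `$dompurify` branch is what makes the second suggested change above safe only when package.json is bumped in the same commit: with the manifest left at 3.3.1 the checker reports that the reference itself resolves into the vulnerable range.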

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.


@Gonzo17 Gonzo17 requested a review from Flo0806 March 9, 2026 19:40
Flo0806 previously approved these changes Mar 16, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Flo0806 Flo0806 merged commit 5acde10 into main Mar 16, 2026
8 of 10 checks passed
@Flo0806 Flo0806 deleted the fix/audit branch March 16, 2026 12:14