fix: address dependency CVEs #1853
Greptile Summary

This PR addresses a batch of dependency CVEs by bumping Electron (40.7→40.9.2), drizzle-orm (0.32→0.45), vite, minimatch, posthog-js, streamdown, and several packaging peers, while removing the vulnerable

Confidence Score: 4/5

Safe to merge with low risk; no P0/P1 issues found — only two P2 observations about broad scope of auto-install-peers and the large drizzle-orm version jump. All findings are P2. The CVE remediations are targeted and well-documented. Validated through lint, typecheck, and a full test run. Score stays at 4/5 (P2s only ceiling). No files require special attention, though drizzle-orm usage in application code deserves a focused smoke-test given the large version jump.
| Filename | Overview |
|---|---|
| .npmrc | Adds auto-install-peers=false to prevent drizzle-orm's optional sqlite3 peer from pulling in the vulnerable tar@6.2.1 path; a global setting affecting all packages. |
| package.json | Bumps Electron to 40.9.2, drizzle-orm from 0.32.1 to 0.45.2 (major API jump), vite, minimatch, posthog-js, streamdown, @llamaduck/forgejo-ts, @electron/rebuild; adds explicit playwright and electron-builder-squirrel-windows devDependencies. |
| pnpm-lock.yaml | Lockfile refreshed to reflect all version bumps; tar@6.2.1 and sqlite3@5.1.7 entries removed; electron-builder-squirrel-windows aligned to 26.8.1; autoInstallPeers flipped to false. |
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pnpm install] --> B{autoInstallPeers=false}
    B -->|explicit peers only| C[better-sqlite3 resolved]
    B -->|removed from tree| D[sqlite3 at 5.1.7 dropped]
    D --> E[tar at 6.2.1 CVE removed]
    A --> F[drizzle-orm at 0.45.2]
    F --> C
    A --> G[electron at 40.9.2]
    G --> H[native rebuild target updated]
    A --> I[playwright at 1.59.1 explicit devDep]
    I --> J[vitest-browser-playwright resolved]
```
Reviews (1): Last reviewed commit: "address dependency CVEs"
| @@ -1 +1,2 @@ | |||
| node-linker=hoisted | |||
| auto-install-peers=false | |||
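Review bot: `auto-install-peers=false` on line 2 is a workspace-wide switch with nothing beside it explaining why it exists; the motivation (keeping drizzle-orm's optional `sqlite3` peer, and with it `tar@6.2.1`, out of the tree) lives only in this PR's description, so add an ini comment above the line, e.g. `# keep drizzle-orm's optional sqlite3 peer out of the tree (tar@6.2.1 CVE path)`, and mention there that peers still needed (`playwright`) are now declared explicitly in package.json, so a future maintainer does not flip it back without restoring those.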
**Global `auto-install-peers=false` may silently drop needed optional peers**

This setting applies to every package in the workspace, not only drizzle-orm. Any package whose optional peer was previously being auto-resolved (e.g. a UI library that optionally enhances behaviour when a peer is present) will now silently proceed without it. The PR compensates for the one known case (`playwright`), but future `pnpm install` runs for other packages won't warn about missing peers either. Consider documenting why this is safe for the full dependency tree, or add a targeted `peerDependencies` override instead.
All peer dependencies (playwright in this case) were added manually to the package.json
| @@ -140,7 +142,7 @@ | |||
| "cmdk": "^1.1.1", | |||
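Review bot: the drizzle-orm line this hunk changes (package.json:142 per the review thread) moves from 0.32.1 to 0.45.2 across several breaking releases, but the PR description records it only as a bump; add a sentence there stating which APIs were searched for and found unused (`db.query.*`, `.toSQL()`, raw `sql` templates, as the author's reply below says), so the migration check is visible to the next reviewer without being re-run.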
**drizzle-orm 0.32 → 0.45 spans multiple breaking releases**

The lockfile shows that old peers `@types/react` and `sqlite3` are gone from the resolved entry, and the query/relation APIs changed substantially across this range (e.g. `withReplicas`, `casing` option renames, iterator API). The test suite passing is a good signal, but drizzle schema migrations and runtime query shapes are not always fully covered by unit tests. If the app runs any raw `sql\`\`` or `.toSQL()` calls, or uses the `db.query.*` relational API, those paths deserve a focused smoke-test against the live SQLite database before merging.
I checked src/main and scripts for `db.query.*`, `.toSQL()`, etc.; none of those APIs are used. I will try to post a screenshot / video showing the local build working.

Summary

Addresses the dependency CVE report with parent/direct package upgrades and lockfile refreshes, without using pnpm overrides.

Key changes:

- `drizzle-orm`, `vite`, `@electron/rebuild`, `@llamaduck/forgejo-ts`, `posthog-js`, `minimatch`, and packaging peers.
- `sqlite3` -> `tar@6.2.1` path.
- `streamdown` on the latest v1 line while refreshing its Mermaid/lodash transitive graph.

CVEs Fixed

- electron: CVE-2026-34775, CVE-2026-34765, CVE-2026-34768, CVE-2026-34770, CVE-2026-34773, CVE-2026-34779
- protobufjs: CVE-2026-41242
- axios: CVE-2025-62718, CVE-2026-42039
- lodash/lodash-es: CVE-2026-4800
- flatted: CVE-2026-33228, CVE-2026-32141
- drizzle-orm: CVE-2026-39356
- follow-redirects: CVE-2026-40895
- @xmldom/xmldom: CVE-2026-34601, CVE-2026-41672, CVE-2026-41673, CVE-2026-41674, CVE-2026-41675
- picomatch: CVE-2026-33671
- brace-expansion: CVE-2026-33750
- tar: CVE-2026-24842, CVE-2026-26960
- rollup: CVE-2026-27606
- vite: CVE-2026-39363

Remaining / Notes

- `ejs` CVE-2023-29827 remains via `electron-builder`; the original report says no fix is published and this is dev-only.
- `uuid` CVE-2026-41907 remains via latest `mermaid`, which still depends on `uuid@11`.
- `minimatch` majors remain inside upstream Electron/ESLint packaging internals, but the vulnerable `brace-expansion` resolutions are fixed and the direct/runtime `minimatch` path is updated.
- `40.9.2`; Electron 41 failed the local `better-sqlite3` native rebuild.

Validation

- `pnpm run lint`
- `pnpm run typecheck`
- `pnpm run test` (76 files, 495 tests)
- `pnpm run rebuild` after tests to restore Electron-targeted native modules
- `pnpm run format` also completed; it still prints the existing decorator parser warning from the import-sort plugin.
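The validation above runs the project's lint, typecheck and test scripts, but none of those steps asserts the outcome the summary table claims for the lockfile itself: that `tar@6.2.1` and `sqlite3@5.1.7` no longer resolve anywhere in `pnpm-lock.yaml`. The script below is an added example, not code from this PR or the project: it reads a pnpm lockfile and reports any flagged `name@version` that is still resolved, so the check can sit in CI next to `pnpm run test`. It assumes the pnpm v9 lockfile layout, where every resolved package appears under `packages:` as a two-space-indented `name@version:` key (quoted when the name is scoped); the flagged versions are the ones the PR description names, and the sample lockfile content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or the project: verify that a pnpm
# lockfile no longer resolves the exact versions a CVE report flagged.
# Flagged versions (tar@6.2.1, sqlite3@5.1.7) come from this PR's summary;
# the lockfile content below is constructed, not the project's real file.

# lockfile_has_version LOCKFILE NAME VERSION
# Assumes the pnpm v9 layout: each resolved package is a two-space-indented
# "name@version:" key under `packages:`, quoted when the name is scoped.
# Exit status 0 when that exact version is still resolved.
lockfile_has_version() {
  lockfile=$1; name=$2; version=$3
  # Escape dots so 6.2.1 does not also match 6.2.10 or 6x2x1.
  esc=$(printf '%s' "$name@$version" | sed 's/\./\\./g')
  grep -Eq "^  '?${esc}(:|'|\()" "$lockfile"
}

# check_lockfile LOCKFILE PKG@VER [PKG@VER ...]
# Prints each flagged resolution still present; exit 0 only when none remain.
check_lockfile() {
  lockfile=$1; shift
  remaining=0
  for entry in "$@"; do
    name=${entry%@*}        # everything before the last '@' (keeps @scope/)
    version=${entry##*@}    # everything after the last '@'
    if lockfile_has_version "$lockfile" "$name" "$version"; then
      echo "STILL RESOLVED: $entry"
      remaining=$((remaining + 1))
    fi
  done
  [ "$remaining" -eq 0 ]
}

# Constructed sample in the pnpm v9 layout; tar@6.2.1 is left in on purpose
# so the check has something to report. Integrity values are placeholders.
make_sample_lockfile() {
  cat > "$1" <<'EOF'
lockfileVersion: '9.0'

settings:
  autoInstallPeers: false

packages:

  '@xmldom/xmldom@0.8.11':
    resolution: {integrity: sha512-CONSTRUCTED}

  better-sqlite3@11.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  tar@6.2.1:
    resolution: {integrity: sha512-CONSTRUCTED}

  tar@7.4.3:
    resolution: {integrity: sha512-CONSTRUCTED}
EOF
}

main() {
  tmp=$(mktemp)
  make_sample_lockfile "$tmp"
  # In CI, point this at the real pnpm-lock.yaml and the report's versions.
  if check_lockfile "$tmp" tar@6.2.1 sqlite3@5.1.7; then
    echo "lockfile clean"
  else
    echo "lockfile still resolves flagged versions"
  fi
  rm -f "$tmp"
}

main
```

Matching on the exact `name@version` key rather than on the bare package name matters here: the same tree legitimately keeps a patched `tar` release, so a check that only asked "is tar present" would either fail forever or have to be loosened until it proved nothing.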