Files
readest/pnpm-workspace.yaml
T
Huang Xin 607e646bc6 chore(deps): bump shell-quote to 1.8.4 and qs to 6.15.2 for security (#4523)
Raise the pnpm overrides so the patched transitive versions are pulled:

- shell-quote >=1.8.4 fixes GHSA-w7jw-789q-3m8p / CVE-2026-9277 (critical):
  quote() failed to escape newlines in object .op values, allowing shell
  command injection. Pulled in via cpx2.
- qs >=6.15.2 fixes GHSA-q8mj-m7cp-5q26 / CVE-2026-8723 (medium):
  qs.stringify DoS on null/undefined entries in comma-format arrays with
  encodeValuesOnly. The prior >=6.14.2 pin still allowed vulnerable 6.15.1.
  Pulled in via express, body-parser, googleapis-common.

Resolves Dependabot alerts:
- https://github.com/readest/readest/security/dependabot/237 (shell-quote)
- https://github.com/readest/readest/security/dependabot/235 (qs)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 17:19:25 +02:00

53 lines
1.2 KiB
YAML

packages:
- apps/*
- apps/readest-app/workers/send-email
- apps/readest-app/extensions/*
- packages/foliate-js
allowBuilds:
core-js: true
edgedriver: true
esbuild: true
geckodriver: true
protobufjs: true
sharp: true
workerd: true
onlyBuiltDependencies:
- sharp
patchedDependencies:
'@ai-sdk/provider-utils@3.0.25': patches/@ai-sdk__provider-utils@3.0.25.patch
'@ai-sdk/provider-utils@4.0.27': patches/@ai-sdk__provider-utils@4.0.27.patch
mdast-util-gfm-autolink-literal@2.0.1: patches/mdast-util-gfm-autolink-literal@2.0.1.patch
overrides:
glob: '>=11.1.0'
jws: '>=4.0.1'
vite: '>=7.3.2 <8'
srvx: '>=0.11.13'
rollup: '>=4.59.0'
undici: '>=7.24.0'
flatted: '>=3.4.2'
body-parser: '>=2.2.1'
dompurify: '>=3.4.0'
i18next-http-backend: '>=3.0.5'
picomatch: '>=4.0.4'
path-to-regexp: '>=8.4.0'
protobufjs: '>=7.5.5'
serialize-javascript: 7.0.5
fast-xml-parser: '>=5.7.0'
lodash: '>=4.18.0'
lodash-es: '>=4.18.0'
postcss: 8.5.14
basic-ftp: '>=5.3.0'
qs: '>=6.15.2'
shell-quote: '>=1.8.4'
'@babel/runtime': '>=7.26.10'
'@babel/helpers': '>=7.26.10'
mdast-util-gfm-autolink-literal: 2.0.1
uuid: '>=14.0.0'
ws: 8.20.1
'@emnapi/core': 1.8.1
'@emnapi/runtime': 1.8.1