Conversation

jkomyno (Contributor) commented Nov 20, 2025

This PR:

@jkomyno jkomyno added this to the 7.0.1 milestone Nov 20, 2025
Copilot AI review requested due to automatic review settings November 20, 2025 10:16
@jkomyno jkomyno changed the title from "Feat/pnpm audit" to "feat(ci): add pnpm audit --prod check" Nov 20, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR addresses security vulnerabilities by upgrading dependencies and implementing automated security checks in CI. The changes fix CVE vulnerabilities in hono, form-data, and tar-fs packages.

  • Adds pnpm overrides to enforce minimum secure versions for vulnerable packages
  • Updates hono from 4.9.4 to 4.10.6
  • Updates form-data to 4.0.5 and tar-fs to 3.1.1
  • Adds pnpm audit --prod command to CI workflow for continuous security monitoring

Reviewed Changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.

Summary per file:
  • pnpm-lock.yaml: Updates lockfile with new dependency versions and adds override declarations for security patches
  • package.json: Adds pnpm overrides section to enforce minimum versions for vulnerable dependencies
  • packages/query-plan-executor/package.json: Updates hono dependency to version 4.10.6
  • packages/cli/package.json: Updates hono dependency to version 4.10.6
  • .github/workflows/test-template.yml: Adds pnpm audit check for production dependencies to CI pipeline
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
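The review above summarizes two mechanisms: `pnpm.overrides` in package.json to force floor versions of vulnerable transitive packages, and `pnpm audit --prod` in CI to keep checking. The script below is an added example, not Prisma's code and not part of this PR: it reads the kind of JSON report that `pnpm audit --prod --json` produces, fails the gate when any advisory meets a severity threshold, derives the `>=` override floors from the advisories' patched versions, and separately reports advisories with no published fix (where an override cannot help). Assumptions: the report shape (an `advisories` map whose entries carry `module_name`, `severity`, `patched_versions` and `findings`, plus `metadata.vulnerabilities` counts) follows pnpm's audit report; the sample report is constructed, using the package names and patched versions from this PR but placeholder advisory ids, CVE ids, dependency paths and the `placeholder-unfixed-pkg` module.

```javascript
// Added example, not Prisma's code: a CI gate over `pnpm audit --prod --json` output.
// Assumed report shape: advisories keyed by id with module_name, severity,
// vulnerable_versions, patched_versions, findings; metadata.vulnerabilities counts.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above `minSeverity`, most severe first.
function failingAdvisories(report, minSeverity = 'moderate') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity level: ${minSeverity}`);
  return Object.values(report.advisories ?? {})
    .filter((a) => (SEVERITY_RANK[a.severity] ?? 0) >= threshold)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Numeric dotted-version comparison, enough for the ">=x.y.z" floors used in overrides.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Derive `pnpm.overrides` entries (">=<patched>") from the advisories. The highest floor
// wins when several advisories hit one package. An advisory whose patched_versions has
// no ">=" floor (no fix published) cannot be solved by an override and is listed apart.
function overridesFor(advisories) {
  const overrides = {};
  const unfixable = [];
  for (const a of advisories) {
    const floor = />=\s*(\d+(?:\.\d+)*)/.exec(a.patched_versions ?? '')?.[1];
    if (!floor) { unfixable.push(a.module_name); continue; }
    const current = overrides[a.module_name];
    if (!current || compareVersions(floor, current.slice(2)) > 0) {
      overrides[a.module_name] = `>=${floor}`;
    }
  }
  return { overrides, unfixable };
}

// Full gate result: ok flag, per-severity counts, failing advisories with their
// dependency paths, suggested overrides, and packages that have no fix yet.
function auditGate(report, minSeverity = 'moderate') {
  const failing = failingAdvisories(report, minSeverity);
  const { overrides, unfixable } = overridesFor(failing);
  return {
    ok: failing.length === 0,
    counts: report.metadata?.vulnerabilities ?? {},
    failing: failing.map((a) => ({
      module: a.module_name,
      severity: a.severity,
      patched: a.patched_versions,
      paths: a.findings?.flatMap((f) => f.paths) ?? [],
    })),
    overrides,
    unfixable,
  };
}

// Constructed sample report: package names and patched versions come from the PR;
// advisory ids, CVE ids, dependency paths and `placeholder-unfixed-pkg` are placeholders.
const SAMPLE_REPORT = {
  advisories: {
    1001: { id: 1001, module_name: 'hono', severity: 'high', cves: ['CVE-PLACEHOLDER-1'],
            vulnerable_versions: '<4.10.6', patched_versions: '>=4.10.6',
            findings: [{ version: '4.9.4', paths: ['placeholder-app>hono'] }] },
    1002: { id: 1002, module_name: 'form-data', severity: 'critical', cves: [],
            vulnerable_versions: '<4.0.5', patched_versions: '>=4.0.5',
            findings: [{ version: '4.0.0', paths: ['placeholder-app>placeholder-http-lib>form-data'] }] },
    1003: { id: 1003, module_name: 'tar-fs', severity: 'low', cves: [],
            vulnerable_versions: '<3.1.1', patched_versions: '>=3.1.1',
            findings: [{ version: '3.0.9', paths: ['placeholder-app>tar-fs'] }] },
    1004: { id: 1004, module_name: 'placeholder-unfixed-pkg', severity: 'moderate', cves: [],
            vulnerable_versions: '*', patched_versions: '<0.0.0',
            findings: [{ version: '1.0.0', paths: ['placeholder-app>placeholder-unfixed-pkg'] }] },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 1 },
    dependencies: 4, devDependencies: 0, optionalDependencies: 0, totalDependencies: 4,
  },
};

// Human-readable summary for the CI log.
function summarize(result) {
  const lines = [`audit gate: ${result.ok ? 'PASS' : 'FAIL'}`];
  for (const f of result.failing) {
    lines.push(`  ${f.severity.padEnd(8)} ${f.module} (fixed in ${f.patched}) via ${f.paths.join(', ')}`);
  }
  if (Object.keys(result.overrides).length > 0) {
    lines.push(`  suggested "pnpm": { "overrides": ${JSON.stringify(result.overrides)} }`);
  }
  for (const m of result.unfixable) lines.push(`  ${m}: no patched version published; an override cannot fix it`);
  return lines.join('\n');
}

// In CI: `pnpm audit --prod --json > audit.json`, parse that file instead of the
// sample, and set `process.exitCode = result.ok ? 0 : 1`. Here the sample is evaluated.
console.log(summarize(auditGate(SAMPLE_REPORT, 'moderate')));
```

The `--prod` flag matters because devDependency advisories rarely reach the shipped artifact, so gating on them only produces noise; the threshold argument plays the same role as `pnpm audit --audit-level`. The derived overrides are the same kind of entries `pnpm audit --fix` writes into package.json; the script's extra value is the `unfixable` list, which an override can never satisfy and which needs a replacement or a risk decision instead.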


github-actions bot (Contributor) commented Nov 20, 2025

size-limit report 📦

Path Size
packages/client/runtime/index-browser.js 2.23 KB (0%)
packages/client/runtime/index-browser.d.ts 3.28 KB (0%)
packages/cli/build/index.js 2.51 MB (-0.76% 🔽)
packages/client/prisma-client-0.0.0.tgz 10.22 MB (+0.01% 🔺)
packages/cli/prisma-0.0.0.tgz 6.71 MB (-0.07% 🔽)
packages/bundle-size/da-workers-libsql/output.tgz 804.7 KB (0%)
packages/bundle-size/da-workers-neon/output.tgz 859.16 KB (0%)
packages/bundle-size/da-workers-pg/output.tgz 852.02 KB (0%)
packages/bundle-size/da-workers-planetscale/output.tgz 803.84 KB (0%)
packages/bundle-size/da-workers-d1/output.tgz 787.59 KB (0%)

jacek-prisma previously approved these changes Nov 20, 2025
@jkomyno jkomyno merged commit 92609ce into main Nov 20, 2025
180 checks passed
@jkomyno jkomyno deleted the feat/pnpm-audit branch November 20, 2025 15:38
jkomyno added a commit that referenced this pull request Nov 25, 2025
This PR:
- fixes #28568 (tracked in
[TML-1608](https://linear.app/prisma-company/issue/TML-1608/upgrade-hono-audit-dependencies-in-ci))
- adds `pnpm audit --prod`
- fixes vulnerable deps by updating to newer versions

---------

Co-authored-by: jkomyno <[email protected]>
jkomyno added a commit that referenced this pull request Nov 25, 2025
This PR:
- fixes #28568 (tracked in
[TML-1608](https://linear.app/prisma-company/issue/TML-1608/upgrade-hono-audit-dependencies-in-ci))
- adds `pnpm audit --prod`
- fixes vulnerable deps by updating to newer versions

---------

Co-authored-by: jkomyno <[email protected]>

Labels: None yet

Projects: None yet

Development: successfully merging this pull request may close these issues.
  • Security vulnerability in the Hono dependency

2 participants