thiagoelg commented on code in PR #3562: URL: https://github.com/apache/incubator-kie-tools/pull/3562#discussion_r3201871497
########## pnpm-workspace.yaml: ##########

@@ -25,3 +25,8 @@ overrides: # CVE-2026-1526, CVE-2026-2229, CVE-2026-1528, CVE-2026-1527, CVE-2026-1525, CVE-2026-2203: Fix security vulnerability in undici # Waiting for @openapi-contrib/openapi-schema-to-json-schema to release patched version "undici": "^6.24.0" + # CVE-2026-33532: Fix security vulnerability in yaml + # Override cosmiconfig>[email protected] with patched version 1.10.3 + "cosmiconfig>yaml": "1.10.3" + # Override yaml@^2 (including yaml-language-server [email protected]) used by helm charts, monaco-yaml, vite, and langchain dependencies with patched version 2.8.3 + "yaml@^2": "^2.8.3"

Review Comment:

These comments do not follow the [guidelines](https://github.com/apache/incubator-kie-tools/blob/main/repo/DEPENDENCY_MANAGEMENT.md).

---

- `cosmiconfig` is the dependency of what modules? Can these modules be updated? Also, if you check the lockfile, it's already using version `1.10.3`, so this override is not needed.
- All `yaml` entries in the lockfile for version 2+ are already using `^2.8.3`; this override is also not needed.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
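Review bot: The two new overrides in the `overrides:` hunk are pinned inconsistently: `"cosmiconfig>yaml": "1.10.3"` is an exact pin while `"yaml@^2": "^2.8.3"` is a caret range, yet both exist for the same reason (stay on or above the release that fixes CVE-2026-33532). Either give both a range so later patch releases are picked up without another edit, or add a comment explaining why the 1.x line must stay exact. The comment `# Override cosmiconfig>[email protected] with patched version 1.10.3` also appears to have lost the vulnerable version it is overriding (the `[email protected]` fragment reads as a rendering artifact); spell out the affected version range and which workspace package pulls `cosmiconfig` in, in the same shape as the existing `undici` entry, which lists the CVEs and names the upstream package being waited on. Finally, since an override only takes effect once `pnpm install` has rewritten `pnpm-lock.yaml`, confirm the lockfile diff in this PR actually records the new `overrides` entries before merging.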
