Skip to content

fix(repo): patch vulnerable transitive dependencies flagged by Dependabot#8856

Open
jacekradko wants to merge 1 commit into
mainfrom
jacek/dependabot-transitive-overrides
Open

fix(repo): patch vulnerable transitive dependencies flagged by Dependabot#8856
jacekradko wants to merge 1 commit into
mainfrom
jacek/dependabot-transitive-overrides

Conversation

@jacekradko

@jacekradko jacekradko commented Jun 13, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Member

Most of the open Dependabot alerts on this repo trace to dev tooling, build toolchains, or lazily-loaded web3 wallet transitives that never reach customer runtime. This clears the ones worth clearing with range-scoped pnpm.overrides plus a few dev-tooling bumps.

The only change that touches a published artifact is preact 10.27.2 → 10.27.3 inside clerk-js's lazily-loaded Coinbase wallet chunk, which is why the clerk-js patch changeset is here. The happy-dom 18 → 20 bump in @clerk/headless is the other thing worth a glance; its tests stay green (403 passing).

esbuild and webpack are deliberately left out: esbuild's patch is still inside the 3-day release-age window, and a webpack bump drags its entire @webassemblyjs tree for a low-severity, build-only advisory. Both can ride the normal Renovate flow. Lockfile was regenerated with pnpm dedupe.

Summary by CodeRabbit

  • Chores
    • Updated development dependencies including test framework (vitest), coverage tools, and test environment (happy-dom)
    • Upgraded react-router to the latest available version
    • Updated preact bundled version for Coinbase Wallet integration support
    • Expanded pnpm dependency version overrides and constraints across multiple packages

@jacekradko
fix(repo): patch vulnerable transitive dependencies flagged by Depend…
ff82a6a 
…abot

Range-scoped pnpm.overrides for transitive advisories that don't reach
customer runtime (axios, jws, tmp, minimatch, picomatch, svgo, fast-uri,
ip-address, flatted, follow-redirects, smol-toml, socket.io-parser,
@babel/plugin-transform-modules-systemjs), the one shipped fix (preact
10.27.3 in clerk-js's lazy Coinbase wallet chunk), and dev-tooling bumps
(vitest 3.2.6/4.1.6, happy-dom 20, react-router 7.15.0).
@changeset-bot

changeset-bot Bot commented Jun 13, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: ff82a6a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@clerk/clerk-js Patch
@clerk/chrome-extension Patch
@clerk/expo Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel

vercel Bot commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
clerk-js-sandbox Ready Ready Preview, Comment Jun 13, 2026 2:11pm
swingset Ready Ready Preview, Comment Jun 13, 2026 2:11pm

Request Review

@coderabbitai

coderabbitai Bot commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: b4222c80-c982-4c21-9606-9dda68ccc17f

📥 Commits

Reviewing files that changed from the base of the PR and between d46f262 and ff82a6a.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • .changeset/clerk-js-coinbase-preact-patch.md
  • package.json
  • packages/headless/package.json
  • packages/react-router/package.json
📝 Walkthrough

Walkthrough

This PR updates dependency versions and pnpm override constraints across the Clerk JavaScript monorepo. A patch release for @clerk/clerk-js documents the preact version bundled in the Coinbase Wallet web3 chunk being updated to 10.27.3. Root dev dependencies and workspace-enforced version constraints are bumped, and individual workspace packages receive targeted dev dependency updates.

Changes

Dependency and version constraint updates

Layer / File(s) Summary
Preact bundling changelog
.changeset/clerk-js-coinbase-preact-patch.md		 Changesets entry declares a patch release for @clerk/clerk-js noting that the Coinbase Wallet web3 chunk's bundled preact version was updated to 10.27.3.
Root package dependency and constraint updates
package.json		 Root devDependencies bumps @vitest/coverage-v8 and vitest from 3.2.4 to 3.2.6. pnpm.overrides is extended with version constraints for @babel/plugin-transform-modules-systemjs, axios, fast-uri, flatted, follow-redirects, ip-address, jws, minimatch, picomatch, preact, semver, smol-toml, socket.io-parser, svgo, and tmp.
Workspace package dev dependency updates
packages/headless/package.json, packages/react-router/package.json		 happy-dom bumped from ^18.0.1 to ^20.8.9 and vitest bumped from 4.1.4 to 4.1.6 in headless. react-router bumped from 7.14.2 to 7.15.0 in react-router.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

clerk-js

Suggested reviewers

  • dstaley
  • wobsoriano

Poem

🐰 Preact hops to ten-point-three,
vitest patches flow so free,
Dependencies align with care,
Happy-dom climbs high in air,
React-router takes the lead—updates complete!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically describes the main change: patching vulnerable transitive dependencies flagged by Dependabot.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@pkg-pr-new

pkg-pr-new Bot commented Jun 13, 2026

Copy link
Copy Markdown

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8856

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8856

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8856

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8856

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8856

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8856

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8856

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8856

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8856

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8856

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8856

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8856

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8856

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8856

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8856

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8856

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8856

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8856

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8856

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8856

commit: ff82a6a

@github-actions

github-actions Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

API Changes Report

Generated by Break Check on 2026-06-13T14:12:42.638Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 1
🔴 Breaking changes 1
🟡 Non-breaking changes 0
🟢 Additions 0

Warning
1 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

🔴 Breaking changes index (1)

Every breaking change, up front. Full diffs are in the package sections below.

Package Subpath Change
@clerk/shared ./types HeadlessBrowserClerk.load

@clerk/shared

Current version: 4.17.1
Recommended bump: MAJOR → 5.0.0

Subpath ./types

🔴 Breaking Changes (1)

Changed: HeadlessBrowserClerk.load
- load: (opts?: ClerkOptions) => Promise<void>;
+ load: (opts?: Without<ClerkOptions, 'isSatellite'>) => Promise<void>;

Static analyzer: Breaking change in property HeadlessBrowserClerk.load: Type changed: (opts?:import("@clerk/shared").ClerkOptions)=>!Promise:interface<void>(opts?:import("@clerk/shared").Without<import("@clerk/shared").ClerkOptions,'isSatellite'>)=>!Promise:interface<void>

🤖 AI review (confirmed) (85%): The parameter type narrowed from ClerkOptions to Without<ClerkOptions, 'isSatellite'>, meaning callers who pass { isSatellite: true, ... } to HeadlessBrowserClerk.load will now get a type error since isSatellite is excluded from the accepted type.

Migration: Remove any isSatellite property from the options object passed to HeadlessBrowserClerk.load, or cast the argument if you need to preserve the value.

Report generated by Break Check

Last ran on ff82a6a.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wobsoriano wobsoriano wobsoriano approved these changes

Assignees

No one assigned

Labels

react-router

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacekradko @wobsoriano