
fix: prevent vulnerable peer dependencies#2195

Merged
thisisnithin merged 3 commits into main from nithin/preven-vulterable-peer-deps
Sep 9, 2025

Conversation

@thisisnithin
Member

@thisisnithin thisisnithin commented Sep 9, 2025

Summary by CodeRabbit

  • Chores
    • Tightened transitive dependency versions to ensure more predictable, stable builds.
    • Maintains existing behavior with no changes to the app’s features or public interfaces.
    • Improves overall compatibility across environments by standardizing dependency resolutions.
    • Reduces risk of regressions from unexpected upstream updates.

Checklist

@coderabbitai
Contributor

coderabbitai Bot commented Sep 9, 2025

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Added pnpm.overrides in package.json to constrain multiple transitive dependencies to specific upper-bound versions; retained existing zod override at 3.24.2. No changes to patchedDependencies beyond existing GraphQL patch. No direct dependency or public API changes.

Changes

Cohort / File(s) | Summary of changes
Dependency overrides (package.json) | Added pnpm.overrides with upper-bound constraints for: chalk (<5.6.1), debug (<4.4.2), ansi-styles (<6.2.2), strip-ansi (<7.1.1), supports-color (<10.2.1), ansi-regex (<6.2.1), wrap-ansi (<9.0.1), color-convert (<3.1.1), color-name (<2.0.1), is-arrayish (<0.3.3), slice-ansi (<7.1.1), color (<5.0.1), color-string (<2.1.1), simple-swizzle (<0.2.3), supports-hyperlinks (<4.1.1), has-ansi (<6.0.1), chalk-template (<1.1.1), backslash (<0.2.1). Existing zod override remains at 3.24.2. No other config changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks (1 passed, 1 warning, 1 inconclusive)

❌ Failed checks (1 warning, 1 inconclusive)
Check name | Status | Explanation | Resolution
Description Check | ⚠️ Warning | The current description contains only a generic contributor template and placeholder text without any details about the changes made to package.json or the pnpm overrides block. It fails to summarize the introduced dependency overrides, version constraints, or the security rationale. As a result, it is completely unrelated to the actual changeset. | Please update the description to include a concise summary of the actual changes, such as the added pnpm.overrides entries, the specific versions being constrained, and the security issues being addressed, so maintainers can immediately grasp the intent and scope of the patch.
Title Check | ❓ Inconclusive | The title "fix: prevent vulnerable peer dependencies" relates broadly to addressing dependency vulnerabilities but does not specifically capture the introduction of pnpm overrides for transitive dependencies. It also incorrectly refers to peer dependencies rather than the transitive overrides being implemented. This makes the title vague and only partially representative of the primary changeset. | Consider renaming the title to something more precise like "chore(deps): pin transitive dependencies via pnpm.overrides to mitigate vulnerabilities" so it clearly reflects the core changeset and improves clarity in the repository history.
✅ Passed checks (1 passed)
Check name | Status | Explanation
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented Sep 9, 2025

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-4afa468d663fd47d75077c7cf09123587a842cf5

@github-actions

github-actions Bot commented Sep 9, 2025

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-0f9d433a2e75864b33c41f1e9b55d5195330d6c0-nonroot

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (2)
package.json (2)

73-91: Reduce blast radius by scoping overrides.

Scope to specific parents when possible (e.g., "chalk>ansi-regex": "6.0.1") to avoid unintended downgrades elsewhere in the tree and to ease future upgrades. pnpm supports path selectors in overrides. (dimava.github.io)

Example:

-      "ansi-regex@<6.0.1": ">=6.0.1",
+      "chalk>ansi-regex@<6.0.1": ">=6.0.1",
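Review bot: the suggested key `chalk>ansi-regex@<6.0.1` with target `>=6.0.1` (and the `ansi-regex@<6.0.1` key on the `-` line) does not match the constraint this PR actually adds: the walkthrough lists ansi-regex as `<6.2.1`, and a `>=6.0.1` target would still let the resolver pick 6.2.1, the version the upper bound exists to exclude. If the override is scoped to a parent, keep the PR's bound in the value, e.g. `"chalk>ansi-regex": "<6.2.1"`, so that scoping does not silently loosen the constraint.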

73-91: Prefer exact pins for determinism in CI.

Open ranges (>= / <) can churn when a new patch publishes; pin exact known-safe versions after auditing to keep reproducible installs, then bump deliberately. pnpm allows exact versions in overrides. (cuyl.github.io, mrfoxpro.github.io)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a52c215 and 3c32e69.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)
  • GitHub Check: Analyze (go)
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: build_push_image
  • GitHub Check: build_push_image (nonroot)
  • GitHub Check: build_test
  • GitHub Check: integration_test (./. ./fuzzquery ./lifecycle ./modules)
  • GitHub Check: image_scan
  • GitHub Check: integration_test (./telemetry)
  • GitHub Check: integration_test (./events)
  • GitHub Check: image_scan (nonroot)
🔇 Additional comments (3)
package.json (3)

73-91: Clarify intent: overrides don’t change peerDependency ranges.

If the goal is “prevent vulnerable peer dependencies,” note that overrides affect resolved versions but do not modify peer ranges or peer warnings; for peers you’ll need packageExtensions (to tighten/widen peer ranges) or to surface safe versions as direct deps. Otherwise this might not achieve the stated goal. (github.com, pnpm.io)

I can propose targeted packageExtensions once you point out which peers must be constrained.


73-73: zod override unchanged — OK.

Keeping zod pinned at 3.24.2 is fine; just ensure consumers don’t require a conflicting peer range. No action required.


73-91: Provide resolved versions for flagged packages
Audit still reports multiple vulnerabilities; please include the output of

pnpm why ansi-regex strip-ansi wrap-ansi debug chalk supports-color
pnpm list ansi-regex strip-ansi wrap-ansi debug chalk supports-color

to confirm the actual versions installed and that your constraints are correct.
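The review above asks for `pnpm why` / `pnpm list` output to confirm the resolved versions. A complementary check that reads the committed lockfile without installing anything, added here as an example (it is not part of the cosmo repository or this PR): it takes the `pnpm.overrides` map from package.json, walks the `packages:` section of pnpm-lock.yaml, and reports every resolved version that falls outside its override range, plus overrides that match nothing in the tree. Assumptions: override keys are bare package names (selector keys such as `chalk>ansi-regex` or `name@range` are listed as unchecked rather than interpreted), values are comparator sets such as `<5.6.1` or an exact version, and lockfile entries are keyed `name@version` as in lockfileVersion 9 (the v6 `/name@version` form and peer suffixes in parentheses are normalised). The package.json fragment and lockfile excerpt in the block are constructed sample input; the bounds in it are the ones the walkthrough lists.

```javascript
// Added example, not project code: check pnpm-lock.yaml against pnpm.overrides.
// Constructed package.json fragment (upper bounds taken from the PR walkthrough).
const PACKAGE_JSON = {
  pnpm: {
    overrides: {
      chalk: '<5.6.1',
      debug: '<4.4.2',
      'ansi-regex': '<6.2.1',
      'strip-ansi': '<7.1.1',
      zod: '3.24.2',
    },
  },
};

// Constructed lockfile excerpt: one violating entry (ansi-regex@6.2.1), a
// peer-suffixed key, a quoted scoped key, and a trailing snapshots section.
const LOCKFILE = `
lockfileVersion: '9.0'

packages:

  ansi-regex@5.0.1:
    resolution: {integrity: sha512-sample1}
  ansi-regex@6.2.1:
    resolution: {integrity: sha512-sample2}
  chalk@4.1.2:
    resolution: {integrity: sha512-sample3}
  debug@4.4.1(supports-color@8.1.1):
    resolution: {integrity: sha512-sample4}
  zod@3.24.2:
    resolution: {integrity: sha512-sample5}
  '@types/node@20.11.0':
    resolution: {integrity: sha512-sample6}

snapshots:

  debug@4.4.1(supports-color@8.1.1):
    dependencies:
      ms: 2.1.3
`;

// Numeric major.minor.patch only; prerelease/build tags are dropped (a simplification).
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`unsupported version: ${v}`);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i += 1) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

const OPS = { '>=': (c) => c >= 0, '<=': (c) => c <= 0, '>': (c) => c > 0, '<': (c) => c < 0, '=': (c) => c === 0, '': (c) => c === 0 };

// Every whitespace-separated comparator must hold; "||", "^" and "~" are deliberately unsupported.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comparator) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
    return OPS[m[1] || ''](compareVersions(version, m[2]));
  });
}

// Two-space-indented keys under `packages:` are package entries; fields are indented deeper.
function parseLockfilePackages(text) {
  const pkgs = [];
  let inPackages = false;
  for (const line of text.split('\n')) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (!inPackages) continue;
    if (/^\S/.test(line)) { inPackages = false; continue; } // next top-level section
    const m = /^  (\S+):\s*$/.exec(line);
    if (!m) continue;
    let key = m[1].replace(/^['"]|['"]$/g, '');
    if (key.startsWith('/')) key = key.slice(1); // lockfileVersion 6 style
    key = key.replace(/\(.*$/, ''); // drop peer-dependency suffix
    const at = key.lastIndexOf('@'); // scoped names keep their leading "@"
    if (at <= 0) continue;
    pkgs.push({ name: key.slice(0, at), version: key.slice(at + 1) });
  }
  return pkgs;
}

function checkOverrides(lockfileText, overrides) {
  const plain = {};
  const unsupported = [];
  for (const [key, range] of Object.entries(overrides)) {
    // A ">" or a second "@" marks a selector key this script does not interpret.
    if (key.includes('>') || key.indexOf('@', 1) !== -1) unsupported.push(key);
    else plain[key] = range;
  }
  const violations = [];
  const seen = new Set();
  for (const { name, version } of parseLockfilePackages(lockfileText)) {
    const range = plain[name];
    if (range === undefined) continue;
    seen.add(name);
    if (!satisfies(version, range)) violations.push({ name, version, range });
  }
  return { violations, unused: Object.keys(plain).filter((n) => !seen.has(n)), unsupported };
}

function report(result) {
  for (const v of result.violations) console.log(`VIOLATION ${v.name}@${v.version} is outside override ${v.range}`);
  for (const n of result.unused) console.log(`note: override for ${n} matched nothing in the lockfile`);
  for (const k of result.unsupported) console.log(`note: selector override ${k} was not checked`);
  return result.violations.length === 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  // No arguments: check the constructed sample. With paths: node check-overrides.js package.json pnpm-lock.yaml
  const [pkgPath, lockPath] = process.argv.slice(2);
  let overrides = PACKAGE_JSON.pnpm.overrides;
  let lock = LOCKFILE;
  if (pkgPath && lockPath) {
    const fs = require('node:fs');
    overrides = (JSON.parse(fs.readFileSync(pkgPath, 'utf8')).pnpm || {}).overrides || {};
    lock = fs.readFileSync(lockPath, 'utf8');
  }
  if (!report(checkOverrides(lock, overrides)) && pkgPath) process.exitCode = 1;
}
```

On the sample input the script flags ansi-regex@6.2.1 against `<6.2.1` and notes that the strip-ansi override matched nothing, which is the kind of confirmation the review is asking for; `unused` entries are harmless but show the override is not protecting anything in the current tree, and `unsupported` entries still need the `pnpm why` check by hand.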

@thisisnithin thisisnithin merged commit 698e9f1 into main Sep 9, 2025
46 checks passed
@thisisnithin thisisnithin deleted the nithin/preven-vulterable-peer-deps branch September 9, 2025 08:58
@Noroth Noroth mentioned this pull request Sep 30, 2025
@coderabbitai coderabbitai Bot mentioned this pull request Dec 4, 2025
@coderabbitai coderabbitai Bot mentioned this pull request Feb 6, 2026
This was referenced Feb 23, 2026