[PR #290] [MERGED] chore: prune npm overrides that are no longer load-bearing #2922

Closed
opened 2026-05-17 19:23:38 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/290
Author: @arunavo4
Created: 5/16/2026
Status: Merged
Merged: 5/16/2026
Merged by: @arunavo4

Base: main ← Head: chore/audit-npm-overrides


📝 Commits (1)

  • 6c7b617 chore: prune npm overrides that are no longer load-bearing

📊 Changes

2 files changed (+1 additions, -11 deletions)

View changed files

📝 bun.lock (+0 -5)
📝 package.json (+1 -6)

📄 Description

Summary

Follow-up to #289. Audited every entry in package.json overrides to see which still affect the dep tree, and removed 5 that don't.

Method

For each candidate override I:

  1. Captured the resolved version (and any duplicate copies) with the override in place: bun pm ls --all | grep <pkg>
  2. Removed the override, re-ran bun install
  3. Re-captured the tree
  4. Removed the override only if the resolved version and tree shape were identical

Removed (5)

| Override | Old constraint | Resolved with override | Resolved without override | Verdict |
|---|---|---|---|---|
| defu | ^6.1.7 | 6.1.7 | 6.1.7 | redundant |
| fast-xml-parser | ^5.5.6 | 5.5.6 | 5.5.6 | redundant |
| node-forge | ^1.3.3 | not in tree | not in tree | dead — package isn't a transitive of anything we depend on |
| rollup | >=4.59.0 | 4.59.0 | 4.59.0 | redundant |
| svgo | ^4.0.1 | 4.0.1 | 4.0.1 | redundant |

Kept

  • @esbuild-kit/esm-loader → npm:tsx@^4.21.0 — deliberate replacement shim, not a pin
  • @xmldom/xmldom, devalue, fast-uri, fast-xml-builder, kysely — active CVE pins just landed in #289
  • lodash ^4.18.1 — load-bearing; pins the newer 4.18.x line over legacy 4.17.x that several transitives still ask for
  • picomatch ^4.0.4 — load-bearing; without it, picomatch@2.3.2 reappears as a duplicate copy via a transitive that asks for 2.x

Safety net

Future drift (a transitive bump asking for a lower or vulnerable version) is caught by:

  • Dependabot alerts on the default branch
  • Weekly Docker Scout scan (cron 0 0 * * 0)
  • CodeQL on every push

If any of those flag a regression on one of the removed overrides, restoring it is one line.

Test plan

  • [x] bun install — lockfile in sync, no changes after removal
  • [x] bun pm ls --all — verified resolved versions identical to pre-removal baseline
  • [x] bun test — 243 pass, 4 skip, 0 fail
  • [x] bunx --bun astro build — completes cleanly
  • [ ] CI re-runs the same checks

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
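The before/after comparison from the Method section, as an added example that is not part of gitea-mirror or this PR: a small Python classifier that takes the `bun pm ls --all` capture taken with and without each override and produces the Verdict column (redundant, dead, load-bearing, or a kept alias shim). The listing format (one `name@version` per installed copy behind tree-drawing characters) and the sample lines are assumptions and constructed, not real project output.

```python
"""Classify package.json overrides from before/after dependency-tree captures.

Added example, not gitea-mirror code. Assumes `bun pm ls --all` prints one
`name@version` per installed copy, prefixed by tree-drawing characters.
"""
import json
import re
from collections import Counter

# Matches a spec such as defu@6.1.7 or @xmldom/xmldom@0.9.8 anywhere on a line.
SPEC = re.compile(r"(?<![\w@/.-])(@?[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)?)@(\d[^\s]*)")


def resolved_copies(tree_output: str, pkg: str) -> Counter:
    """Count every resolved copy of `pkg` (duplicates included) in a listing."""
    copies: Counter = Counter()
    for line in tree_output.splitlines():
        for name, version in SPEC.findall(line):
            if name == pkg:
                copies[version] += 1
    return copies


def classify(pkg: str, constraint: str, with_override: str, without_override: str) -> str:
    """Alias shims are kept unconditionally; a package absent from both trees is a
    dead override; identical trees mean the pin is redundant; anything else
    (different version or an extra duplicate copy) means the pin is load-bearing."""
    if constraint.startswith("npm:"):
        return "alias shim (keep)"
    before = resolved_copies(with_override, pkg)
    after = resolved_copies(without_override, pkg)
    if not before and not after:
        return "dead"
    if before == after:
        return "redundant"
    return "load-bearing"


def audit(package_json: str, trees: dict) -> dict:
    """`trees` maps package name -> (listing with override, listing without)."""
    overrides = json.loads(package_json).get("overrides", {})
    return {pkg: classify(pkg, spec, *trees.get(pkg, ("", ""))) for pkg, spec in overrides.items()}


# Constructed sample data mirroring the PR's cases (not captured from the real tree).
PKG_JSON = ('{"overrides": {"defu": "^6.1.7", "node-forge": "^1.3.3", '
            '"picomatch": "^4.0.4", "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0"}}')
TREES = {
    "defu": ("├── defu@6.1.7\n", "├── defu@6.1.7\n"),
    # Without the override a second, older copy reappears under a transitive.
    "picomatch": ("├── picomatch@4.0.4\n", "├── picomatch@4.0.4\n│   └── picomatch@2.3.2\n"),
}

if __name__ == "__main__":
    for pkg, verdict in audit(PKG_JSON, TREES).items():
        print(f"{pkg}: {verdict}")
```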

GiteaMirror added the pull-request label 2026-05-17 19:23:38 -05:00
Reference: github-starred/gitea-mirror#2922