Conversation

@devin-ai-integration
Contributor

Description

Adds pnpm overrides to force patched versions of 8 transitive dependencies flagged by Dependabot with high-severity vulnerabilities. No application or library code is changed — only the root package.json overrides and the regenerated pnpm-lock.yaml.

Dependabot alerts resolved:

| Alert | Package | Vulnerability | Patched Version |
| --- | --- | --- | --- |
| #434 | @isaacs/brace-expansion | Uncontrolled Resource Consumption | 5.0.1 |
| #411, #414, #417 | tar (v6 & v7) | Path traversal / symlink poisoning | 6.2.1 / 7.5.7 |
| #410 | h3 | Request Smuggling | 1.15.5 |
| #405 | @remix-run/router | XSS via Open Redirects | 1.23.2 |
| #403 | @remix-run/react | SSR XSS in ScrollRestoration | 2.17.3 |
| #402 | preact | JSON VNode Injection | 10.28.2 |
| #401 | qs | arrayLimit bypass DoS | 6.14.1 |

Reviewer checklist:

  • All existing overrides are preserved (no removals)
  • @remix-run/react 2.17.3 override pins the version in apps/auth/remix-ssr — verify this is acceptable (was ^2.16.8, now resolved to 2.17.3 which is a patch bump within range)
  • h3 bump introduced [email protected] as a new transitive dep alongside existing 1.6.1 — expected, since h3 1.15.5 depends on newer ufo
  • No files modified in packages/ or apps/ directories

Link to Devin run: https://crossmint.devinenterprise.com/sessions/eed33987ea7f43dc85f54b2f37edee1b
Requested by: unknown ()

Test plan

No published packages are changed — only root-level pnpm overrides and the lockfile. Validation:

  • CI build (pnpm build) confirms no compilation breakage from forced dependency versions
  • pnpm lint passes locally with no errors
  • pnpm install completed successfully with the new overrides applied to the lockfile

Package updates

No changesets needed — no published packages are modified. Only transitive dependency versions are overridden at the workspace root level.
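As an added example (not code from this PR or from the crossmint-sdk repository), the script below checks a pnpm `overrides` map against the alert table above: every alerted package must be forced to an exact version at or above its patched release, selector keys such as `tar@6` must actually apply to the alerted major, and parent-scoped keys (`expo-demo>react`) must not count as global coverage. The alert list is copied from the table; the override map reproduces the four entries visible in the prompt and fills in the remaining ones from the table's patched versions, so the complete map is an assumption about the final package.json rather than the merged file. Function names and the status labels are my own.

```javascript
// Added example, not code from the PR or the crossmint-sdk repository.
// Checks that a pnpm "overrides" map forces every Dependabot-alerted package
// to at least the patched release. No third-party packages are used.

// Alert rows copied from the PR description's table.
const ALERTS = [
  { alert: "#434", pkg: "@isaacs/brace-expansion", patched: "5.0.1" },
  { alert: "#411/#414/#417", pkg: "tar", patched: "6.2.1" },
  { alert: "#411/#414/#417", pkg: "tar", patched: "7.5.7" },
  { alert: "#410", pkg: "h3", patched: "1.15.5" },
  { alert: "#405", pkg: "@remix-run/router", patched: "1.23.2" },
  { alert: "#403", pkg: "@remix-run/react", patched: "2.17.3" },
  { alert: "#402", pkg: "preact", patched: "10.28.2" },
  { alert: "#401", pkg: "qs", patched: "6.14.1" },
];

// The first four keys are the ones visible in the prompt; the rest are
// constructed from the table's patched versions (an assumption, not the diff).
const OVERRIDES = {
  "@isaacs/brace-expansion": "5.0.1",
  "tar@6": "6.2.1",
  "tar@7": "7.5.7",
  "h3": "1.15.5",
  "@remix-run/router": "1.23.2",
  "@remix-run/react": "2.17.3",
  "preact": "10.28.2",
  "qs": "6.14.1",
  // Parent-scoped override of the kind already in the repo's map: it only
  // affects expo-demo's subtree, so it must never count as global coverage.
  "expo-demo>react": "19.1.1",
};

// Exact x.y.z (optional leading "v"). Ranges such as "^1.2.3" are rejected on
// purpose: a security override is only a guarantee when it pins.
const EXACT = /^v?(\d+)\.(\d+)\.(\d+)$/;

function parseExact(version) {
  const m = EXACT.exec(version.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Comparator (-1, 0, 1) over two exact versions.
function compareVersions(a, b) {
  const pa = parseExact(a);
  const pb = parseExact(b);
  if (!pa || !pb) throw new Error(`not an exact x.y.z version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Splits an override key into its parts:
//   "tar@6"                   -> { name: "tar", selector: "6", parent: null }
//   "@isaacs/brace-expansion" -> scoped name, no selector
//   "expo-demo>react"         -> name "react", parent "expo-demo"
function parseOverrideKey(key) {
  const parts = key.split(">");
  const target = parts[parts.length - 1];
  const parent = parts.length > 1 ? parts.slice(0, -1).join(">") : null;
  const at = target.indexOf("@", 1); // index 0 is the scope marker, not a selector
  const name = at === -1 ? target : target.slice(0, at);
  const selector = at === -1 ? null : target.slice(at + 1);
  return { name, selector, parent };
}

// Does a selector such as "6", "7.5" or "7.x" apply to an exact version?
// Unknown selector syntax is treated as not matching, so it never reads as coverage.
function selectorMatches(selector, version) {
  if (selector === null) return true;
  const v = parseExact(version);
  const m = /^(\d+)(?:\.(\d+|x))?$/.exec(selector);
  if (!v || !m || Number(m[1]) !== v[0]) return false;
  return m[2] === undefined || m[2] === "x" || Number(m[2]) === v[1];
}

// One result per alert: "ok", "too-low", "not-exact" or "missing".
function checkAlerts(alerts, overrides) {
  const entries = Object.entries(overrides).map(([key, version]) => ({ key, version, ...parseOverrideKey(key) }));
  return alerts.map((alert) => {
    const candidates = entries.filter(
      (o) => o.parent === null && o.name === alert.pkg && selectorMatches(o.selector, alert.patched),
    );
    if (candidates.length === 0) return { ...alert, status: "missing", key: null, forced: null };
    const unpinned = candidates.find((o) => parseExact(o.version) === null);
    if (unpinned) return { ...alert, status: "not-exact", key: unpinned.key, forced: unpinned.version };
    // Several keys may apply (e.g. "tar" and "tar@6"); conservatively take the
    // lowest forced version as the guarantee (pnpm's precedence rules are not modelled).
    const weakest = candidates.reduce((a, b) => (compareVersions(a.version, b.version) <= 0 ? a : b));
    const status = compareVersions(weakest.version, alert.patched) >= 0 ? "ok" : "too-low";
    return { ...alert, status, key: weakest.key, forced: weakest.version };
  });
}

for (const r of checkAlerts(ALERTS, OVERRIDES)) {
  const via = r.forced ? ` (${r.key} -> ${r.forced})` : "";
  console.log(`${r.alert.padEnd(16)} ${r.pkg.padEnd(26)} needs ${r.patched.padEnd(8)} ${r.status}${via}`);
}
```

Run it with `node` after pasting the real `pnpm.overrides` object in place of the constructed map; a `too-low` or `missing` row means the alert is not actually closed by the override, and `not-exact` flags a range where a pin was intended.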

@devin-ai-integration
Contributor Author

Original prompt from API User
Fix multiple Dependabot high-severity alerts for transitive dependencies in the Crossmint/crossmint-sdk repository by adding pnpm overrides.

Context: Several transitive dependencies in the pnpm-lock.yaml have high-severity vulnerabilities. These are NOT direct dependencies - they are pulled in transitively. The fix is to add pnpm overrides in the root package.json to force the patched versions.

Alerts to resolve:
- #434: @isaacs/brace-expansion <= 5.0.0 → needs 5.0.1 (Uncontrolled Resource Consumption)
- #411, #414, #417: tar <= 7.5.2 → needs 7.5.7 (multiple path traversal and symlink poisoning CVEs)
- #410: h3 <= 1.15.4 → needs 1.15.5 (Request Smuggling)
- #405: @remix-run/router <= 1.23.1 → needs 1.23.2 (XSS via Open Redirects)
- #403: @remix-run/react < 2.17.3 → needs 2.17.3 (SSR XSS in ScrollRestoration)
- #402: preact >= 10.28.0, < 10.28.2 → needs 10.28.2 (JSON VNode Injection)
- #401: qs < 6.14.1 → needs 6.14.1 (arrayLimit bypass DoS)

The root package.json already has a pnpm.overrides section. You need to ADD new entries to it.

Existing overrides in root package.json (DO NOT remove these):

"pnpm": {
  "overrides": {
    "axios@0": "0.30.0",
    "axios@1": "1.12.2",
    "elliptic@6": "6.6.1",
    "form-data@3": "3.0.4",
    "form-data@4": "4.0.4",
    "path-to-regexp@0": "0.1.12",
    "react-native": "0.82.1",
    "@types/react": "19.1.10",
    "@types/react-dom": "19.1.0",
    "pbkdf2": "3.1.3",
    "trim@0": "0.0.3",
    "ws@7": "7.5.10",
    "ws@8": "8.18.2",
    "react": "19.1.2",
    "react-dom": "19.1.2",
    "expo-demo>react": "19.1.1",
    "expo-demo>react-dom": "19.1.1",
    "@crossmint/client-sdk-react-native-ui>react": "19.1.1",
    "@crossmint/client-sdk-rn-window>react": "19.1.1",
    "@crossmint/client-sdk-rn-window>react-dom": "19.1.1"
  }
}


New overrides to ADD:

"@isaacs/brace-expansion": "5.0.1",
"tar@6": "6.2.1",
"tar@7": "7.5.7",
"h3": "1.15.5... (999 chars truncated...)

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@changeset-bot

changeset-bot bot commented Feb 10, 2026

⚠️ No Changeset found

Latest commit: 4bdf637

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Contributor

@greptile-apps greptile-apps bot left a comment

2 files reviewed, 2 comments

@greptile-apps
Contributor

greptile-apps bot commented Feb 10, 2026

Additional Comments (2)

package.json
Invalid Co-Author trailer
The commit message includes Co-Authored-By: unknown <>, which is not a valid trailer (empty email) and can break tooling that parses commit metadata / DCO checks. Please remove the invalid trailer or replace it with a real name+email before merging.

pnpm-lock.yaml
Lockfile pins workspace dep
This lockfile change turns apps/auth/remix-ssr's @remix-run/react specifier from ^2.16.8 to an exact 2.17.3 (see importers section). That’s a behavior change (it prevents future patch/minor resolutions within the allowed range) and is not required to apply a pnpm override. Consider reverting the importer specifier back to ^2.16.8 and relying on the root pnpm.overrides to force 2.17.3.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

@github-actions
Contributor

🔥 Smoke Test Results

Status: Passed

Statistics

  • Total Tests: 5
  • Passed: 5 ✅
  • Failed: 0
  • Skipped: 0
  • Duration: 4.63 min

✅ All smoke tests passed!

All critical flows are working correctly.


This is a non-blocking smoke test. Full regression tests run separately.

Contributor

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@greptile-apps
Contributor

greptile-apps bot commented Feb 10, 2026

Additional Comments (1)

pnpm-lock.yaml
Lockfile mutates peer range

This PR changes @remix-run/[email protected]’s peerDependencies['@remix-run/react'] from ^2.17.0 to the pinned 2.17.3 (see pnpm-lock.yaml:4822-4824). Since the @remix-run/[email protected] version and resolution.integrity are unchanged vs base, this is a lockfile metadata mutation rather than an actual package change. It should stay ^2.17.0; the override should only affect resolution, not rewrite the package’s declared peer range.

@jmfernandezalba jmfernandezalba merged commit c54d525 into main Feb 10, 2026
3 checks passed
@jmfernandezalba jmfernandezalba deleted the devin/1770686243-fix-transitive-dep-dependabot-alerts branch February 10, 2026 11:44