stacklok / toolhive-studio / 25722153104
68%
main: 70%

LAST BUILD BRANCH: renovate/vitejs-plugin-react-6.x
DEFAULT BRANCH: main
Ran 12 May 2026 08:18AM UTC
Jobs 1
Files 505
Run time 1min
12 May 2026 08:13AM UTC coverage: 67.958%. Remained the same
25722153104

Pull #2218

github

peppescg
fix(security): override mermaid >=11.15.0 and pin @tanstack/history 1.161.6

Resolves outstanding pnpm audit findings on main.

**mermaid** (5x moderate: GHSA-6m6c-36f7-fhxh, GHSA-xcj9-5m2h-648r,
GHSA-87f9-hvmw-gh4p, GHSA-ghcm-xqfw-q4vr, GHSA-ipv4-3wmr-h2v9)
Transitive via @streamdown/mermaid (and streamdown). Upstream
@streamdown/mermaid@1.0.2 declares `mermaid: ^11.12.2`, which is
compatible with 11.15.x. Add `"mermaid": ">=11.15.0"` to pnpm.overrides;
both consumers now resolve to 11.15.0.

**@tanstack/history** (critical: GHSA-rmmr-r34h-pfm5, malware)
Malicious 1.161.9 / 1.161.12 have already been unpublished from npm,
and the lockfile resolves to the clean 1.161.6. The advisory keeps an
open-ended `>=0` range to cover possible future malicious republishes
from the compromised maintainer account, so add a pin to 1.161.6 in
pnpm.overrides and a scoped `.grype.yaml` ignore. Drop both once
TanStack ships a clean follow-up and the advisory range is narrowed.

Remaining `pnpm audit` findings are intentional:
- fast-xml-parser pinned to 5.5.8 (PR #2096) due to AWS SDK regression
  in 5.7.x — already covered by `.grype.yaml`.
- @tanstack/history flagged via advisory's open `>=0` range — covered
  by the new `.grype.yaml` ignore scoped to 1.161.6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull Request #2218: fix(security): override mermaid >=11.15.0 and pin @tanstack/history 1.161.6

4712 of 7478 branches covered (63.01%)

7033 of 10349 relevant lines covered (67.96%)

120.56 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 25722153104.1 | 12 May 2026 08:18AM UTC | 505 | 67.96
  • PR Base - main (#25665880344)