From 9537c7657c141fcea60c97d25eabc3117c130560 Mon Sep 17 00:00:00 2001
From: Johannes Marbach
Date: Mon, 15 Jun 2026 12:29:20 +0200
Subject: [PATCH 1/3] Switch to pnpm 11.6.0
---
 package.json | 14 +-------------
 pnpm-workspace.yaml | 20 +++++++++++++++++---
 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/package.json b/package.json
index 01f77d0ff..2deb7ee4b 100644
--- a/package.json
+++ b/package.json
@@ -147,17 +147,5 @@
 "vitest": "^4.1.5",
 "vitest-axe": "^1.0.0-pre.3"
 },
- "pnpm": {
- "overrides": {
- "@livekit/components-core>rxjs": "^7.8.1",
- "@livekit/track-processors>@mediapipe/tasks-vision": "^0.10.18",
- "minimatch": "^10.2.3",
- "tar": "^7.5.11",
- "glob": "^10.5.0",
- "qs": "^6.14.1",
- "js-yaml": "^4.1.1",
- "esbuild": "^0.28.0"
- }
- },
- "packageManager": "pnpm@10.33.0"
+ "packageManager": "pnpm@11.6.0+sha512.9a36518224080c6fe5165afdcfe79bfa118c29be703f3f462b1e32efe1e98e47e8750b148e08286250aad4113cc7993ca413c4e2cd447752708c2ee5751bc95f"
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 3fbe34a8a..1ac90cf2f 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,3 +1,17 @@
-# dependencies where we use branches and hashes in the package.json. But that also use a pre/post install script.
-onlyBuiltDependencies:
- - "matrix-js-sdk"
+allowBuilds:
+ "@parcel/watcher": true
+ "@sentry/cli": true
+ "@swc/core": true
+ "core-js": true
+ "esbuild": true
+ "matrix-js-sdk@https://codeload.github.com/matrix-org/matrix-js-sdk/tar.gz/8c95727b6278fe7942c20d0b9485f984dd0694b7": true
+ "protobufjs": true
+overrides:
+ "@livekit/components-core>rxjs": "^7.8.1"
+ "@livekit/track-processors>@mediapipe/tasks-vision": "^0.10.18"
+ "minimatch": "^10.2.3"
+ "tar": "^7.5.11"
+ "glob": "^10.5.0"
+ "qs": "^6.14.1"
+ "js-yaml": "^4.1.1"
+ "esbuild": "^0.28.0"
From dc6511b99e87ac240c68a722135c93b5d855e675 Mon Sep 17 00:00:00 2001
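Review bot: The new `allowBuilds` map lets seven packages run install scripts where the removed `onlyBuiltDependencies` list allowed only `matrix-js-sdk`, and the comment that explained the old entry is dropped without a replacement. Each `true` is code executed on developer and CI machines at install time, so a header such as `# Packages allowed to run install scripts; each entry executes code at install time, so list only those that break without it.` would keep the intent reviewable. It is worth confirming that every entry really needs its script; `core-js` and `protobufjs` in particular may only print a notice, in which case setting them to `false` would keep them recorded without executing anything. Only the `matrix-js-sdk` key is pinned (to a tarball commit), so it has to be updated together with the dependency, while the other six match any version of the package.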
From: Johannes Marbach
Date: Wed, 17 Jun 2026 15:27:59 +0200
Subject: [PATCH 2/3] Document why we override resolved versions
---
 pnpm-workspace.yaml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index c26569f58..56a458675 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -7,13 +7,29 @@ allowBuilds:
 "matrix-js-sdk@https://codeload.github.com/matrix-org/matrix-js-sdk/tar.gz/8c95727b6278fe7942c20d0b9485f984dd0694b7": true
 "protobufjs": true
 overrides:
+ # We need compatible versions of RxJS in our dependencies and LiveKit's dependencies, but
+ # LiveKit has pinned it to a very specific version which is now holding us back from updating.
+ # See livekit/components-js#1101 for a request for a proper solution.
 "@livekit/components-core>rxjs": "^7.8.1"
+ # Dedupe Mediapipe dependencies.
 "@livekit/track-processors>@mediapipe/tasks-vision": "^0.10.18"
- "minimatch": "^10.2.3"
+ # Security fix: https://security-tracker.debian.org/tracker/CVE-2026-31802
 "tar": "^7.5.11"
+ # Security fixes:
+ # - https://github.com/advisories/GHSA-7r86-cg39-jmmj
+ # - https://github.com/advisories/GHSA-23c5-xmqv-rm74
+ "minimatch": "^10.2.3"
+ # Security fix: https://github.com/element-hq/element-call/security/dependabot/109
 "glob": "^10.5.0"
+ # Security fixes:
+ # - https://github.com/element-hq/element-call/security/dependabot/110
+ # - https://github.com/element-hq/element-call/security/dependabot/122
 "qs": "^6.14.1"
+ # Security fix: https://github.com/element-hq/element-call/security/dependabot/106
 "js-yaml": "^4.1.1"
+ # Storybook declares support for 0.27.0 only but empirically works fine with 0.28.0.
 "esbuild": "^0.28.0"
- "flatted": "^3.4.2"
- "undici": "^6.24.0"
\ No newline at end of file
+ # Multiple security fixes: https://github.com/nodejs/undici/releases/tag/v6.24.0
+ "undici": "^6.24.0"
+ # Security fix: https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
+ "flatted": "^3.4.2"
\ No newline at end of file
From 669f4264c7ea02ec42535ae5ace02eb2af5ba9fd Mon Sep 17 00:00:00 2001
From: Johannes Marbach
Date: Wed, 17 Jun 2026 15:35:47 +0200
Subject: [PATCH 3/3] Reformat
Signed-off-by: Johannes Marbach
---
 pnpm-workspace.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
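Review bot: The rationale comments added for `glob`, `qs` and `js-yaml` link to `https://github.com/element-hq/element-call/security/dependabot/<n>`, and Dependabot alert pages are normally visible only to users with security access to the repository, so most readers cannot see which advisory an override addresses. Citing the public identifier, as the `minimatch`, `flatted` and `tar` comments in this hunk already do, keeps the justification auditable: `# Security fix: https://github.com/advisories/<GHSA-ID>` (placeholder; take the real ID from the alert). A public ID also lets a later reader check whether the override is still needed once the dependents have moved past the fixed version.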
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 56a458675..75cfc0b0d 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -32,4 +32,4 @@ overrides:
 # Multiple security fixes: https://github.com/nodejs/undici/releases/tag/v6.24.0
 "undici": "^6.24.0"
 # Security fix: https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
- "flatted": "^3.4.2"
\ No newline at end of file
+ "flatted": "^3.4.2"