MOHITKOURAV01 opened a new pull request, #9175:
URL: https://github.com/apache/pouchdb/pull/9175

   
   ### Security Maintenance: Resolve Vulnerabilities & Build Restoration
   
   This PR addresses critical and high-severity security vulnerabilities discovered during a dependency audit. It also restores the build pipeline, which was broken by mandatory Rollup upgrades.
   
   ## Rationale
   - **Security**: Resolved 27+ vulnerabilities, including critical ReDoS and prototype pollution risks in transitive dependencies.
   - **Sustainability**: Implemented `overrides` in `package.json` to force secure versions of deep-nested dependencies like `qs`, `debug`, and `ms` used by legacy packages.
   - **Build Restoration**: Upgrading dependencies forced a move to Rollup 4. This PR includes a fix for the `bin/build-pouchdb.js` script to handle the changed API structure of Rollup 4's `bundle.generate()`.
   
   ## Changes
   - **package.json**: Added `overrides` section for `qs`, `debug`, `ms`, `nodemon`, `cookie`, `semver`, etc.
   - **bin/build-pouchdb.js**: Updated `doRollup` to correctly access `result.output[0].code` for Rollup 4 compatibility.
   - **package-lock.json**: Full refresh of the dependency tree.
   
   ## Testing Conducted
   - [x] Ran `npm run test-unit` (164 passing).
   - [x] Ran `TYPE=find ADAPTERS=memory` integration tests (349 passing).
   - [x] Verified full build via `npm run build` (all 31 packages built successfully).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
