From 5986026abde0db04fda48185b30ecb4f28f36eac Mon Sep 17 00:00:00 2001 From: Gandalf the Greybeard Date: Sat, 30 May 2026 23:53:37 +0000 Subject: [PATCH] Remove ineffective elliptic pnpm.overrides entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The override "elliptic": ">=6.6.1" was added in PR #26 to address GHSA-848j-6mx2-7j84 (CVE-2025-14505), but it is a no-op because elliptic@6.6.1 IS the vulnerable version and no patched version exists. No upstream fix is available — elliptic@6.6.1 is the latest release. CTO decision: remove the no-op override, accept residual build-time risk. Dependency is build-time only and not shipped to production. Ref: PRI-1758, PRI-923
---
 package.json | 3 +--
 pnpm-lock.yaml | 1 -
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/package.json b/package.json
index 753b3f1..eaf7886 100644
--- a/package.json
+++ b/package.json
@@ -33,8 +33,7 @@
 "overrides": {
 "tar": "^7.5.11",
 "undici": "^7.24.3",
- "flatted": "^3.4.2",
- "elliptic": ">=6.6.1"
+ "flatted": "^3.4.2"
 }
 },
 "devDependencies": {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 569ae31..2e17be9 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -8,7 +8,6 @@ overrides: tar: ^7.5.11 undici: ^7.24.3 flatted: ^3.4.2 - elliptic: '>=6.6.1' importers:
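Review bot: The accepted-risk decision for GHSA-848j-6mx2-7j84 now lives only in this commit message, so `pnpm audit` and any CI advisory scan will keep flagging elliptic@6.6.1 with nothing in the repository recording why it is tolerated or when to revisit it. If your pnpm version supports it, record the acceptance next to the remaining overrides in the same `pnpm` block, e.g. `"auditConfig": { "ignoreGhsas": ["GHSA-848j-6mx2-7j84"] }`, and note in PRI-1758 a date to re-check for an upstream release so the ignore does not outlive the reason for it. The "build-time only, not shipped" claim cannot be verified from this hunk; it is worth confirming with `pnpm why elliptic` that no browser crypto polyfill or bundler path pulls it into shipped output before treating the exposure as build-only. Dropping `>=6.6.1` also removes the version floor, so a transitive range that pins an older elliptic could presumably resolve below 6.6.1 on the next re-resolution once the lockfile is regenerated — worth a glance at the lockfile diff after the next dependency update. The enclosing `pnpm` object that holds `overrides` starts outside this hunk.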