fix-audit
| field | value |
| --- | --- |
| name | fix-audit |
| description | Fix pnpm audit vulnerabilities. Upgrades packages, adds overrides, handles minimumReleaseAge restrictions, and cleans up stale overrides. |
| user-invocable | true |
| allowed-tools | Bash, Read, Edit, Write, Grep, Glob |
Fix all vulnerabilities reported by `pnpm audit`. Follow each phase in order.

1. Run `pnpm audit --json` and capture the output.
2. For each vulnerability, attempt a direct upgrade first:
   - If the vulnerable package is a direct dependency (declared in a workspace `package.json`), run:
     ```
     pnpm update <package>@<fixed-version> --filter <workspace>
     ```
   - Otherwise, run:
     ```
     pnpm update <package> --recursive
     ```
3. Run `pnpm audit --json` again to check which vulnerabilities remain.
For vulnerabilities not fixed by direct upgrades:

1. Read the existing `pnpm.overrides` from the root `package.json` and add an entry for the vulnerable package:
   ```json
   "pnpm": {
     "overrides": {
       "<package>": "<fixed-version>"
     }
   }
   ```
   Scope each override to the vulnerable version range so that other consumers are not affected, for example:
   ```json
   "brace-expansion@>=4": ">=5.0.5"
   ```
   An unscoped override like `"brace-expansion": ">=5.0.5"` would force ALL consumers to 5.x, breaking packages that depend on 1.x or 2.x APIs.
2. Run `pnpm install` to apply the overrides.

If `pnpm install` fails because a package version cannot be found (error messages like `ERR_PNPM_FETCH_404`, `No matching version found`, or `package not found`), this is likely because the fixed version was published recently and is blocked by `minimumReleaseAge: 2880` in `pnpm-workspace.yaml`.
To work around this:

1. Open `pnpm-workspace.yaml` and note the current `minimumReleaseAge` value.
2. Comment out the `minimumReleaseAge` line (and its preceding comment lines):
   ```yaml
   # minimumReleaseAge: 2880
   ```
3. Run `pnpm install` to update the lockfile.
4. Restore the `minimumReleaseAge` line to its original value:
   ```yaml
   minimumReleaseAge: 2880
   ```
5. Run `pnpm install` again to verify that the lockfile is now consistent with the age restriction re-enabled. If this second install fails, the package truly cannot be resolved — remove that override and report the issue to the user.

CRITICAL: Never leave `minimumReleaseAge` commented out. Always restore it, even if subsequent steps fail.

Alternative: use `minimumReleaseAgeExclude` in `pnpm-workspace.yaml` instead of commenting out the age restriction:

```yaml
minimumReleaseAgeExclude:
  - path-to-regexp
```

This is safer but should still be removed after the lockfile is updated.
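The scoped-override rule from the override phase above, as an added example that is not part of this skill: a small Node.js helper that derives `pnpm.overrides` entries of the form `"<package>@<vulnerable range>": "<patched range>"` from `pnpm audit --json` output and flags any existing unscoped override keys. It assumes the npm-audit-v1 style JSON shape pnpm emits (`advisories` keyed by id, each with `module_name`, `vulnerable_versions`, `patched_versions`); the audit and root `package.json` used below are constructed samples, not real project data.

```javascript
// Constructed sample of `pnpm audit --json` output: two advisories, the second
// with no published fix (npm uses "<0.0.0" for "no patched version").
const SAMPLE_AUDIT = {
  advisories: {
    "1001": {
      module_name: "brace-expansion",
      severity: "high",
      vulnerable_versions: ">=4.0.0 <5.0.5",
      patched_versions: ">=5.0.5",
    },
    "1002": {
      module_name: "example-pkg",
      severity: "moderate",
      vulnerable_versions: "<2.0.0",
      patched_versions: "<0.0.0",
    },
  },
};

// Build scoped override entries. Advisories without a patched range cannot be
// fixed by an override and are reported separately for manual follow-up.
function buildScopedOverrides(audit) {
  const overrides = {};
  const unfixable = [];
  for (const [id, adv] of Object.entries(audit.advisories ?? {})) {
    const patched = (adv.patched_versions || "").trim();
    if (!patched || patched === "<0.0.0") {
      unfixable.push({ id, package: adv.module_name });
      continue;
    }
    // Key is scoped to the vulnerable range, so 1.x/2.x consumers are untouched.
    overrides[`${adv.module_name}@${adv.vulnerable_versions}`] = patched;
  }
  return { overrides, unfixable };
}

// Merge new entries into the root package.json's pnpm.overrides (keeping the
// existing ones) and list keys with no "@<range>" suffix: those force every
// consumer of the package onto the new range. slice(1) skips the leading "@"
// of scoped package names such as "@scope/pkg".
function mergeIntoPackageJson(pkg, overrides) {
  const merged = { ...(pkg.pnpm?.overrides ?? {}), ...overrides };
  const unscoped = Object.keys(merged).filter((k) => !k.slice(1).includes("@"));
  const updated = { ...pkg, pnpm: { ...(pkg.pnpm ?? {}), overrides: merged } };
  return { pkg: updated, unscoped };
}

// Constructed root package.json with one unscoped and one scoped override.
const SAMPLE_ROOT = { name: "root", pnpm: { overrides: { "path-to-regexp": ">=8.0.0", "@scope/x@<1": ">=1.0.0" } } };
const result = buildScopedOverrides(SAMPLE_AUDIT);
console.log(JSON.stringify({ ...result, ...mergeIntoPackageJson(SAMPLE_ROOT, result.overrides) }, null, 2));
```

Run `pnpm install` after writing the merged `pnpm.overrides` back to `package.json`; the audit only reflects the regenerated lockfile.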
After the lockfile is updated, check whether any existing overrides in `pnpm.overrides` are now unnecessary:

1. Temporarily remove each override from `pnpm.overrides` in the root `package.json`.
2. Run `pnpm install` to regenerate the lockfile, then run `pnpm audit --json`.
3. If the vulnerability does not reappear, the override is stale and can stay removed; otherwise restore it and run `pnpm install` to apply.

Important: You must run `pnpm install` after changing overrides because `pnpm audit` checks the lockfile, and the lockfile retains previously resolved versions until regenerated. Simply removing an override and running audit without install will show the old (safe) versions and give a false "stale" result.
Run `pnpm manypkg fix` to ensure any upgraded packages have consistent version ranges across all workspace `package.json` files.

Run `pnpm audit` one final time and report the results. Run `pnpm install --frozen-lockfile` to verify the lockfile is consistent.