pnpm-workspace.yaml

overrides:
  # Fix CVE-2025-13465 / GHSA-xxjr-mmjv-4gpg: Lodash Prototype Pollution in _.unset and _.omit
  # Transitive via @mintlify/common
  "lodash@<4.17.23": "4.17.23"
  # Fix CVE-2026-0540 / GHSA-v2wj-7wpq-c8vv: DOMPurify XSS via missing rawtext elements
  "dompurify@<3.3.2": "3.3.2"
  # Fix CVE-2024-29041 / GHSA-rv95-896h-c2vc: Express open redirect in malformed URLs
  # Fix CVE-2024-43796 / GHSA-qw6h-vgh9-j6wx: Express XSS via response.redirect()
  # Transitive via mintlify -> @mintlify/previewing
  "express@>=4.0.0 <4.20.0": "4.21.2"
  # Fix CVE-2023-4316 / GHSA-m95q-7qp3-xv42: Zod ReDoS in email validation
  "zod@<3.22.3": "3.22.3"
  # Fix CVE-2025-64718 / GHSA-mh29-5h37-fv8m: js-yaml Prototype Pollution via merge
  # Transitive via @mintlify/cli and @mintlify/common
  "js-yaml@>=4.0.0 <4.1.1": "4.1.1"
  # Fix CVE-2025-15284 / GHSA-6rw7-vpxm-498p: qs arrayLimit bypass in bracket notation
  # Fix CVE-2026-2391 / GHSA-w7fw-mjwx-w883: qs arrayLimit bypass in comma parsing
  # Transitive via express -> body-parser
  "qs@<6.14.2": "6.14.2"
  # Fix CVE-2024-43799 / GHSA-m6fv-jmcg-4jfg: send template injection leading to XSS
  # Transitive via express -> serve-static
  "send@>=0.0.0 <0.19.0": "0.19.0"
  # Fix CVE-2024-43800 / GHSA-cm22-4g7w-348p: serve-static template injection leading to XSS
  # Transitive via express
  "serve-static@>=1.0.0 <1.16.0": "1.16.0"
  # Fix CVE-2024-47764 / GHSA-pxg6-pf52-xh8x: cookie out of bounds characters in name/path/domain
  # Transitive via express
  "cookie@<0.7.0": "0.7.0"
  # Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j and CVE-2024-52798 / GHSA-rhx6-c78j-4q9w: path-to-regexp ReDoS vulnerability
  # Transitive via mintlify -> @mintlify/previewing -> express@4.18.2
  "path-to-regexp@<0.1.12": "0.1.12"
  # Fix CVE-2026-29063 / GHSA-wf6x-7x77-mvgw: immutable Prototype Pollution vulnerability
  # Transitive via sass and sass-embedded
  "immutable@>=5.0.0 <5.1.5": "5.1.5"
  # Fix CVE-2026-26996 / GHSA-3ppc-4f35-3m26: minimatch ReDoS vulnerability
  # Transitive via @stoplight/spectral-core
  "minimatch@<3.1.5": "3.1.5"
  # Fix CVE-2026-25639 / GHSA-43fc-jf86-j433: axios DoS via __proto__ in mergeConfig
  # Fix CVE-2025-58754 / GHSA-4hjh-wcwx-xvwj: axios DoS vulnerability via data: URI
  # Transitive via mintlify -> @mintlify/models
  "axios@<1.13.5": "1.13.5"
  # Fix CVE-2026-29074 / GHSA-xpqw-6gx7-v673: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
  # Transitive via @svgr/webpack -> @svgr/plugin-svgo -> svgo
  "svgo@>=3.0.0 <3.3.3": "3.3.3"
  # Fix CVE-2024-45590 / GHSA-qwcr-r2fm-qrc7: body-parser DoS vulnerability
  # Transitive via express@4.18.2
  "body-parser@<1.20.3": "1.20.3"
  # Fix CVE-2026-23745, CVE-2026-23950, CVE-2026-24842, CVE-2026-26960, CVE-2026-29786: various tar path traversal/hardlink vulnerabilities
  # Fix CVE-2024-28863 / GHSA-f5x3-32g6-xq36: tar DoS via excessive nested folder depth
  "tar@<7.5.10": "7.5.10"
  # @mintlify/previewing uses `import tar from 'tar'` (ESM default import) which only works with tar@6.x
  # Dev-only tool; no exploitation risk
  "@mintlify/previewing>tar": "6.2.1"

packages:
  - apps/agentstack-ui
  - apps/beeai-web
  - apps/lint-config
  - apps/agentstack-sdk-ts
  - apps/agentstack-sdk-ts/examples/chat-ui
  - apps/keycloak-theme
  - docs

catalog:
  '@carbon/icons-react': ^11.75.0
  '@carbon/layout': ^11.48.0
  '@carbon/react': ^1.101.0
  '@carbon/styles': ^1.100.0
  '@ibm/plex': ^6.4.1
  '@svgr/webpack': ^8.1.0
  '@tanstack/react-query': ^5.90.21
  '@types/lodash': ^4.17.24
  '@types/node': ^24.0.0
  '@types/react': ^19.2.14
  '@types/react-dom': ^19.2.3
  babel-plugin-react-compiler: 1.0.0
  clsx: ^2.1.1
  eslint: ^9.39.3
  lodash: ^4.17.23
  next: ^16.1.6
  prettier: ^3.8.1
  react: ^19.2.4
  react-dom: ^19.2.4
  sass-embedded: ^1.97.3
  stylelint: ^17.0.0
  typescript: ^5.9.3
  usehooks-ts: ^3.1.1