
Address security audit report and fix docker build#2302

Merged
lightwalker-eth merged 2 commits into
mainfrom
fix/ci-workflow-issues
Jun 16, 2026

Conversation

@tk-o

@tk-o tk-o commented Jun 16, 2026

Member

Lite PR

Tip: Review docs on the ENSNode PR process

Summary

  • Relevant NPM dependencies were upgraded to address the security audit report from the OSV scanner.
  • ENSRainbow docker image was updated to copy files required for AI-related tooling from PR AI Agent Configuration Overhaul #2287 to run correctly.

Why

  • We need all docker images to be built successfully.
  • All security updates need to be applied as soon as possible.

Testing

  • Ran static code checks and integration tests.
  • Ran a successful docker build for ENSRainbow.

Notes for Reviewer (Optional)

  • Anything non-obvious or worth a heads-up.

Pre-Review Checklist (Blocking)

  • This PR does not introduce significant changes and is low-risk to review quickly.
  • Relevant changesets are included (or are not required)

Copilot AI review requested due to automatic review settings June 16, 2026 11:45
@vercel

vercel Bot commented Jun 16, 2026

Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
enskit-react-example.ensnode.io | Ready | Preview, Comment | Jun 16, 2026 12:12pm

3 Skipped Deployments:
admin.ensnode.io | Skipped | Jun 16, 2026 12:12pm
ensnode.io | Skipped | Jun 16, 2026 12:12pm
ensrainbow.io | Skipped | Jun 16, 2026 12:12pm

@changeset-bot

changeset-bot Bot commented Jun 16, 2026


⚠️ No Changeset found

Latest commit: 6594dd9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Contributor


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 205490f6-fd4e-46b5-a86b-a7872f80d46a

📥 Commits

Reviewing files that changed from the base of the PR and between 4e6acc2 and 6594dd9.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/ensapi/package.json
  • apps/ensrainbow/Dockerfile
  • package.json
  • pnpm-workspace.yaml
📝 Walkthrough

Bumps @opentelemetry/core in apps/ensapi, updates drizzle-orm and vite catalog versions in pnpm-workspace.yaml, expands and adjusts multiple pnpm.overrides version constraints and peerDependencyRules.allowedVersions in the root package.json, and adds skills-npm.config.ts to the apps/ensrainbow Dockerfile COPY step.

Changes

Dependency version bumps and pnpm override updates

Layer / File(s) | Summary

Workspace catalog and root pnpm overrides/peer rules (pnpm-workspace.yaml, package.json): drizzle-orm catalog bumped from 0.41.0 to ^0.45.2; vite catalog bumped from ^7.3.2 to ^7.3.5; pnpm.overrides expanded with updated version ranges for esbuild, tar, kysely, yaml, vite/vite-node via ponder, dompurify, protobufjs, postcss, ws, and others; peerDependencyRules.allowedVersions extended with @scalar/astro>astro and ponder>vite-tsconfig-paths>vite.

ensapi dependency bump and ensrainbow Dockerfile COPY update (apps/ensapi/package.json, apps/ensrainbow/Dockerfile): @opentelemetry/core bumped from ^2.7.1 to ^2.8.0 in apps/ensapi; skills-npm.config.ts added to the COPY step in the ensrainbow Dockerfile before pnpm install --frozen-lockfile.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • namehash/ensnode#2116: Directly updates the same drizzle-orm catalog entry in pnpm-workspace.yaml (0.41.0 → 0.45.2).
  • namehash/ensnode#2095: Also bumps @opentelemetry/core in apps/ensapi, the previous step in the same version chain.
  • namehash/ensnode#2013: Modifies the same pnpm.overrides audit-driven dependency resolution rules in the root package.json.

Suggested labels

dependencies

Poem

🐇 Hop hop, the deps have grown,
A version here, a patch there sown,
drizzle-orm leaps to .45,
opentelemetry stays alive!
The lockfile's frozen, all is right—
This bunny keeps the builds tight. 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main changes: addressing a security audit report and fixing Docker build issues. It is concise and specific.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The PR description follows the required template structure with all key sections present: Summary, Why, Testing, Notes for Reviewer, and Pre-Review Checklist. All required blocking items are checked.


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

Inline comments:
In `@apps/ensapi/package.json`:
- Line 37: OpenTelemetry packages in the dependencies are at misaligned
versions, with `@opentelemetry/core` at ^2.8.0 while `@opentelemetry/resources`,
`@opentelemetry/sdk-metrics`, `@opentelemetry/sdk-trace-base`, and
`@opentelemetry/sdk-trace-node` remain at ^2.7.1. Since OpenTelemetry packages are
released as a synchronized set, update all four misaligned packages from ^2.7.1
to ^2.8.0 to match `@opentelemetry/core` and prevent version skew.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 031e41f6-a4e5-4ed0-a359-c98ffcd69e40

📥 Commits

Reviewing files that changed from the base of the PR and between d43bc70 and 4e6acc2.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (4)
  • apps/ensapi/package.json
  • apps/ensrainbow/Dockerfile
  • package.json
  • pnpm-workspace.yaml


Copilot AI left a comment

Contributor


Pull request overview

This PR updates monorepo dependency versions/overrides in response to a security audit and adjusts the ENSRainbow Docker build inputs so dependency installation can succeed in the container build context.

Changes:

  • Bump workspace catalog versions (notably drizzle-orm and vite) and update the lockfile accordingly.
  • Expand pnpm.overrides (and related peer rules) to address multiple audit findings across transitive dependencies.
  • Update apps/ensrainbow/Dockerfile to copy skills-npm.config.ts into the build context prior to pnpm install.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
pnpm-workspace.yaml Updates catalog versions (drizzle-orm, vite).
pnpm-lock.yaml Regenerated lockfile reflecting updated catalogs/overrides.
package.json Expands pnpm.overrides and peer dependency allowances for audit remediation.
apps/ensrainbow/Dockerfile Adjusts pre-install copy set for Docker builds (adds skills-npm.config.ts).
apps/ensapi/package.json Bumps @opentelemetry/core dependency.


Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

@vercel vercel Bot temporarily deployed to Preview – ensrainbow.io June 16, 2026 12:12 Inactive
@vercel vercel Bot temporarily deployed to Preview – ensnode.io June 16, 2026 12:12 Inactive
@vercel vercel Bot temporarily deployed to Preview – admin.ensnode.io June 16, 2026 12:12 Inactive
@tk-o tk-o marked this pull request as ready for review June 16, 2026 12:13
@tk-o tk-o requested a review from a team as a code owner June 16, 2026 12:13
Copilot AI review requested due to automatic review settings June 16, 2026 12:13
@tk-o

tk-o commented Jun 16, 2026

Member Author

@greptile review

@greptile-apps

greptile-apps Bot commented Jun 16, 2026

Contributor

Greptile Summary

This PR addresses an OSV security audit by upgrading vulnerable transitive dependencies via pnpm overrides and fixes the ENSRainbow Docker build by adding the files required for the prepare lifecycle hook introduced in PR #2287.

  • Security overrides (package.json, pnpm-lock.yaml): Replaces open-ended >= floor ranges with ^ semver ranges and expands affected-version selectors for tar, dompurify, and protobufjs; adds new overrides for ws, @babel/core, @grpc/grpc-js, js-yaml, markdown-it, form-data, vite@7, and @opentelemetry/core.
  • Dockerfile (apps/ensrainbow/Dockerfile): Copies skills-npm.config.ts, .agents/, and scripts/ before pnpm install so the skills-npm and link-local-skills.mjs steps in the root prepare script can run inside the build container.
  • OTel bump (apps/ensapi/package.json): Direct @opentelemetry/* stable-line packages updated from ^2.7.1 to ^2.8.0, consistent with the new workspace-level override.

Confidence Score: 4/5

Safe to merge — dependency upgrades are straightforward security patches and the Dockerfile fix has been smoke-tested by the author.

The dependency override changes are well-scoped and the lock file is consistent. The Dockerfile change correctly wires up the prepare-hook files, though it copies the entire root scripts/ directory when only one file is needed, and the skills-npm step during pnpm install fetches from the npm registry, introducing a minor non-determinism in the image build.

apps/ensrainbow/Dockerfile — the COPY scripts/ instruction and the network-dependent prepare hook are the only things worth a second look.

Important Files Changed

Filename Overview
apps/ensrainbow/Dockerfile Adds COPY instructions for skills-npm.config.ts, .agents/, and scripts/ so the root prepare lifecycle hook (skills-npm + link-local-skills.mjs) can run during pnpm install --frozen-lockfile. The .agents/ directory is empty at build time but that is expected — skills-npm populates it during prepare.
package.json Security override overhaul: replaces open-ended >= ranges with ^ semver ranges, expands affected version selectors (e.g. tar <=7.5.10 → <7.5.16), and adds new overrides for ws, @babel/core, @grpc/grpc-js, js-yaml, markdown-it, form-data, protobufjs v7, and vite@7 to address the OSV audit report.
apps/ensapi/package.json Bumps all direct @opentelemetry/* stable-line packages (core, resources, sdk-metrics, sdk-trace-base, sdk-trace-node) from ^2.7.1 to ^2.8.0, consistent with the workspace-level override added in package.json.
pnpm-lock.yaml Lock file regenerated in sync with the updated overrides and direct-dependency bumps; all resolved versions reflect the new constraints (protobufjs 8.6.0, esbuild 0.28.1, vite 7.3.5, OTel 2.8.x, etc.).
pnpm-workspace.yaml Updates the catalog vite specifier from ^7.3.2 to ^7.3.5, in line with the new vite security override and hono catalog pin.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant D as Docker Build
    participant FS as Build Context
    participant P as pnpm install
    participant S as skills-npm
    participant L as link-local-skills.mjs

    D->>FS: COPY package.json pnpm-lock.yaml pnpm-workspace.yaml skills-npm.config.ts
    D->>FS: COPY .agents/ .agents/
    D->>FS: COPY packages/ patches/ scripts/
    D->>FS: COPY apps/ensrainbow/package.json
    D->>P: RUN pnpm install --frozen-lockfile
    P-->>P: Install all workspace dependencies
    P->>S: prepare - skills-npm --cwd .
    S-->>S: "Download npm skills into .agents/skills/npm-*"
    S->>L: prepare - node scripts/link-local-skills.mjs
    L-->>L: "Symlink .agents/skills/* into .claude/skills/*"
    P-->>D: Install complete
    D->>FS: COPY apps/ensrainbow/src/ and scripts/

Reviews (1): Last reviewed commit: "Bump related `"@opentelemetry/*` package..."


Copilot AI left a comment

Contributor


Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

@greptile-apps

greptile-apps Bot commented Jun 16, 2026

Contributor

Greptile Summary

This PR addresses an OSV security audit by upgrading transitive dependencies via pnpm overrides (adding @babel/core, @grpc/grpc-js, form-data, js-yaml, markdown-it, ws, and others; updating esbuild, vite, dompurify, protobufjs, tar, etc.) and bumps OpenTelemetry packages in ensapi to 2.8.x. It also fixes the ENSRainbow Docker build by copying skills-npm.config.ts, .agents/, and the repo-level scripts/ directory into the image.

  • Security overrides: Nine new entries added and several existing ones tightened; protobufjs now has separate overrides for the v7 and v8 ranges, and the catalog vite pin is advanced to ^7.3.5 to stay ahead of the new override floor.
  • Dockerfile fix: Three new COPY instructions ensure the AI-tooling config and shared scripts are present before pnpm install runs; the .agents/ directory is empty in the current tree (populated by the prepare hook at install time) so that COPY is a no-op until tracked content lands there.

Confidence Score: 4/5

Safe to merge; changes are scoped to dependency version bumps and a Dockerfile copy fix with no logic changes to application code.

All application logic is untouched — the diff is entirely dependency overrides, a lock file regeneration, and three extra COPY lines in the Dockerfile. The one minor concern is that COPY .agents/ .agents/ currently copies an empty directory, meaning the stated goal of supporting AI tooling in the image is not fully realized until tracked content exists there; the build itself succeeds and runtime behaviour is unaffected.

The apps/ensrainbow/Dockerfile warrants a quick check once PR #2287 lands to confirm .agents/ carries the expected files.

Important Files Changed

Filename Overview
apps/ensrainbow/Dockerfile Adds copies of skills-npm.config.ts, .agents/, and scripts/ to support AI tooling; .agents/ is currently empty in the repo so the COPY adds no files today, though it is harmless.
package.json Adds new pnpm overrides for vulnerable transitive dependencies (@babel/core, @grpc/grpc-js, form-data, js-yaml, markdown-it, ws, etc.) and tightens existing ones; looks correct.
apps/ensapi/package.json Bumps OpenTelemetry core/resources/sdk packages from 2.7.x to 2.8.x to pick up the security fix covered by the @opentelemetry/core@<2.8.0 override.
pnpm-workspace.yaml Bumps catalog vite version from ^7.3.2 to ^7.3.5 to match the new vite@>=7.0.0 <=7.3.4 security override.
pnpm-lock.yaml Lock file regenerated to reflect all package bumps; consistent with the declared overrides and catalog changes.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Docker build context] --> B[COPY package files\npackage.json / pnpm-lock.yaml\npnpm-workspace.yaml\nskills-npm.config.ts]
    A --> C[COPY .agents/ — empty dir]
    A --> D[COPY packages/ patches/ scripts/]
    A --> E[COPY apps/ensrainbow/package.json]
    B & C & D & E --> F[pnpm install --frozen-lockfile\n runs prepare hook:\n  skills-npm populates .agents/skills/\n  link-local-skills.mjs]
    F --> G[COPY app source\nsrc/ scripts/ tsconfig.json vitest.config.ts]
    G --> H[chmod +x download-prebuilt-database.sh]
    H --> I[ENTRYPOINT: pnpm run entrypoint]

    style C fill:#ffe0b2,stroke:#e65100

Reviews (2): Last reviewed commit: "Bump related `"@opentelemetry/*` package..."
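The two dependency-hygiene points raised in the reviews above (open-ended `>=` floors in pnpm.overrides, and @opentelemetry/* packages declared at mismatched ranges) turned into a small manifest checker. This is an added example, not ENSNode project code; the manifest it audits is constructed for illustration rather than taken from the repository.

```javascript
// Added example (not ENSNode project code): audit a package.json manifest for the two
// dependency-hygiene problems raised in this PR's reviews:
//   1. pnpm.overrides whose replacement range is an open-ended ">=" floor, and
//   2. packages in one npm scope (the reviewers' case: @opentelemetry/*) declared at
//      different ranges, which risks version skew in a synchronized release set.
// The manifest below is constructed for illustration, not copied from the repository.

const sampleManifest = {
  dependencies: {
    "@opentelemetry/core": "^2.8.0",
    "@opentelemetry/resources": "^2.7.1",
    "@opentelemetry/sdk-metrics": "^2.7.1",
    hono: "^4.6.0",
  },
  pnpm: {
    overrides: {
      "tar@<7.5.16": "^7.5.16", // bounded caret range: fine
      esbuild: ">=0.25.0", // lower bound only: flagged
      "ws@<8.18.0": "^8.18.0",
    },
  },
};

// True when a range is only a lower bound (">=x.y.z" or ">x.y.z") with no upper bound.
function isOpenEndedFloor(range) {
  return /^>=?\s*\d+(\.\d+){0,2}\s*$/.test(range.trim());
}

function findOpenEndedOverrides(manifest) {
  const overrides = (manifest.pnpm && manifest.pnpm.overrides) || {};
  return Object.entries(overrides)
    .filter(([, range]) => isOpenEndedFloor(range))
    .map(([selector, range]) => ({ selector, range }));
}

// Base version behind a caret/tilde range as numbers ("^2.8.0" -> [2, 8, 0]).
function baseVersion(range) {
  const m = range.match(/(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : [0, 0, 0];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Report every package in `scope` whose range lags behind the newest range declared
// for that scope; the fix suggested in review is to raise the laggards to `expected`.
function findScopeVersionSkew(manifest, scope) {
  const deps = manifest.dependencies || {};
  const members = Object.entries(deps).filter(([name]) => name.startsWith(scope + "/"));
  if (members.length < 2) return [];
  const newest = members
    .map(([, range]) => range)
    .reduce((best, r) => (compareVersions(baseVersion(r), baseVersion(best)) > 0 ? r : best));
  return members
    .filter(([, range]) => range !== newest)
    .map(([name, range]) => ({ name, range, expected: newest }));
}

function auditManifest(manifest, scopes) {
  return {
    openEndedOverrides: findOpenEndedOverrides(manifest),
    versionSkew: scopes.flatMap((scope) => findScopeVersionSkew(manifest, scope)),
  };
}

console.log(JSON.stringify(auditManifest(sampleManifest, ["@opentelemetry"]), null, 2));
```

Run it against a real manifest by replacing `sampleManifest` with `JSON.parse(fs.readFileSync("package.json", "utf8"))`; a non-empty report is a CI-worthy failure condition.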


@lightwalker-eth lightwalker-eth left a comment

Member


@tk-o Thank you! 🫡

@lightwalker-eth lightwalker-eth merged commit 05dacea into main Jun 16, 2026
22 checks passed
@lightwalker-eth lightwalker-eth deleted the fix/ci-workflow-issues branch June 16, 2026 13:45