
Fix brace-expansion vuln #112

Merged: cole-h merged 1 commit into main from fix-vuln on Mar 31, 2026

Conversation

lucperkins (Member) commented Mar 31, 2026

Summary by CodeRabbit

  • Chores
    • Optimized development environment with refined tooling configuration and dependency management.
    • Implemented dependency version constraints to ensure consistent builds across the project.
    • Updated code formatter configuration to exclude additional workspace files.

coderabbitai (Bot) commented Mar 31, 2026

📝 Walkthrough

Walkthrough

Configuration updates across three files: adding pnpm-workspace.yaml to Prettier's ignore list, restructuring the Nix flake configuration with modified inputs and outputs, and implementing dependency version override rules for brace-expansion in the pnpm workspace.

Changes

Cohort / File(s): Summary
  • Formatter Ignore Configuration (.prettierignore): Added pnpm-workspace.yaml to Prettier's ignore list alongside existing ignored entries.
  • Nix Flake Configuration (flake.nix): Updated nixpkgs.url from specific tarball to version selector format, refactored outputs function signature to use { self, ... }@inputs pattern, replaced schemas output with new devShells and formatter outputs, modified dev shell packages by removing nixfmt and typescript-language-server, and added per-system formatter output using pkgs.nixfmt.
  • pnpm Dependency Overrides (pnpm-workspace.yaml): Added overrides rules to enforce specific brace-expansion version resolution: versions <1.1.13 resolve to >=1.1.13, and versions in >=2.0.0,<2.0.3 range resolve to >=2.0.3.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Through prettier paths I hop with glee,
Nix flakes reformatted, you see!
Versions of brace-expansion aligned,
Configuration refined and designed,
Clean code gardens, rabbit-inspected! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title 'Fix brace-expansion vuln' is directly related to the main change in the PR, which addresses a brace-expansion vulnerability through dependency version pinning in pnpm-workspace.yaml.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
.prettierignore (1)

5-5: Consider keeping pnpm-workspace.yaml under Prettier formatting.

Ignoring this config file is not wrong, but keeping it formatted usually improves consistency for dependency-policy edits.

Optional cleanup
 dist/
 lib/
 node_modules/
 pnpm-lock.yaml
-pnpm-workspace.yaml
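Review bot: Dropping the ignore entry means Prettier will now rewrite pnpm-workspace.yaml, whose override keys (`brace-expansion@<1.1.13`, `brace-expansion@>=2.0.0 <2.0.3`) contain `@`, `<`, `>` and a space; after the first formatter pass, confirm the keys are unchanged and that the versions recorded in pnpm-lock.yaml are the same as before, because a key that pnpm no longer matches would silently leave the vulnerable range in place.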
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.prettierignore at line 5, the .prettierignore currently excludes
pnpm-workspace.yaml, which prevents Prettier from formatting that config; open
the .prettierignore file and remove the "pnpm-workspace.yaml" entry so Prettier
will include and format the workspace manifest, then run your formatter (or a
repo-wide Prettier pass) to apply consistent formatting to pnpm-workspace.yaml.
pnpm-workspace.yaml (1)

1-3: Use exact patch-level override targets to reduce regression risk.

The override rules are designed to protect against specific vulnerable ranges, but open-ended targets (>=1.1.13, >=2.0.3) could allow unexpected major version jumps beyond the patched versions. For security-focused remediation, pinning to exact patch versions is the safer approach.

Proposed safer override pinning
 overrides:
-  brace-expansion@<1.1.13: ">=1.1.13"
-  brace-expansion@>=2.0.0 <2.0.3: ">=2.0.3"
+  brace-expansion@<1.1.13: "1.1.13"
+  brace-expansion@>=2.0.0 <2.0.3: "2.0.3"
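Review bot: Exact pins `1.1.13` and `2.0.3` address the open-ended-range concern but also block any later patch release on those lines, so a future brace-expansion fix would need this file edited again; a tilde range (`~1.1.13`, `~2.0.3`) keeps resolution inside the same minor line while still excluding every version below the patched one. Whichever form is chosen, the resolved versions should be confirmed in pnpm-lock.yaml and in dist/index.js, since the bundled output (excluded from this review by path filter) is what actually ships.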
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pnpm-workspace.yaml` around lines 1 - 3, the override entries for
brace-expansion currently use open-ended targets (the keys
"brace-expansion@<1.1.13" and "brace-expansion@>=2.0.0 <2.0.3" in the overrides
block), which can permit unintended version ranges; change each override to pin
to a specific patched patch version (e.g., replace the open-ended values like
">=1.1.13" and ">=2.0.3" with the exact patch versions you intend to enforce) so
the overrides map a single concrete version for brace-expansion rather than a
range.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 53d04f73-e656-412b-8815-234f59c8e848

📥 Commits

Reviewing files that changed from the base of the PR and between 2e32b6d and 45a7185.

⛔ Files ignored due to path filters (3)
  • dist/index.js is excluded by !**/dist/**
  • flake.lock is excluded by !**/*.lock
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (3)
  • .prettierignore
  • flake.nix
  • pnpm-workspace.yaml
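A check a maintainer can run after a change like this one, added here as an example that is not part of the PR or the repository: it scans a pnpm-lock.yaml for every resolved brace-expansion version and flags those still inside the two ranges the overrides target. The lockfile excerpt is constructed, and the regex assumes the `name@version` package-key layout of pnpm lockfiles (an optional leading `/` and a peer-dependency suffix in parentheses are tolerated).

```python
import re

# Constructed pnpm-lock.yaml excerpt (not the repository's real lockfile).
SAMPLE_LOCK = """\
lockfileVersion: '9.0'
packages:
  brace-expansion@1.1.11:
    resolution: {integrity: sha512-constructed}
  brace-expansion@1.1.13:
    resolution: {integrity: sha512-constructed}
  brace-expansion@2.0.1:
    resolution: {integrity: sha512-constructed}
  brace-expansion@2.0.3:
    resolution: {integrity: sha512-constructed}
  minimatch@3.1.2:
    resolution: {integrity: sha512-constructed}
"""

# Vulnerable ranges exactly as the PR's overrides express them:
# "<1.1.13" and ">=2.0.0 <2.0.3", stored as half-open [lo, hi) tuples.
VULNERABLE_RANGES = [((0, 0, 0), (1, 1, 13)), ((2, 0, 0), (2, 0, 3))]

# Matches package keys such as "brace-expansion@1.1.11:" or
# "/brace-expansion@2.0.1(peer@1.0.0):"; only numeric x.y.z versions are handled.
PKG_KEY = re.compile(r"^\s*/?brace-expansion@(\d+\.\d+\.\d+)(?:\(|:)")


def parse_version(version):
    """Turn 'x.y.z' into a comparable integer tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version):
    """True when the version falls inside one of the override-targeted ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def find_brace_expansion_versions(lock_text):
    """Collect every brace-expansion version keyed in the packages section."""
    return [m.group(1) for line in lock_text.splitlines()
            if (m := PKG_KEY.match(line))]


def audit(lock_text):
    """Return sorted (version, vulnerable) pairs for each distinct resolved version."""
    versions = sorted(set(find_brace_expansion_versions(lock_text)), key=parse_version)
    return [(v, is_vulnerable(v)) for v in versions]
```

Any entry reported as vulnerable after `pnpm install` means the override key did not match that dependency path and the lockfile still pulls an unpatched release.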

@cole-h cole-h merged commit fd11c50 into main Mar 31, 2026
7 checks passed
@cole-h cole-h deleted the fix-vuln branch March 31, 2026 14:07
@coderabbitai coderabbitai Bot mentioned this pull request Apr 15, 2026