fix(deps): replace tailwind-merge aliases with peer dependency#1675
Rishikesh183 wants to merge 1 commit into
tailwind-merge-v2 and tailwind-merge-v3 are malicious packages on npm (GHSA-53q4-wj32-3vv9, GHSA-3679-84c2-v5xm). Using them as npm aliases caused security scanners to flag downstream projects even though the malicious packages were never installed. Replace both aliased deps with a single tailwind-merge peer dependency. Users install the version matching their Tailwind CSS (^2 for TW3, ^3 for TW4). BREAKING CHANGE: tailwind-merge must now be installed explicitly.
Walkthrough (CodeRabbit): The PR removes versioned tailwind-merge package aliases from dependencies and adds tailwind-merge as a peer dependency supporting both v2 and v3. The twMerge helper is refactored to use a single extendTailwindMerge implementation and simplified caching by prefix only, eliminating version-detection logic.
Summary
- Removed `tailwind-merge-v2` and `tailwind-merge-v3` aliased dependencies from `packages/ui/package.json`
- Added `tailwind-merge` as a peer dependency (`^2 || ^3`)
- Updated `src/helpers/tailwind-merge.ts` to import from `tailwind-merge` directly

Motivation
`tailwind-merge-v2` and `tailwind-merge-v3` are malicious packages on the npm registry (GHSA-53q4-wj32-3vv9, GHSA-3679-84c2-v5xm). Although npm aliases prevented the malicious packages from ever being installed, security scanners (GitHub Advanced Security, npm audit) read the package names from `package.json` and flag any downstream project that uses flowbite-react — blocking PRs in corporate environments.

Fixes the concern raised in #1665.
Breaking change
`tailwind-merge` must now be installed explicitly:

    npm install tailwind-merge@^2

or

    npm install tailwind-merge@^3
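To make the scanner behaviour described in the Motivation concrete, here is an added example (not code from this PR or from flowbite-react) that contrasts a name-based check, which matches on the dependency key in package.json, with a resolution-aware check that follows the `npm:` alias to the package actually installed. The dependency blocks and the advisory table are constructed from the names and GHSA ids quoted above; the function names are my own.

```javascript
// Constructed dependency block mirroring the pre-PR layout: the keys are the
// advisory-listed names, while the "npm:" specs resolve to benign tailwind-merge.
const BEFORE = {
  dependencies: {
    "tailwind-merge-v2": "npm:tailwind-merge@^2",
    "tailwind-merge-v3": "npm:tailwind-merge@^3",
  },
  peerDependencies: {},
};

// Constructed layout after the PR: one peer dependency, no aliases.
const AFTER = {
  dependencies: {},
  peerDependencies: { "tailwind-merge": "^2 || ^3" },
};

// Advisory table built from the identifiers quoted in the PR description.
const ADVISORIES = {
  "tailwind-merge-v2": "GHSA-53q4-wj32-3vv9",
  "tailwind-merge-v3": "GHSA-3679-84c2-v5xm",
};

// Resolve an npm alias spec ("npm:<name>@<range>", scoped names included) to the
// package that is really fetched; a plain range resolves to the key itself.
function resolveSpec(key, spec) {
  const m = /^npm:((?:@[^/]+\/)?[^@]+)(?:@(.+))?$/.exec(spec);
  return m ? { name: m[1], range: m[2] ?? "*" } : { name: key, range: spec };
}

// byKey: what a name-based scanner reports (flags the alias keys).
// byResolved: what a resolution-aware check reports (nothing for the aliases).
function scan(pkg) {
  const findings = { byKey: [], byResolved: [] };
  for (const section of ["dependencies", "peerDependencies"]) {
    for (const [key, spec] of Object.entries(pkg[section] ?? {})) {
      const resolved = resolveSpec(key, spec);
      if (ADVISORIES[key]) findings.byKey.push({ key, advisory: ADVISORIES[key] });
      if (ADVISORIES[resolved.name]) findings.byResolved.push({ key, name: resolved.name });
    }
  }
  return findings;
}

console.log(JSON.stringify(scan(BEFORE)), JSON.stringify(scan(AFTER)));
```

Running it shows two findings by key and none by resolved name for the old layout, and none at all for the new one, which is exactly the false positive the PR removes.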