All 3 open dependabot alerts on main trace to a single stale file:
pnpm-lock.yaml (2026-05-07), which lists outdated transitive versions.
The repo doesn't use pnpm — no workflow, husky hook, package script, or
packageManager field references it.

| # | Severity | Package | Locked | Patched | Lockfile |
|---|---|---|---|---|---|
| 105 | HIGH | fast-uri | 3.1.0 | ≥ 3.1.2 | pnpm-lock.yaml |
| 100 | HIGH | fast-uri | 3.1.0 | ≥ 3.1.1 | pnpm-lock.yaml |
| 91 | MED | ip-address | 10.1.0 | ≥ 10.1.1 | pnpm-lock.yaml |
package-lock.json (npm, recently modified) has fast-uri 3.1.2 and
ip-address 10.2.0 — both above the patched floors. The actual
node_modules/ shipped to dev machines and CI runners is fine.

Dependabot scans both lockfiles independently. The dead pnpm-lock.yaml is
the only thing keeping the alerts open.

| Surface | References pnpm? |
|---|---|
| .github/workflows/*.yml | ✅ no matches |
| .husky/* | ✅ no matches |
| scripts/*, bin/* | ✅ no matches |
| package.json (packageManager field) | ✅ absent |
| .npmrc, .pnpmrc | ✅ absent |

`git rm pnpm-lock.yaml` → all 3 alerts auto-close on next dependabot scan.
No code change. No build change. No CI change.
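The version comparison behind the table above, as an added stand-alone check (not code from this repo): it pulls locked versions out of both lockfile formats and reports which ones sit below the patched floors, so the same check can be rerun on the real files before the `git rm`. The lockfile excerpts are constructed, with placeholder integrity hashes, and the floors are the ones from the alerts.

```python
import json
import re

# Patched floors from the three open alerts above (the ">= x.y.z" column).
PATCHED_FLOORS = {"fast-uri": "3.1.2", "ip-address": "10.1.1"}

# Constructed, minimal lockfile excerpts mirroring the versions in the alerts
# (not copied from the repository; integrity hashes are placeholders).
PNPM_LOCK = """lockfileVersion: '9.0'
packages:
  fast-uri@3.1.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  ip-address@10.1.0:
    resolution: {integrity: sha512-PLACEHOLDER}
"""
NPM_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/fast-uri": {"version": "3.1.2"},
    "node_modules/ip-address": {"version": "10.2.0"},
}})


def pnpm_versions(text):
    """name -> locked version from the `packages:` section of a v9 pnpm-lock.yaml (keys look like `  name@version:`)."""
    out, in_packages = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():      # top-level key: enter/leave `packages:`
            in_packages = line.rstrip() == "packages:"
            continue
        m = re.match(r"^  (@?[^@\s]+)@([^:\s(]+)", line) if in_packages else None
        if m:
            out[m.group(1)] = m.group(2)     # scoped names keep their leading @
    return out


def npm_versions(text):
    """name -> locked version from package-lock.json (lockfileVersion 2/3 `packages` map); nested paths resolve to the innermost name."""
    out = {}
    for path, meta in json.loads(text)["packages"].items():
        if "node_modules/" in path and "version" in meta:
            out[path.rsplit("node_modules/", 1)[1]] = meta["version"]
    return out


def vtuple(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))  # "10.1.0" -> (10, 1, 0)


def below_floor(locked, floors=PATCHED_FLOORS):
    """Packages whose locked version is older than the patched floor; {} means the lockfile is clean."""
    return {n: v for n, v in locked.items() if n in floors and vtuple(v) < vtuple(floors[n])}
```

Run against the real files, `below_floor(pnpm_versions(open("pnpm-lock.yaml").read()))` should list both packages and `below_floor(npm_versions(open("package-lock.json").read()))` should come back empty.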