
Conversation

@tk-o (Contributor) commented Jan 15, 2026

Lite PR


Summary

This PR:

  • Changes the way the Mintlify CLI is linked into the user's system when running locally.
  • Updates relevant docs.

Why

  • Including the mintlify CLI in devDependencies causes multiple dependency audit issues.
Details
❯ pnpm audit --audit-level=low
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ body-parser vulnerable to denial of service when url   │
│                     │ encoding is enabled                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ body-parser                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.20.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.20.3                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>body-parser                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qwcr-r2fm-qrc7      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ path-to-regexp outputs backtracking regular            │
│                     │ expressions                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ path-to-regexp                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.1.10                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.1.10                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>path-to-regexp                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-9wv6-86v2-598j      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ path-to-regexp contains a ReDoS                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ path-to-regexp                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.1.12                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.1.12                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>path-to-regexp                      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rhx6-c78j-4q9w      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ high                │ qs's arrayLimit bypass in its bracket notation allows  │
│                     │ DoS via memory exhaustion                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ qs                                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.14.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.14.1                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>qs                                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-6rw7-vpxm-498p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Denial of service while parsing a tar file due to lack │
│                     │ of folders count validation                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ tar                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.2.1                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.2.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>tar                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-f5x3-32g6-xq36      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Zod denial of service vulnerability                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ zod                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <=3.22.2                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=3.22.3                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ link-rot>@mintlify/scraping>zod                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-m95q-7qp3-xv42      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ js-yaml has prototype pollution in merge (<<)          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ js-yaml                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.1.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>js-yaml       │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mh29-5h37-fv8m      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ Express.js Open Redirect in malformed URLs             │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ express                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.19.2                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.19.2                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-rv95-896h-c2vc      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ serve-static vulnerable to template injection that can │
│                     │ lead to XSS                                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ serve-static                                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <1.16.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=1.16.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>serve-static                        │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-cm22-4g7w-348p      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ express vulnerable to XSS via response.redirect()      │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ express                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <4.20.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.20.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express                                     │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-qw6h-vgh9-j6wx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ cookie accepts cookie name, path, and domain with out  │
│                     │ of bounds characters                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ cookie                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.7.0                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.7.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>cookie                              │
│                     │                                                        │
│                     │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>socket.io>engine.io>cookie                  │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-pxg6-pf52-xh8x      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ send vulnerable to template injection that can lead to │
│                     │ XSS                                                    │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ send                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <0.19.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=0.19.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ previewing>express>send                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-m6fv-jmcg-4jfg      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ jsdiff has a Denial of Service vulnerability in        │
│                     │ parsePatch and applyPatch                              │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ diff                                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <8.0.3                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=8.0.3                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__docs.ensnode.io>mint>@mintlify/cli>@mintlify/    │
│                     │ common>tailwindcss>postcss-load-config>ts-node>diff    │
│                     │                                                        │
│                     │ docs__ensnode.io>astro>diff                            │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-73rr-hh4g-fpgx      │
└─────────────────────┴────────────────────────────────────────────────────────┘
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ low                 │ Undici has an unbounded decompression chain in HTTP    │
│                     │ responses on Node.js Fetch API via Content-Encoding    │
│                     │ leads to resource exhaustion                           │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ undici                                                 │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ <6.23.0                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=6.23.0                                               │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ docs__ensnode.io>astro-icon>@iconify/                  │
│                     │ tools>cheerio>undici                                   │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-g9mf-h72j-4rw9      │
└─────────────────────┴────────────────────────────────────────────────────────┘
16 vulnerabilities found
Severity: 8 low | 4 moderate | 4 high

Testing

  • I ran `pnpm i` to update the pnpm-lock.yaml file and then executed the `pnpm audit --audit-level=moderate` command, with the following result:
3 vulnerabilities found
Severity: 3 low

This means there are no issues of moderate severity or higher.

Notes for Reviewer (Optional)

  • pnpm dlx is a useful method for executing dev scripts/binaries without defining explicit devDependencies.

Checklist

  • This PR does not change runtime behavior or semantics
  • This PR is low-risk and safe to review quickly

Replace devDependency with `pnpm dlx` command.
@tk-o tk-o requested a review from a team as a code owner January 15, 2026 15:47
changeset-bot (bot) commented Jan 15, 2026

🦋 Changeset detected

Latest commit: 73ac244

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 18 packages
Name Type
@docs/mintlify Patch
ensindexer Patch
ensadmin Patch
ensrainbow Patch
ensapi Patch
fallback-ensapi Patch
@ensnode/datasources Patch
@ensnode/ensrainbow-sdk Patch
@ensnode/ponder-metadata Patch
@ensnode/ensnode-schema Patch
@ensnode/ensnode-react Patch
@ensnode/ponder-subgraph Patch
@ensnode/ensnode-sdk Patch
@ensnode/shared-configs Patch
@docs/ensnode Patch
@docs/ensrainbow Patch
@namehash/ens-referrals Patch
@namehash/namehash-ui Patch


vercel (bot) commented Jan 15, 2026


Project            Deployment   Updated (UTC)
admin.ensnode.io   Ready        Jan 15, 2026 4:06pm
ensnode.io         Ready        Jan 15, 2026 4:06pm
ensrainbow.io      Ready        Jan 15, 2026 4:06pm

greptile-apps (bot, Contributor) commented Jan 15, 2026

Greptile Summary

This PR eliminates security vulnerabilities by removing the mintlify package from devDependencies and using pnpm dlx to execute it on-demand instead. Previously, including mintlify as a devDependency brought in 16 vulnerable transitive dependencies (4 high, 4 moderate, 8 low severity), including issues with body-parser, path-to-regexp, qs, tar, zod, js-yaml, express, and others. The new approach uses pnpm dlx mint@^4.1.0 which downloads and executes the CLI temporarily without installing it permanently.

Key changes:

  • Removed mintlify from devDependencies in package.json
  • Changed script from dev: "mintlify dev" to mint: "pnpm dlx mint@^4.1.0"
  • Updated README to reflect new command: pnpm mint dev instead of pnpm dev
  • Simplified troubleshooting section, removing reference to mintlify install
  • Cleaned up pnpm-lock.yaml by removing all mintlify-related entries

After this change, running pnpm audit --audit-level=moderate shows only 3 low-severity issues (down from 16 total), successfully addressing the security concerns while maintaining the same functionality.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it's a straightforward dependency management improvement with no runtime behavior changes
  • The changes are well-contained and focused on removing vulnerable dependencies. The pnpm dlx approach is a standard practice for executing CLI tools without permanent installation. The README documentation is properly updated to reflect the new command. No production code or runtime behavior is affected - this only impacts the local development workflow for documentation. The lock file changes confirm all vulnerable transitive dependencies have been removed.
  • No files require special attention

Important Files Changed

Filename Overview
docs/docs.ensnode.io/package.json Removed mintlify from devDependencies and changed script from dev: "mintlify dev" to mint: "pnpm dlx mint@^4.1.0"
docs/docs.ensnode.io/README.md Updated development instructions to use pnpm mint dev and simplified troubleshooting section
pnpm-lock.yaml Removed all mintlify and its vulnerable transitive dependencies from the lock file

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant PNPM as pnpm
    participant Registry as npm Registry
    participant Mint as mint CLI
    participant Docs as Local Docs Server

    Note over Dev,Docs: Before (with devDependencies)
    Dev->>PNPM: pnpm install
    PNPM->>Registry: Download mintlify + dependencies
    Note right of Registry: Includes vulnerable deps:<br/>body-parser, path-to-regexp,<br/>qs, tar, zod, js-yaml, etc.
    PNPM->>Dev: Install complete
    Dev->>PNPM: pnpm dev
    PNPM->>Mint: mintlify dev
    Mint->>Docs: Start server on :3000

    Note over Dev,Docs: After (with pnpm dlx)
    Dev->>PNPM: pnpm mint dev
    PNPM->>Registry: Download mint@^4.1.0 (temporary)
    Note right of Registry: No install to node_modules<br/>No audit issues
    Registry->>PNPM: Return mint package
    PNPM->>Mint: Execute: mint dev
    Mint->>Docs: Start server on :3000
    Note right of Docs: Same functionality,<br/>cleaner dependencies

greptile-apps (bot, Contributor) left a comment: 1 file reviewed, 1 comment

Also, updates relevant docs.
@tk-o (Contributor, Author) commented Jan 15, 2026

@greptile re-review

greptile-apps (bot, Contributor) commented Jan 15, 2026

Greptile found no issues!

From now on, if a review finishes and we haven't found any issues, we will not post anything, but you can confirm that we reviewed your changes in the status check section.

This feature can be toggled off in your Code Review Settings by deselecting "Create a status check for each PR".

@lightwalker-eth (Member) left a comment:

@tk-o Nice! Looks good to me 😄

@tk-o tk-o merged commit de666e0 into main Jan 15, 2026
16 checks passed
@tk-o tk-o deleted the fix/mintlify-deps-audit-issues branch January 15, 2026 19:25
@github-actions github-actions bot mentioned this pull request Jan 15, 2026