OfficeDev · jekloudaMSFT · Mar 11, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 23, 2026
@@ -115,6 +115,7 @@
   "pnpm": {
     "overrides": {
       "@azure/identity": ">=4.2.1",
+      "basic-ftp": ">=5.2.0",
       "cookie": ">=0.7.0",
       "cross-spawn": ">=7.0.5",
       "dns-packet": "^1.3.2",
@@ -147,6 +148,7 @@
     },
     "overrides-explanation": {
       "WHAT IS THIS SECTION": "pnpm ignores this section and comments aren't allowed in JSON files. This section documents why the above overrides have been put in place. If you add an override, describe it in this section.",
+      "basic-ftp": "There is a vulnerability with basic-ftp versions less than 5.2.0. This package is consumed by @size-limit/preset-big-lib.",
       "cookie": "There is a vulnerability with cookie versions less than 0.7.0. This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
       "cross-spawn": "There is a vulnerability with cross-spawn versions less than 7.0.5 This package is currently being consumed in @types/webpack and needs to be updated there. For now we will override this until that is fixed.",
       "express": "There is a vulnerability in older versions of the express package that is consumed by webpack-dev-server, this has been patched in a later version of express that webpack-dev-server has not updated yet. Once they update this package, we can remove this override",