[Snyk] Fix for 3 vulnerabilities#28
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15869625
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759
- https://snyk.io/vuln/SNYK-JS-LODASH-15869619
✅ Snyk checks have passed. No issues have been found so far.
Review the following changes in direct dependencies.
| "@typegoose/typegoose": "^11.7.1", | ||
| "dotenv": "^16.3.1", | ||
| "glob": "^10.3.10", | ||
| "glob": "^12.0.0", |
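Review bot: the bump from `"glob": "^10.3.10"` to `"glob": "^12.0.0"` crosses two major versions, but none of the three advisories in the PR description is a glob advisory; the one glob-related advisory is SNYK-JS-BRACEEXPANSION-15789759, and brace-expansion reaches this project transitively (glob depends on minimatch, which depends on brace-expansion). Before accepting a two-major jump, check whether the patched brace-expansion can be obtained on the existing glob line (a 10.x release that already pulls the fixed minimatch, or a Yarn `resolutions` entry for brace-expansion); if the major bump is kept, the `engines` field in package.json has to move together with it in the same PR rather than in a follow-up.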
🔴 glob v12 requires Node >=20 but project builds and runs on Node 18
Upgrading glob from ^10.3.10 to ^12.0.0 introduces a Node.js version incompatibility. glob@12.0.0 declares engines: { node: '20 || >=22' }, but the project's Dockerfile (Dockerfile:1 and Dockerfile:14) uses node:18-alpine for both build and runtime stages, and package.json:50 declares "node": ">=18.0.0". glob v12 uses Node 20+ features internally, so import { glob } from 'glob' at src/utils/register-model.ts:4 will likely fail at runtime on Node 18 with syntax or API errors, breaking model registration and application startup.
Prompt for agents
The glob package was bumped from ^10.3.10 to ^12.0.0, but glob v12 requires Node.js 20 or >=22. The project currently targets Node 18 (see Dockerfile lines 1 and 14 using node:18-alpine, and package.json engines field specifying >=18.0.0). There are two possible fixes:
1. Revert glob to a version compatible with Node 18 (e.g. keep ^10.3.10, or use ^11.x which also supports Node 18).
2. Upgrade the Node.js version across the project: update the Dockerfile FROM lines to node:20-alpine (or higher), and update the engines field in package.json to >=20.0.0.
The glob import is used in src/utils/register-model.ts:4 and called at line 12.
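The comment above hinges on one question: does the lowest Node version the project promises to support (from its own `engines` field) fall inside the `engines.node` range a dependency declares? The following is an added example, not code from the PR, from Snyk, from Cursor or from the project: a dependency-free Node script that evaluates the small subset of semver range syntax that actually appears in `engines` fields on this page (comparators, bare majors such as `20`, and `||` alternatives) and lists every dependency whose range excludes the project's minimum. The project range `>=18.0.0` and the glob@12 range `20 || >=22` are taken from the thread; the other dependency ranges in the sample table are assumptions for illustration.

```javascript
// Added example, not part of the PR or the project. Minimal engines check:
// does the project's lowest supported Node version satisfy each
// dependency's engines.node range? Handles the range forms seen in this
// thread only (>=, >, <=, <, =, bare majors like "20", and "||"); caret
// and tilde ranges are rejected instead of guessed at.

function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator (">=18.0.0") or bare version ("20") -> predicate on a version triple.
function parseComparator(c) {
  const m = /^(>=|<=|>|<|=)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(c.trim());
  if (!m) throw new Error(`unsupported comparator: ${c}`);
  const [, op, maj, min, pat] = m;
  const base = [Number(maj), Number(min || 0), Number(pat || 0)];
  if (!op) {
    // Bare "20" means any 20.x.y, "20.1" any 20.1.y, "20.1.3" exactly that.
    let upper;
    if (min === undefined) upper = [base[0] + 1, 0, 0];
    else if (pat === undefined) upper = [base[0], base[1] + 1, 0];
    else return (v) => compare(v, base) === 0;
    return (v) => compare(v, base) >= 0 && compare(v, upper) < 0;
  }
  return {
    '>=': (v) => compare(v, base) >= 0,
    '<=': (v) => compare(v, base) <= 0,
    '>': (v) => compare(v, base) > 0,
    '<': (v) => compare(v, base) < 0,
    '=': (v) => compare(v, base) === 0,
  }[op];
}

// A range is "||"-separated alternatives; each alternative is a space-separated AND.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).map(parseComparator).every((p) => p(v)),
  );
}

// Lowest version the project's own engines range admits: the smallest ">=" / "="
// / bare lower bound across alternatives. Ranges with no lower bound are rejected.
function minimumVersion(range) {
  const bounds = [];
  for (const alt of range.split('||')) {
    for (const c of alt.trim().split(/\s+/).filter(Boolean)) {
      const m = /^(>=|=)?\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(c);
      if (m) bounds.push([Number(m[2]), Number(m[3] || 0), Number(m[4] || 0)]);
    }
  }
  if (bounds.length === 0) throw new Error(`no lower bound in range: ${range}`);
  return bounds.sort(compare)[0];
}

// Dependencies whose engines.node range excludes the project's minimum Node.
function findEngineConflicts(projectEngines, deps) {
  const nodeVersion = minimumVersion(projectEngines).join('.');
  return Object.entries(deps)
    .filter(([, range]) => !satisfies(nodeVersion, range))
    .map(([name, range]) => ({ name, range, nodeVersion }));
}

// Constructed inputs. The project range and the glob@12 range are the figures
// quoted in the review thread; the other two entries are assumptions.
const PROJECT_ENGINES = '>=18.0.0';
const DEP_ENGINES = {
  glob: '20 || >=22',
  dotenv: '>=12',            // assumed, not read from the lockfile
  'hypothetical-lib': '>=18', // hypothetical entry that should pass
};

function report(projectEngines, deps) {
  return findEngineConflicts(projectEngines, deps).map(
    (c) => `${c.name}: engines "${c.range}" excludes Node ${c.nodeVersion}`,
  );
}

console.log(report(PROJECT_ENGINES, DEP_ENGINES).join('\n') || 'no engine conflicts');
```

In a real repository the `deps` table would be built by reading `engines.node` from each `node_modules/<name>/package.json`; the point of the script is that the check can run in CI against the project's own `engines` field, so a bot-generated bump like this one fails before it reaches a Node 18 container rather than at application startup.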
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| "@typegoose/typegoose": "^11.7.1", | ||
| "dotenv": "^16.3.1", | ||
| "glob": "^10.3.10", | ||
| "glob": "^12.0.0", |
Glob v12 incompatible with project's Node.js 18 minimum
High Severity
Upgrading glob from ^10.3.10 to ^12.0.0 introduces a Node.js version incompatibility. glob v11+ requires Node.js 20 or higher, but the project's engines field declares "node": ">=18.0.0". This means the application will fail at install time or runtime for anyone using Node.js 18.x, which the project explicitly supports.
| __metadata: | ||
| version: 8 | ||
| version: 6 |
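Review bot: `version: 8` to `version: 6` in the `__metadata` block means the lockfile was rewritten by a different Yarn major than the `yarn@4.0.2` pinned in package.json's `packageManager`, so the change to yarn.lock should not be merged as-is. Regenerate it with the pinned Yarn (for example through Corepack, which honours `packageManager`) so that the metadata version stays 8 and only the dependency entries change; otherwise the next `yarn install` under Yarn 4 will rewrite the lockfile again and the diff reviewed here will not be what ships.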
yarn.lock metadata version downgraded from 8 to 6
Medium Severity
The yarn.lock metadata version was changed from 8 to 6. Version 8 is the lockfile format for Yarn 4 (the project uses "packageManager": "yarn@4.0.2"), while version 6 corresponds to Yarn 3. This indicates the Snyk bot regenerated the lockfile with an incompatible Yarn version, which can cause cache mismatches, resolution inconsistencies, or unexpected behavior with Yarn 4.
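The lockfile downgrade flagged above is easy to catch mechanically: the Yarn major is pinned in `packageManager`, and the lockfile records which format wrote it in `__metadata.version`. The script below is an added example, not code from the PR, from Cursor, from Snyk or from the project. It reads both values and reports a mismatch. The only mapping it knows is the one stated in the comment above (Yarn 4 writes version 8, Yarn 3 writes version 6); any other Yarn major is reported as unknown rather than guessed. The two lockfile snippets are constructed to mirror the before/after state shown in the diff, including a plausible `cacheKey` line, and are not copied from the project's yarn.lock.

```javascript
// Added example, not part of the PR or the project: verify that yarn.lock was
// written by the Yarn major pinned in package.json "packageManager".
// Mapping taken from the review comment (Yarn 4 -> 8, Yarn 3 -> 6); other
// majors are deliberately left out and surface as "unknown".
const LOCKFILE_VERSION_BY_YARN_MAJOR = { 3: 6, 4: 8 };

function yarnMajorFromPackageJson(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const m = /^yarn@(\d+)\.(\d+)\.(\d+)/.exec(pkg.packageManager || '');
  if (!m) throw new Error('packageManager does not pin a Yarn version');
  return Number(m[1]);
}

// Berry lockfiles open with a YAML block:
//   __metadata:
//     version: 8
//     cacheKey: 10c0
// Walk the indented lines under "__metadata:" and pick out "version:".
function lockfileMetadataVersion(yarnLockText) {
  const lines = yarnLockText.split('\n');
  const start = lines.findIndex((l) => l.trim() === '__metadata:');
  if (start === -1) throw new Error('no __metadata block; not a Yarn berry lockfile');
  for (let i = start + 1; i < lines.length && /^\s+\S/.test(lines[i]); i++) {
    const m = /^\s+version:\s*(\d+)\s*$/.exec(lines[i]);
    if (m) return Number(m[1]);
  }
  throw new Error('__metadata block has no version entry');
}

function checkLockfileMatchesPackageManager(pkgJsonText, yarnLockText) {
  const yarnMajor = yarnMajorFromPackageJson(pkgJsonText);
  const actual = lockfileMetadataVersion(yarnLockText);
  const expected = LOCKFILE_VERSION_BY_YARN_MAJOR[yarnMajor];
  if (expected === undefined) return { ok: null, yarnMajor, actual, expected: null };
  return { ok: actual === expected, yarnMajor, actual, expected };
}

// Constructed inputs modelled on the thread: packageManager yarn@4.0.2, and a
// lockfile header before (version 8) and after (version 6) the bot's rewrite.
const PACKAGE_JSON = JSON.stringify({ name: 'app', packageManager: 'yarn@4.0.2' });

const YARN_LOCK_BEFORE = [
  '# This file is generated by running "yarn install" inside your project.',
  '# Manual changes might be lost - proceed with caution!',
  '',
  '__metadata:',
  '  version: 8',
  '  cacheKey: 10c0',
  '',
  '"glob@npm:^10.3.10":',
  '  version: 10.3.10',
].join('\n');

const YARN_LOCK_AFTER = [
  '# This file is generated by running "yarn install" inside your project.',
  '# Manual changes might be lost - proceed with caution!',
  '',
  '__metadata:',
  '  version: 6',
  '  cacheKey: 8',
  '',
  '"glob@npm:^12.0.0":',
  '  version: 12.0.0',
].join('\n');

function describe(result) {
  if (result.ok === null) return `no known lockfile version for Yarn ${result.yarnMajor}`;
  return result.ok
    ? `ok: yarn.lock version ${result.actual} matches Yarn ${result.yarnMajor}`
    : `mismatch: yarn.lock version ${result.actual}, Yarn ${result.yarnMajor} expects ${result.expected}`;
}

console.log(describe(checkLockfileMatchesPackageManager(PACKAGE_JSON, YARN_LOCK_BEFORE)));
console.log(describe(checkLockfileMatchesPackageManager(PACKAGE_JSON, YARN_LOCK_AFTER)));
```

Run as a pre-merge check with the real `package.json` and `yarn.lock` contents substituted for the constructed strings, it turns the "medium severity" finding above into a failing status on any PR, bot-authored or not, whose lockfile was regenerated with the wrong Yarn.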


Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
- package.json
- yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15869625
SNYK-JS-BRACEEXPANSION-15789759
SNYK-JS-LODASH-15869619
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Arbitrary Code Injection
Note
Medium Risk
Dependency upgrades include a major bump of glob (v10→v12) and a lodash version change, which could introduce runtime or tooling incompatibilities despite being security-motivated.
Overview
Updates production dependencies to remediate reported Snyk issues by upgrading glob to ^12.0.0 and lodash to ^4.18.1. Regenerates yarn.lock to reflect the new transitive dependency graph (notably new glob@12-related packages and updated lockfile metadata).
Written by Cursor Bugbot for commit 640f2de.