[Snyk] Security upgrade react-router from 7.14.2 to 7.15.0#168
kagan-agent wants to merge 1 commit into
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-REACTROUTER-17138701
Greptile Summary
This PR updates the web app's React Router dependency. The main change is:
Confidence Score: 4/5
This should be fixed before merging.
| Filename | Overview |
|---|---|
| packages/web/package.json | Updates the declared react-router dependency, but the matching pnpm lockfile entry was not changed. |
### Issue 1 of 1
packages/web/package.json:39
**Lockfile still pins old router** The manifest now asks for `react-router` `^7.15.0`, but the tracked `pnpm-lock.yaml` was not updated and still resolves the web package to `react-router` `7.14.2`. With frozen pnpm installs, this can fail because the manifest and lockfile disagree; without a frozen install, the deployed dependency still comes from an uncommitted lockfile update, so this PR does not reliably apply the security upgrade.
Last reviewed commit: "fix: packages/web/package.json to reduce..."
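A check a CI job could run to catch the drift Greptile describes, added here as an illustration; it is not Greptile's, Snyk's or the project's own tooling. The manifest entry mirrors this PR's change. The pnpm-lock.yaml excerpts are constructed (the peer-dependency suffixes and the react-hook-form entry are made up), the parser relies on pnpm's fixed two-space indentation for the importers section, and the range matcher understands only exact, `^` and `~` specifiers, which is an assumption that happens to suffice for this manifest.

```python
import re

# Constructed inputs (not the project's real files): the manifest entry after this
# PR's change, and a pnpm-lock.yaml (v9 layout) excerpt that was NOT regenerated.
MANIFEST_DEPS = {"react-router": "^7.15.0"}
IMPORTER = "packages/web"
FIXED_VERSION = "7.15.0"  # lowest version the Snyk advisory is fixed in
STALE_LOCKFILE = """\
lockfileVersion: '9.0'
importers:
  packages/web:
    dependencies:
      react-hook-form:
        specifier: ^7.72.1
        version: 7.72.1(react@19.1.0)
      react-router:
        specifier: ^7.14.1
        version: 7.14.2(react-dom@19.1.0)(react@19.1.0)
"""
# Same excerpt after `pnpm install` regenerated the lockfile (also constructed).
UPDATED_LOCKFILE = STALE_LOCKFILE.replace("specifier: ^7.14.1", "specifier: ^7.15.0") \
                                 .replace("version: 7.14.2(", "version: 7.15.0(")


def parse_version(text):
    """'7.14.2(react@19.1.0)' -> (7, 14, 2); None for link:/file: style entries."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def satisfies(version, specifier):
    """Minimal semver check for exact, ^ and ~ specifiers (assumption: no other operators)."""
    v = parse_version(version)
    lo = parse_version(specifier.lstrip("^~"))
    if v is None or lo is None:
        return False
    if specifier.startswith("^"):
        hi = (lo[0] + 1, 0, 0) if lo[0] > 0 else (0, lo[1] + 1, 0)
    elif specifier.startswith("~"):
        hi = (lo[0], lo[1] + 1, 0)
    else:
        return v == lo
    return lo <= v < hi


def parse_importer(lock_text, importer):
    """Return {dep: {'specifier': ..., 'version': ...}} for one importer block.

    Relies on pnpm's indentation: importer path at indent 2, the
    dependencies/devDependencies key at 4, dependency names at 6, fields at 8.
    """
    deps, in_importer, current = {}, False, None
    for line in lock_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip("'\""), value.strip().strip("'\"")
        if indent == 2:
            in_importer, current = (key == importer), None
        elif in_importer and indent == 6:
            current = key
            deps[current] = {}
        elif in_importer and indent == 8 and current:
            deps[current][key] = value
    return deps


def check_dependency(name, manifest_deps, lock_text, importer, fixed_version):
    """Return a list of findings; an empty list means manifest, lockfile and fix agree."""
    want = manifest_deps[name]
    entry = parse_importer(lock_text, importer).get(name)
    if entry is None:
        return [f"{name}: not present under importer {importer} in lockfile"]
    spec, ver = entry.get("specifier", ""), entry.get("version", "")
    findings = []
    if spec != want:
        findings.append(f"{name}: manifest specifier {want} != lockfile specifier {spec} "
                        "(pnpm install --frozen-lockfile will refuse to install)")
    if not satisfies(ver, want):
        findings.append(f"{name}: locked {ver} does not satisfy {want}")
    locked = parse_version(ver)
    if locked is None or locked < parse_version(fixed_version):
        findings.append(f"{name}: locked {ver} is below fixed version {fixed_version}")
    return findings


if __name__ == "__main__":
    for label, text in (("stale", STALE_LOCKFILE), ("updated", UPDATED_LOCKFILE)):
        result = check_dependency("react-router", MANIFEST_DEPS, text, IMPORTER, FIXED_VERSION)
        print(label, "->", result or "OK")
```

Against the stale excerpt the check reports all three problems (specifier mismatch, locked version outside the new range, locked version below the fix); against the regenerated excerpt it reports nothing, which is the state this PR should be in before merging.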
| "react-hook-form": "^7.72.1", | ||
| "react-resizable-panels": "^4.10.0", | ||
| "react-router": "^7.14.1", | ||
| "react-router": "^7.15.0", |
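Review bot: pnpm-lock.yaml is not touched anywhere in this PR, so the version that actually gets installed is still whatever the committed lockfile resolves for packages/web (7.14.2 per the summary table), and `pnpm install --frozen-lockfile` will refuse to install because the manifest specifier `^7.15.0` no longer matches the lockfile's specifier. Regenerate the lockfile against the new manifest (for example `pnpm update react-router` in packages/web, or a plain `pnpm install`) and commit `pnpm-lock.yaml` in the same PR. Note also that the old range `^7.14.1` already admitted 7.15.0 under semver, so the lockfile refresh, not this one-line manifest edit, is what applies the security upgrade.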
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
- packages/web/package.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-REACTROUTER-17138701
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling