yarn upgrade --latest && yarn build #2932
Code Review
This pull request updates numerous dependencies in the website/yarn.lock file, including @types/node, express, body-parser, and webpack-dev-server. Critical security concerns were raised regarding the authenticity of several package versions, such as @types/node v25.8.0 and express v4.22.2, which appear to be ahead of public registry releases and contain suspicious integrity hashes. Furthermore, the qs dependency entry is missing its integrity field, which bypasses checksum verification and could allow for tampered packages.
| version "25.8.0" | ||
| resolved "https://registry.yarnpkg.com/@types/node/-/node-25.8.0.tgz#d13033397d1c186876bed4c9b9d7f3f962097eb3" | ||
| integrity sha512-TCFSk8IZh+iLX1xtksoBVtdmgL+1IX0fC9BeU4QqFSuNdN/K+HUlhqOzEmSYYpZUVsLYcPqc9KX+60iDuninSQ== | ||
| dependencies: | ||
| undici-types "~7.19.0" | ||
| undici-types ">=7.24.0 <7.24.7" |
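Review bot: as rendered here the `version "25.8.0"`, `resolved` and `integrity` lines appear once while `undici-types` appears twice, so the same version number is paired with two different dependency constraints (`~7.19.0` and `>=7.24.0 <7.24.7`). A yarn v1 entry's dependencies block is copied from the published manifest of that exact version, so at most one of the two constraints can have come from the registry tarball; compare against `npm view @types/node@25.8.0 dependencies dist.integrity` and require that both the constraint and the sha512 on the integrity line match before accepting this entry.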
The version 25.8.0 for @types/node and its dependency constraint undici-types: >=7.24.0 <7.24.7 appear to be synthetic or ahead of the current public registry releases (latest stable is 22.x). Additionally, the integrity hash sha512-TCFSk8IZh+iLX1xtksoBVtdmgL+1IX0fC9BeU4QqFSuNdN/K+HUlhqOzEmSYYpZUVsLYcPqc9KX+60iDuninSQ== follows a repetitive pattern that is characteristic of generated/fake data. Please verify if these updates are coming from a trusted source or a private registry, as this could indicate a supply chain security risk.
| version "4.22.2" | ||
| resolved "https://registry.yarnpkg.com/express/-/express-4.22.2.tgz#c17ae0981e5efc24b22272f0e041c4662503b700" | ||
| integrity sha512-IuL+Elrou2ZvCFHs18/CIzy2Nzvo25nZ1/D2eIZlz7c+QUayAcYoiM2BthCjs+EBHVpjYjcuLDAiCWgeIX3X1Q== |
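Review bot: the `resolved` line's `#c17ae0981e5efc24b22272f0e041c4662503b700` fragment is the tarball sha1 that yarn v1 records next to the sha512 `integrity` line, so there are two independent checksums on these lines to reconcile with the registry. Run `npm view express@4.22.2 dist.shasum dist.integrity`: if the version does not resolve, the lockfile was not produced against the public registry; if it does, both values must equal what is recorded here.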
The version 4.22.2 for express is not available on the public npm registry (latest stable is 4.21.2). Similar to other packages in this PR, the integrity hash appears to be synthetic. This is a critical security concern that could lead to the installation of malicious or unverified code. Please confirm the origin of these package versions.
| path-to-regexp "~0.1.12" | ||
| proxy-addr "~2.0.7" | ||
| qs "~6.14.0" | ||
| qs "~6.15.1" |
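Review bot: this block is express's own declared dependency list, so the move from `qs "~6.14.0"` to `qs "~6.15.1"` must equal what the express 4.22.2 manifest declares (`npm view express@4.22.2 dependencies.qs`), and the `qs@~6.15.1` entry it points to needs its own `integrity` line. Regenerate with `yarn install` rather than hand-editing, and run CI installs with `yarn install --frozen-lockfile` so a lockfile that yarn would need to rewrite fails the build instead of being silently repaired.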
The dependency qs@~6.15.1 points to a broken entry in the lockfile (starting at line 7595) which is missing the integrity field. This bypasses the checksum verification process, allowing potentially tampered packages to be installed without warning. Ensure the lockfile is regenerated correctly using yarn install.
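The missing-integrity and suspicious-hash points raised in these review comments, as an added Python example (not code from this PR or the project): a small audit of yarn v1 lockfile text that flags entries with no `integrity` field, integrity values that are not a well-formed sha512 digest, and a `resolved` tarball whose version does not match the entry's `version`. The lockfile text, the sha512 value and the sha1 URL fragments are constructed placeholders.

```python
import base64
import re
# Constructed sample (not the PR's yarn.lock); sha512 of 64 zero bytes, zero-filled sha1 fragments.
_OK = "sha512-" + base64.b64encode(bytes(64)).decode()
SAMPLE_LOCK = f'''"@types/node@^25.0.0":
  version "25.8.0"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-25.8.0.tgz#{"0" * 40}"
  integrity {_OK}
  dependencies:
    undici-types "~7.19.0"
qs@~6.15.1:
  version "6.15.1"
  resolved "https://registry.yarnpkg.com/qs/-/qs-6.15.1.tgz#{"0" * 40}"
express@^4.0.0:
  version "4.22.2"
  resolved "https://registry.yarnpkg.com/express/-/express-4.21.2.tgz#{"0" * 40}"
  integrity sha512-notbase64!!
'''
def parse_lockfile(text):
    """Return {entry_key: {field: value}} from yarn v1 lockfile text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.startswith((" ", "#")) and line.endswith(":"):
            current = line[:-1].strip('"')  # new top-level entry
            entries[current] = {}
        elif current and line.startswith("  ") and not line.startswith("    "):
            key, _, value = line.strip().partition(" ")
            if value:  # skips the bare "dependencies:" header
                entries[current][key] = value.strip('"')
    return entries

def audit_entry(fields):
    """Findings for one entry: missing/malformed integrity, tarball/version drift."""
    findings, integrity = [], fields.get("integrity")
    if integrity is None:
        findings.append("missing integrity: the tarball checksum is never verified")
    else:
        algo, _, digest = integrity.partition("-")
        try:
            raw = base64.b64decode(digest, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if algo != "sha512" or len(raw) != 64:  # a sha512 digest is 64 bytes
            findings.append(f"malformed integrity value: {integrity[:20]}...")
    version, resolved = fields.get("version", ""), fields.get("resolved", "")
    m = re.search(r"/-/[^/]+-(\d[^/#]*)\.tgz", resolved)
    if not m or m.group(1) != version:
        findings.append(f"resolved tarball does not match version {version}: {resolved}")
    return findings

def audit_lockfile(text):
    return {k: f for k, v in parse_lockfile(text).items() if (f := audit_entry(v))}
```

Running `audit_lockfile` over a real `website/yarn.lock` lists only the entries that need attention; a clean lockfile returns an empty dict.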
Codecov Report
✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main    #2932   +/-   ##
=======================================
  Coverage   94.13%   94.13%
=======================================
  Files          52       52
  Lines        1483     1483
=======================================
  Hits         1396     1396
  Misses         87       87
Flags with carried forward coverage won't be shown.
Auto-generated by create-pull-request
See: https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs