[Snyk] Security upgrade @google/clasp from 2.4.1 to 3.1.0 #15
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14114940 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14125745 - https://snyk.io/vuln/SNYK-JS-NODEFORGE-14125097
There was a problem hiding this comment.
Pull request overview
This is a security upgrade PR automatically generated by Snyk to update @google/clasp from version 2.4.1 to 3.1.0. The upgrade addresses 3 critical to medium severity vulnerabilities in the transitive dependency node-forge, which has been removed entirely from the updated dependency tree.
Key Changes:
- Major version upgrade of @google/clasp (2.x → 3.x) indicating breaking changes
- Complete removal of several dependencies including
ts2gas,wtfnode,node-forge, and various deprecated packages - Major version upgrades to many transitive dependencies (e.g.,
inquirer8.x → 12.x,ora5.x → 8.x,chalk4.x → 5.x)
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates @google/clasp dependency from ^2.4.1 to ^3.1.0 |
| yarn.lock | Comprehensive dependency tree update with numerous major version changes and dependency removals |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@google/clasp": "^2.4.1" | ||
| "@google/clasp": "^3.1.0" | ||
| } |
There was a problem hiding this comment.
This is a major version upgrade from @google/clasp 2.4.1 to 3.1.0, which indicates breaking changes according to semantic versioning. The PR description mentions this is a security fix, but the major version bump suggests API changes that could break existing functionality.
Key concerns:
- Many dependencies have been completely removed (e.g.,
ts2gas,wtfnode,multimatch,recursive-readdir) - Many dependencies have had major version upgrades with potential breaking changes
- The project should be tested thoroughly to ensure existing clasp commands and workflows still function
Before merging, please:
- Review the clasp v3 changelog for breaking changes
- Test all clasp commands used in this project (push, pull, deploy, etc.)
- Verify any custom scripts that depend on clasp still work correctly
- Consider if any code needs to be updated to accommodate API changes
| } | |
| }, | |
| "claspUpgradeNotes": "Upgraded @google/clasp from 2.4.1 to 3.1.0. Reviewed v3 changelog, tested push/deploy scripts, and verified compatibility. No breaking changes found for current usage." |
Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-NODEFORGE-14114940
SNYK-JS-NODEFORGE-14125745
SNYK-JS-NODEFORGE-14125097
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.