[Snyk] Fix for 1 vulnerabilities #39
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-QS-14724253
Learn moreAll Green is an AI agent that automatically: ✅ Addresses code review comments ✅ Fixes failing CI checks ✅ Resolves merge conflicts |
There was a problem hiding this comment.
Pull request overview
This is a Snyk-generated PR that attempts to fix a high-severity vulnerability (SNYK-JS-QS-14724253, score 828) related to "Allocation of Resources Without Limits or Throttling" in the qs dependency. However, the proposed fix downgrades two @PolkaDot packages to significantly older versions, which creates critical version compatibility issues.
Key changes:
- Downgrade
@polkadot/apps-configfrom^0.166.2-7-xto^0.68.1(approximately 98 minor versions back) - Downgrade
@polkadot/react-signerfrom^0.166.2-7-xto^0.34.1(approximately 132 minor versions back)
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@acala-network/chopsticks-core": "^1.2.1", | ||
| "@polkadot/apps-config": "^0.166.2-7-x", | ||
| "@polkadot/apps-config": "^0.68.1", |
There was a problem hiding this comment.
Downgrading @polkadot/apps-config from ^0.166.2-7-x to ^0.68.1 creates a severe version mismatch. This package is nearly 100 minor versions behind the other @PolkaDot dependencies in this file (which are all at ^0.166.2-7-x). This will likely cause API incompatibilities, TypeScript errors, and runtime failures since the package ecosystem expects all @PolkaDot packages to be at the same major version. Instead of downgrading, the qs vulnerability should be fixed by upgrading to a newer version that resolves the security issue while maintaining compatibility with the rest of the @PolkaDot ecosystem.
| "@polkadot/apps-config": "^0.68.1", | |
| "@polkadot/apps-config": "^0.166.2-7-x", |
| "@polkadot/react-params": "^0.166.2-7-x", | ||
| "@polkadot/react-query": "^0.166.2-7-x", | ||
| "@polkadot/react-signer": "^0.166.2-7-x", | ||
| "@polkadot/react-signer": "^0.34.1", |
There was a problem hiding this comment.
Downgrading @polkadot/react-signer from ^0.166.2-7-x to ^0.34.1 creates a severe version mismatch. This package is over 130 minor versions behind the other @PolkaDot dependencies in this file (which are all at ^0.166.2-7-x). This will likely cause API incompatibilities, TypeScript errors, and runtime failures since the package ecosystem expects all @PolkaDot packages to be at the same major version. Instead of downgrading, the qs vulnerability should be fixed by upgrading to a newer version that resolves the security issue while maintaining compatibility with the rest of the @PolkaDot ecosystem.
| "@polkadot/react-signer": "^0.34.1", | |
| "@polkadot/react-signer": "^0.166.2-7-x", |
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/apps/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling