[Snyk] Security upgrade @polkadot/react-hooks from 0.0.0-use.local to 0.37.1 #41
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-QS-14724253
Learn moreAll Green is an AI agent that automatically: ✅ Addresses code review comments ✅ Fixes failing CI checks ✅ Resolves merge conflicts |
There was a problem hiding this comment.
Pull request overview
This Snyk-generated security PR attempts to address a high-severity vulnerability (SNYK-JS-QS-14724253) by updating @polkadot/react-hooks. However, the proposed change introduces a critical version incompatibility issue.
Key changes:
- Attempts to change
@polkadot/react-hooksfrom^0.166.2-7-xto^0.37.1(a downgrade) - Note: PR description mentions upgrading from "0.0.0-use.local" but the actual diff shows different source version
- Snyk warning indicates yarn.lock update failed
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@polkadot/phishing": "^0.25.20", | ||
| "@polkadot/react-components": "^0.166.2-7-x", | ||
| "@polkadot/react-hooks": "^0.166.2-7-x", | ||
| "@polkadot/react-hooks": "^0.37.1", |
There was a problem hiding this comment.
This version change appears to be incorrect and will likely break the application. The change downgrades from version 0.166.2-7-x to 0.37.1, which is a significant downgrade and inconsistent with the rest of the codebase.
Issues identified:
- All other @PolkaDot packages in this file use version ^0.166.2-7-x (react-components, test-support)
- The @polkadot/react-hooks package itself is at version 0.166.2-7-x in packages/react-hooks/package.json
- Other packages in the monorepo (e.g., packages/apps/package.json) use ^0.166.2-7-x for @polkadot/react-hooks
- The PR description mentions upgrading from "0.0.0-use.local" but the actual diff shows changing from "^0.166.2-7-x"
This change will create a version mismatch and may not actually address the security vulnerability if the vulnerability exists in the transitive dependencies. The version should remain at ^0.166.2-7-x to maintain consistency with the monorepo.
| "@polkadot/react-hooks": "^0.37.1", | |
| "@polkadot/react-hooks": "^0.166.2-7-x", |
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/page-accounts/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling