[Snyk] Security upgrade @changesets/cli from 2.26.2 to 2.29.6#180
[Snyk] Security upgrade @changesets/cli from 2.26.2 to 2.29.6#180Dustin4444 wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TMP-16881240
|
Important Review skippedAuto reviews are limited based on label configuration. 🏷️ Required labels (at least one) (1)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the @changesets/cli dependency in package.json from version 2.26.2 to 2.29.6. Feedback highlights two critical issues: first, this upgrade breaks an existing custom patch on @changesets/assemble-release-plan due to a dependency version mismatch; second, the pnpm-lock.yaml lockfile was not updated, which will cause CI build failures.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| "packageManager": "pnpm@10.33.2", | ||
| "dependencies": { | ||
| "@changesets/cli": "2.26.2", | ||
| "@changesets/cli": "2.29.6", |
There was a problem hiding this comment.
There are two critical issues with this upgrade:\n\n1. Broken Patch Dependency: Upgrading @changesets/cli to 2.29.6 pulls in a newer version of @changesets/assemble-release-plan. The repository currently applies a custom patch to @changesets/assemble-release-plan@5.2.4 (line 80). Because the upgraded CLI uses a newer version of this dependency, the existing patch will not be applied, silently breaking the custom release plan logic. Re-apply or update the patch for the new version of @changesets/assemble-release-plan to maintain the custom behavior.\n2. Missing Lockfile Update: The pull request does not include updates to pnpm-lock.yaml. Merging this change as-is will result in an out-of-sync lockfile, causing CI build failures. Run pnpm install locally to update the lockfile and commit the changes before merging.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-TMP-16881240
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal
This change is