[Snyk] Fix for 5 vulnerabilities #451
…duce vulnerabilities. The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-H3-15683856
- https://snyk.io/vuln/SNYK-JS-H3-15692482
- https://snyk.io/vuln/SNYK-JS-H3-15692480
- https://snyk.io/vuln/SNYK-JS-NEXT-15674556
- https://snyk.io/vuln/SNYK-JS-NEXT-15674558
⛔ Snyk checks have failed. 10 issues have been found so far.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
| "msw": "^2.4.1", | ||
| "near-api-js": "^0.44.2", | ||
| "next": "^13.5.9", | ||
| "next": "^16.1.7", |
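Review bot: the `next` line in this hunk jumps three major versions (`^13.5.9` to `^16.1.7`) while `react` and `react-dom` stay at `^18.3.1` elsewhere in this file, so the change alters a runtime peer requirement rather than a patch level. Before accepting it, confirm the lowest `next` release that closes SNYK-JS-NEXT-15674556 and SNYK-JS-NEXT-15674558 and prefer that; if the 16.x bump is kept, the matching `react`/`react-dom` bump, the `output: 'export'` config and the removal of `next export` from the build script belong in the same commit so the lockfile and the build agree.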
Next.js 16 requires React 19, project uses React 18
High Severity
Upgrading next from ^13.5.9 to ^16.1.7 introduces a peer dependency conflict. Next.js 16 requires React 19.2, but the project still specifies "react": "^18.3.1" and "react-dom": "^18.3.1". This version mismatch will cause runtime failures, hydration issues, or build errors since Next.js 16 relies on React 19 APIs not present in React 18.
| "@uniswap/default-token-list": "^12.23.0", | ||
| "@walletconnect/core": "^2.13.0", | ||
| "@walletconnect/sign-client": "^2.13.0", | ||
| "@walletconnect/sign-client": "^2.21.9", |
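Review bot: only `@walletconnect/sign-client` moves to `^2.21.9` in this hunk while `@walletconnect/core` two lines above stays at `^2.13.0` (and `@walletconnect/types` is not touched), so the regenerated lockfile will carry two versions of the same package family. Bump `core` and `types` to the same range in this hunk, or record why the skew is acceptable, since the app imports `RELAYER_EVENTS` and the pairing/session/proposal types from the older packages while `sign-client` resolves its own newer copies.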
Build script uses removed next export command
High Severity
The build script uses next build && next export, but next export was removed in Next.js 14. With next upgraded to ^16.1.7, the build command will fail with an error. The migration path requires setting output: 'export' in next.config.js and removing the next export command from the build script.
| "msw": "^2.4.1", | ||
| "near-api-js": "^0.44.2", | ||
| "next": "^13.5.9", | ||
| "next": "^16.1.7", |
Custom webpack config incompatible with Next.js 16 Turbopack
Medium Severity
Next.js 16 defaults to Turbopack as the bundler, which doesn't support custom webpack configuration in next.config.js. The project's custom webpack config (adding ProvidePlugin and asyncWebAssembly) will cause builds to fail unless explicitly opting into webpack with --webpack flag or migrating the config to Turbopack equivalents.
| "@uniswap/default-token-list": "^12.23.0", | ||
| "@walletconnect/core": "^2.13.0", | ||
| "@walletconnect/sign-client": "^2.13.0", | ||
| "@walletconnect/sign-client": "^2.21.9", |
WalletConnect package versions significantly mismatched across dependencies
Medium Severity
@walletconnect/sign-client was upgraded to ^2.21.9 (resolves to 2.23.8), but @walletconnect/core and @walletconnect/types remain at ^2.13.0 (resolving to 2.17.4). The application code imports RELAYER_EVENTS from core and type interfaces like PairingTypes, SessionTypes, ProposalTypes from types at the old version, while the sign-client internally uses 2.23.8 versions of these packages. This version skew can cause runtime type mismatches or missing/changed constants.
| "msw": "^2.4.1", | ||
| "near-api-js": "^0.44.2", | ||
| "next": "^13.5.9", | ||
| "next": "^16.1.7", |
🔴 Upgrading Next.js to v16 breaks the next export build command
The next dependency is bumped from ^13.5.9 to ^16.1.7 (resolving to 16.2.1 per the lockfile), but the build script at packages/example/package.json:9 still uses next build && next export. The next export CLI command was removed as a functional command in Next.js 14 — the dist/cli/next-export.js file that ships with next@16.2.1 is only 626 bytes (a stub that prints an error), not a working export implementation. Running yarn build in the example package will fail at the next export step.
To fix this, either add output: 'export' to next.config.js and remove && next export from the build script, or don't bump next this far.
Prompt for agents
Two changes are needed to fix the broken build:

1. In packages/example/package.json line 9, remove the `&& next export` from the build script. Change:

   ```json
   "build": "cross-env NODE_OPTIONS=--openssl-legacy-provider next build && next export"
   ```

   to:

   ```json
   "build": "cross-env NODE_OPTIONS=--openssl-legacy-provider next build"
   ```

2. In packages/example/next.config.js, add `output: 'export'` to the nextConfig object (around line 15-26) so that `next build` produces a static export. For example:

   ```js
   const nextConfig = {
     output: 'export',
     productionBrowserSourceMaps: true,
     ...
   };
   ```

Alternatively, if a static export is not needed, simply remove `&& next export` from the build script without adding the output config.


Snyk has created this PR to fix 5 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
- packages/example/package.json
- packages/example/yarn.lock

Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the `.yarn/cache/` directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run `yarn` to update the contents of the `./yarn/cache` directory. If you are not using zero-install you can ignore this, as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-H3-15683856
SNYK-JS-H3-15692482
SNYK-JS-H3-15692480
SNYK-JS-NEXT-15674556
SNYK-JS-NEXT-15674558
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal
🦉 CRLF Injection
🦉 Allocation of Resources Without Limits or Throttling
Note
High Risk
Upgrades `next` across major versions (13 → 16), which can introduce breaking runtime/build behavior changes for the example app despite being dependency-only. Also bumps `@walletconnect/sign-client` and pulls in updated transitive crypto/logging deps, so wallet-connection flows may regress if assumptions changed.

Overview
Updates the example app's dependencies to remediate reported vulnerabilities by upgrading `next` from `^13.5.9` to `^16.1.7` and bumping `@walletconnect/sign-client` from `^2.13.0` to `^2.21.9`. Regenerates `yarn.lock` to align transitive packages with these upgrades, including newer `@walletconnect/*` components and new/updated Next-related tooling (e.g., `@next/env`, `@next/swc-*`, `styled-jsx`) plus added optional `sharp` binaries.

Written by Cursor Bugbot for commit e645892.