Skip to content

[Snyk] Fix for 2 vulnerabilities#111

Open
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-07f83f5dc25ab856e5018d6d9b4453fc
Open

[Snyk] Fix for 2 vulnerabilities#111
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-07f83f5dc25ab856e5018d6d9b4453fc

Conversation

@revan-zhang

@revan-zhang revan-zhang commented Mar 8, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Arbitrary Code Injection
SNYK-JS-SERIALIZEJAVASCRIPT-570062
  610  
medium severity Incorrect Control Flow Scoping
SNYK-JS-TOOTALLNATEONCE-15250612
  515  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection


Open with Devin

Note

Medium Risk
Upgrades several core build/test dependencies with major version jumps (css-minimizer-webpack-plugin, jest, workbox-webpack-plugin), which can change build/test behavior and asset output even though no app code changes.

Overview
Updates dependency versions to address reported vulnerabilities by bumping build/test tooling in package.json (notably css-minimizer-webpack-plugin 3→8, jest 27→28, workbox-webpack-plugin 6→7, and terser-webpack-plugin to 5.3.17).

Regenerates yarn.lock to pull in the new transitive dependency graph (including updated serialize-javascript via the CSS minimizer).

Written by Cursor Bugbot for commit 2400567. This will update automatically on new commits. Configure here.

@revan-zhang

revan-zhang commented Mar 8, 2026

Copy link
Copy Markdown
Contributor Author

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedjest@​27.5.1 ⏵ 28.1.310010068 +191100
Updatedworkbox-webpack-plugin@​6.5.4 ⏵ 7.4.09910073 +186100
Addedterser-webpack-plugin@​5.3.179910010092100
Updatedcss-minimizer-webpack-plugin@​3.4.1 ⏵ 8.0.099 +110010093 +1100

View full report

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread package.json
"html-webpack-plugin": "^5.5.0",
"identity-obj-proxy": "^3.0.0",
"jest": "^27.4.3",
"jest": "^28.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Jest upgrade leaves companion packages at incompatible versions

High Severity

Upgrading jest to ^28.0.0 while leaving babel-jest at ^27.4.2, jest-resolve at ^27.4.2, and @types/jest at ^27.5.2 creates a major version mismatch. These packages are part of the Jest monorepo and must share the same major version. Additionally, jest-watch-typeahead at ^1.0.0 only supports Jest 28 starting from version 1.1.0. This will cause test suite failures.

Additional Locations (2)

Fix in Cursor Fix in Web

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

View 4 additional findings in Devin Review.

Open in Devin Review

Comment thread package.json
"html-webpack-plugin": "^5.5.0",
"identity-obj-proxy": "^3.0.0",
"jest": "^27.4.3",
"jest": "^28.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 jest upgraded to ^28 but babel-jest and jest-resolve left at ^27, causing version mismatch

The PR upgrades jest from ^27.4.3 to ^28.0.0 (resolves to 28.1.3), but the companion packages babel-jest (line 34, still ^27.4.2, resolves to 27.5.1) and jest-resolve (line 66, still ^27.4.2, resolves to 27.5.1) were not updated. The file config/jest/babelTransform.js:3 does require('babel-jest').default, which will resolve to the top-level babel-jest@27.5.1. This babel-jest@27 was built against jest@27's @jest/transform interface, but jest@28 changed the transformer contract (e.g., different TransformOptions shape, new async methods). This version mismatch between the test runner and its transformer can lead to test failures or subtle behavioral differences.

Prompt for agents
In package.json, update babel-jest (line 34) from "^27.4.2" to "^28.0.0" and jest-resolve (line 66) from "^27.4.2" to "^28.0.0" to match the jest major version. Also consider updating @types/jest (line 23) from "^27.5.2" to "^28.0.0" for type compatibility.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants