[Snyk] Fix for 2 vulnerabilities#111
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062 - https://snyk.io/vuln/SNYK-JS-TOOTALLNATEONCE-15250612
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "html-webpack-plugin": "^5.5.0", | ||
| "identity-obj-proxy": "^3.0.0", | ||
| "jest": "^27.4.3", | ||
| "jest": "^28.0.0", |
There was a problem hiding this comment.
Jest upgrade leaves companion packages at incompatible versions
High Severity
Upgrading jest to ^28.0.0 while leaving babel-jest at ^27.4.2, jest-resolve at ^27.4.2, and @types/jest at ^27.5.2 creates a major version mismatch. These packages are part of the Jest monorepo and must share the same major version. Additionally, jest-watch-typeahead at ^1.0.0 only supports Jest 28 starting from version 1.1.0. This will cause test suite failures.
Additional Locations (2)
| "html-webpack-plugin": "^5.5.0", | ||
| "identity-obj-proxy": "^3.0.0", | ||
| "jest": "^27.4.3", | ||
| "jest": "^28.0.0", |
There was a problem hiding this comment.
🔴 jest upgraded to ^28 but babel-jest and jest-resolve left at ^27, causing version mismatch
The PR upgrades jest from ^27.4.3 to ^28.0.0 (resolves to 28.1.3), but the companion packages babel-jest (line 34, still ^27.4.2, resolves to 27.5.1) and jest-resolve (line 66, still ^27.4.2, resolves to 27.5.1) were not updated. The file config/jest/babelTransform.js:3 does require('babel-jest').default, which will resolve to the top-level babel-jest@27.5.1. This babel-jest@27 was built against jest@27's @jest/transform interface, but jest@28 changed the transformer contract (e.g., different TransformOptions shape, new async methods). This version mismatch between the test runner and its transformer can lead to test failures or subtle behavioral differences.
Prompt for agents
In package.json, update babel-jest (line 34) from "^27.4.2" to "^28.0.0" and jest-resolve (line 66) from "^27.4.2" to "^28.0.0" to match the jest major version. Also consider updating @types/jest (line 23) from "^27.5.2" to "^28.0.0" for type compatibility.
Was this helpful? React with 👍 or 👎 to provide feedback.


Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-SERIALIZEJAVASCRIPT-570062
SNYK-JS-TOOTALLNATEONCE-15250612
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Arbitrary Code Injection
Note
Medium Risk
Upgrades several core build/test dependencies with major version jumps (
css-minimizer-webpack-plugin,jest,workbox-webpack-plugin), which can change build/test behavior and asset output even though no app code changes.Overview
Updates dependency versions to address reported vulnerabilities by bumping build/test tooling in
package.json(notablycss-minimizer-webpack-plugin3→8,jest27→28,workbox-webpack-plugin6→7, andterser-webpack-pluginto 5.3.17).Regenerates
yarn.lockto pull in the new transitive dependency graph (including updatedserialize-javascriptvia the CSS minimizer).Written by Cursor Bugbot for commit 2400567. This will update automatically on new commits. Configure here.