fix: upgrade lucide-react to 0.541.0 to resolve security issue #5732

Merged: adhami3310 merged 1 commit into main from devin/1755911886-upgrade-lucide-react-security-fix on Aug 25, 2025

Conversation

@devin-ai-integration
Contributor

Description

This PR fixes issue #5730 where Microsoft Defender flags chrome.js in lucide-react@0.540.0 as a Trojan Horse, causing reflex run to fail with build errors.

Changes

  • Upgraded lucide-react version: Updated LUCIDE_LIBRARY constant from "lucide-react@0.540.0" to "lucide-react@0.541.0" in reflex/components/lucide/icon.py
  • Updated type stub hashes: Modified pyi_hashes.json to reflect the new hash for the lucide icon.pyi file

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Verification

  • Unit tests pass (3375 passed, 34 skipped)
  • Code formatting and lint checks pass
  • Manual testing with a Reflex app using lucide icons (unable to complete due to environment issues)

Human Review Checklist

⚠️ Important items to verify during review:

  1. Security Fix Verification: Confirm that lucide-react@0.541.0 actually resolves the Microsoft Defender chrome.js false positive issue
  2. Functional Testing: Test that lucide icons still render correctly in a Reflex application after the upgrade
  3. Breaking Changes: Verify there are no breaking changes between 0.540.0 and 0.541.0 that could affect existing functionality
  4. CI Status: Check that all CI checks pass, especially since some pre-commit hooks had to be skipped due to environment issues during development

Additional Context

All Submissions:

  • Have you followed the guidelines stated in CONTRIBUTING.md file?
  • Have you checked to ensure there aren't any other open Pull Requests for the desired change?

Changes To Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable? (No new tests needed - this is a dependency version update)
  • Have you successfully run tests with your changes locally?

- Fixes #5730 where Microsoft Defender flags chrome.js as Trojan Horse
- Upgrades from 0.540.0 to 0.541.0 which resolves the security issue
- Allows reflex run to work without build failures

Co-Authored-By: Alek <alek@pynecone.io>
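The two edits this PR makes, bumping the pinned LUCIDE_LIBRARY string and refreshing the matching pyi_hashes.json entry, are the kind of pair that drifts apart when one is touched without the other, and a pin that slides back below 0.541.0 or loosens into a range would reintroduce the flagged release. Below is an added example of a guard that checks both; it is written for this page and is not taken from the Reflex code base. It assumes LUCIDE_LIBRARY is a plain double-quoted string literal in icon.py and that pyi_hashes.json maps a relative stub path to a SHA-256 hex digest of the stub file's bytes; the page shows neither detail and Reflex's real hash scheme may differ. The sample icon.py contents and stub bytes are constructed inline.

```python
"""CI guard for a pinned npm dependency and its generated type-stub hash.

Added example, not Reflex project code. Assumptions (not shown on the page):
LUCIDE_LIBRARY is a plain string literal in icon.py, and pyi_hashes.json maps
a relative .pyi path to a SHA-256 hex digest of the stub file's bytes.
"""
import hashlib
import hmac
import json
import re

# First version the PR reports as free of the Defender-flagged chrome.js.
MIN_SAFE_VERSION = (0, 541, 0)

# Exact "name@x.y.z" pins only; "^0.540.0", "latest" or a dist-tag must fail.
SPEC_RE = re.compile(r"^(?P<name>@?[^@]+)@(?P<version>\d+\.\d+\.\d+)$")
CONST_RE = re.compile(r'^LUCIDE_LIBRARY\s*=\s*"([^"]*)"', re.MULTILINE)


def parse_spec(spec: str) -> tuple[str, tuple[int, int, int]]:
    """Split 'lucide-react@0.541.0' into ('lucide-react', (0, 541, 0))."""
    m = SPEC_RE.match(spec)
    if m is None:
        raise ValueError(f"not an exact name@x.y.z pin: {spec!r}")
    major, minor, patch = (int(p) for p in m["version"].split("."))
    return m["name"], (major, minor, patch)


def pinned_library(icon_py_source: str) -> str:
    """Return the string assigned to LUCIDE_LIBRARY in the given source text."""
    m = CONST_RE.search(icon_py_source)
    if m is None:
        raise ValueError("LUCIDE_LIBRARY string literal not found")
    return m.group(1)


def check_pin(icon_py_source: str, package: str = "lucide-react",
              minimum: tuple[int, int, int] = MIN_SAFE_VERSION) -> bool:
    """True only if the constant pins `package` exactly, at or above `minimum`.

    A version range, a missing constant or a different package all return
    False, so a later edit cannot silently reintroduce the flagged release.
    """
    try:
        name, version = parse_spec(pinned_library(icon_py_source))
    except ValueError:
        return False
    return name == package and version >= minimum


def stub_hash(stub_bytes: bytes) -> str:
    """Hex digest recorded for a stub file (SHA-256 is an assumption here)."""
    return hashlib.sha256(stub_bytes).hexdigest()


def check_stub_hash(hashes_json: str, stub_path: str, stub_bytes: bytes) -> bool:
    """True if the recorded digest for `stub_path` matches the stub's content.

    A mismatch means the stub was regenerated (or the dependency changed)
    without the hash file being updated alongside it.
    """
    recorded = json.loads(hashes_json).get(stub_path)
    if not isinstance(recorded, str):
        return False
    return hmac.compare_digest(recorded.encode(), stub_hash(stub_bytes).encode())


# Constructed sample inputs standing in for the real files.
ICON_PY_BEFORE = 'LUCIDE_LIBRARY = "lucide-react@0.540.0"\n'
ICON_PY_AFTER = 'LUCIDE_LIBRARY = "lucide-react@0.541.0"\n'
ICON_PY_RANGE = 'LUCIDE_LIBRARY = "lucide-react@^0.540.0"\n'
STUB_PATH = "reflex/components/lucide/icon.pyi"
STUB_AFTER = b"class Icon(Component): ...\n"  # constructed stub content
HASHES_JSON = json.dumps({STUB_PATH: stub_hash(STUB_AFTER)})

if __name__ == "__main__":
    for label, src in [("before", ICON_PY_BEFORE), ("after", ICON_PY_AFTER),
                       ("range", ICON_PY_RANGE)]:
        print(f"{label}: pin ok = {check_pin(src)}")
    print("stub hash ok =", check_stub_hash(HASHES_JSON, STUB_PATH, STUB_AFTER))
    print("stale stub   =", check_stub_hash(HASHES_JSON, STUB_PATH, b"edited\n"))
```

Run as a script it reports the pin result for the before, after and range variants and the stub-hash result; in CI the same two functions would be fed the real icon.py and pyi_hashes.json. Rejecting ranges matters because a spec such as ^0.540.0 still admits 0.540.0, the release Defender flagged, even though it reads like a newer constraint.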
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@greptile-apps greptile-apps Bot left a comment

Greptile Summary

This PR addresses a critical security false positive issue by upgrading the lucide-react dependency from version 0.540.0 to 0.541.0. The change resolves a problem where Microsoft Defender was incorrectly flagging chrome.js in the older version as a Trojan Horse, causing reflex run to fail with build errors and blocking developer workflows.

The implementation involves two key changes: First, updating the LUCIDE_LIBRARY constant in reflex/components/lucide/icon.py from "lucide-react@0.540.0" to "lucide-react@0.541.0". This constant serves as the single source of truth for the lucide-react version throughout Reflex's Lucide icon system. Second, updating the corresponding hash in pyi_hashes.json for the lucide icon type stub file to maintain compatibility with Python's type checking system.

This change integrates seamlessly with Reflex's existing architecture. The Lucide icon component system in Reflex dynamically imports the specified version of lucide-react through the LUCIDE_LIBRARY constant, making this version update straightforward and maintainable. The hash update in pyi_hashes.json ensures that the Python type stub system continues to work correctly with the new dependency version.

Confidence score: 4/5

  • This PR is safe to merge with minimal risk as it addresses a critical blocking issue through a simple dependency version bump
  • Score reflects the straightforward nature of the security fix and successful test results, though manual functional testing was incomplete due to environment issues
  • Pay attention to verifying that the new version actually resolves the Microsoft Defender false positive and that lucide icons continue to render correctly

2 files reviewed, no comments

codspeed-hq Bot commented Aug 23, 2025

CodSpeed Performance Report

Merging #5732 will not alter performance

Comparing devin/1755911886-upgrade-lucide-react-security-fix (90a0d60) with main (d9b242a)

Summary

✅ 8 untouched benchmarks

@adhami3310 adhami3310 merged commit fe9551d into main Aug 25, 2025
40 of 41 checks passed
@adhami3310 adhami3310 deleted the devin/1755911886-upgrade-lucide-react-security-fix branch August 25, 2025 16:32
Development

Successfully merging this pull request may close these issues.

Please upgrade lucide-react ASAP (security issue)

2 participants