Skip to content

[Snyk] Fix for 3 vulnerabilities#27

Open
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-b938854187709a04caa792c9f9568379
Open

[Snyk] Fix for 3 vulnerabilities#27
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-b938854187709a04caa792c9f9568379

Conversation

@revan-zhang

@revan-zhang revan-zhang commented Mar 27, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PICOMATCH-15765511
  635  
medium severity Prototype Pollution
SNYK-JS-PICOMATCH-15765513
  545  
medium severity Uncontrolled Recursion
SNYK-JS-YAML-15765520
  540  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution


Open with Devin

Note

Medium Risk
Upgrades core HTTP framework dependencies (@midwayjs/koa -> v4 pulling in koa v3 and new router/session/cookie stacks), which may introduce runtime/typing breaking changes. Remaining changes are lockfile refreshes for lint-staged and transitive packages to remediate reported vulnerabilities.

Overview
Updates dependencies to remediate Snyk-reported issues by upgrading @midwayjs/koa from v3 to v4 and bumping lint-staged.

The yarn.lock refresh pulls in new major versions across the Koa stack (notably koa v3, @koa/router v12, and @midwayjs/session/@midwayjs/cookies v4/v1.3) plus updated transitive tooling deps (e.g., yaml).

Written by Cursor Bugbot for commit 1f7a101. This will update automatically on new commits. Configure here.

@revan-zhang

revan-zhang commented Mar 27, 2026

Copy link
Copy Markdown
Contributor Author

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​midwayjs/​koa@​3.13.0 ⏵ 4.0.079 +210075 +399 +3100
Updatedlint-staged@​15.2.2 ⏵ 15.5.299 +1100100 +197 +2100

View full report

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread package.json
"@midwayjs/decorator": "^3.12.3",
"@midwayjs/i18n": "3.13.7",
"@midwayjs/koa": "^3.12.0",
"@midwayjs/koa": "^4.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Major version bump breaks compatibility with v3 ecosystem

High Severity

Upgrading @midwayjs/koa from v3 to ^4.0.0 while all other @midwayjs/* packages remain at v3 will break the application. The official Midway v4 migration guide requires upgrading all packages together (@midwayjs/core, @midwayjs/bootstrap, @midwayjs/decorator, @midwayjs/mock, etc.) to v4 simultaneously. Additionally, @midwayjs/koa v4 pulls in koa@3.0.3 (up from v2), and the project's @types/koa at ^2.13.12 conflicts with the bundled @types/koa@3.0.0. Midway v4 also requires Node.js v20+, but the project declares >=18.0.0. The Snyk metadata itself flags isBreakingChange: true.

Additional Locations (1)
Fix in Cursor Fix in Web

Comment thread yarn.lock

__metadata:
version: 8
version: 6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile metadata version downgraded from Yarn 4 to 3 format

High Severity

The yarn.lock metadata version was downgraded from 8 (Yarn 4 format) to 6 (Yarn 3 format), but the project specifies "packageManager": "yarn@4.0.2" in package.json. Snyk likely generated the lockfile changes using Yarn 3. This will cause yarn install --immutable to fail in CI, and any developer running yarn install with Yarn 4 will see the entire lockfile reformatted back to version 8, producing a massive diff unrelated to their work. The mixed checksum formats (some prefixed 8/, some not) further confirm format inconsistency.

Fix in Cursor Fix in Web

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

View 3 additional findings in Devin Review.

Open in Devin Review

Comment thread package.json
"@midwayjs/decorator": "^3.12.3",
"@midwayjs/i18n": "3.13.7",
"@midwayjs/koa": "^3.12.0",
"@midwayjs/koa": "^4.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Major version mismatch: @midwayjs/koa v4 paired with all other @midwayjs/ packages at v3*

Upgrading @midwayjs/koa to ^4.0.0 while keeping every other @midwayjs/* package on v3 (@midwayjs/core: ^3.13.0, @midwayjs/bootstrap: ^3.12.5, @midwayjs/mock: ^3.12.10, @midwayjs/cross-domain: ^3.12.10, @midwayjs/bull: 3, @midwayjs/mongoose: 3, @midwayjs/redis: 3, @midwayjs/validate: 3, @midwayjs/i18n: 3.13.7, @midwayjs/decorator: ^3.12.3) creates a cross-major-version mismatch. Per the yarn.lock, @midwayjs/koa@4.0.0 depends on koa@3.0.3, whereas all the v3 midway ecosystem packages were built and tested against koa v2. This will likely cause runtime incompatibilities across middleware, filters, and the test harness (the test files at test/user/user.entity.test.ts:2 and test/user/user.controller.test.ts:2 import { Application, Framework } from @midwayjs/koa, which may not be compatible with the v4 API). All @midwayjs/* packages should be upgraded to v4 together, or @midwayjs/koa should remain on v3.

Prompt for agents
In package.json line 16, either revert @midwayjs/koa back to ^3.12.0 to match all other @midwayjs/* packages at v3, or upgrade ALL @midwayjs/* dependencies (core, bootstrap, bull, cross-domain, decorator, i18n, mongoose, redis, validate, mock, cli) to their v4 equivalents simultaneously. The midway framework expects all its packages to be on the same major version. Additionally, if upgrading to v4, update @types/koa in devDependencies from ^2.13.12 to match the v3 koa types that @midwayjs/koa@4 depends on.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants