[Snyk] Fix for 3 vulnerabilities#27
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-PICOMATCH-15765511 - https://snyk.io/vuln/SNYK-JS-PICOMATCH-15765513 - https://snyk.io/vuln/SNYK-JS-YAML-15765520
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "@midwayjs/decorator": "^3.12.3", | ||
| "@midwayjs/i18n": "3.13.7", | ||
| "@midwayjs/koa": "^3.12.0", | ||
| "@midwayjs/koa": "^4.0.0", |
There was a problem hiding this comment.
Major version bump breaks compatibility with v3 ecosystem
High Severity
Upgrading @midwayjs/koa from v3 to ^4.0.0 while all other @midwayjs/* packages remain at v3 will break the application. The official Midway v4 migration guide requires upgrading all packages together (@midwayjs/core, @midwayjs/bootstrap, @midwayjs/decorator, @midwayjs/mock, etc.) to v4 simultaneously. Additionally, @midwayjs/koa v4 pulls in koa@3.0.3 (up from v2), and the project's @types/koa at ^2.13.12 conflicts with the bundled @types/koa@3.0.0. Midway v4 also requires Node.js v20+, but the project declares >=18.0.0. The Snyk metadata itself flags isBreakingChange: true.
Additional Locations (1)
|
|
||
| __metadata: | ||
| version: 8 | ||
| version: 6 |
There was a problem hiding this comment.
Lockfile metadata version downgraded from Yarn 4 to 3 format
High Severity
The yarn.lock metadata version was downgraded from 8 (Yarn 4 format) to 6 (Yarn 3 format), but the project specifies "packageManager": "yarn@4.0.2" in package.json. Snyk likely generated the lockfile changes using Yarn 3. This will cause yarn install --immutable to fail in CI, and any developer running yarn install with Yarn 4 will see the entire lockfile reformatted back to version 8, producing a massive diff unrelated to their work. The mixed checksum formats (some prefixed 8/, some not) further confirm format inconsistency.
| "@midwayjs/decorator": "^3.12.3", | ||
| "@midwayjs/i18n": "3.13.7", | ||
| "@midwayjs/koa": "^3.12.0", | ||
| "@midwayjs/koa": "^4.0.0", |
There was a problem hiding this comment.
🔴 Major version mismatch: @midwayjs/koa v4 paired with all other @midwayjs/ packages at v3*
Upgrading @midwayjs/koa to ^4.0.0 while keeping every other @midwayjs/* package on v3 (@midwayjs/core: ^3.13.0, @midwayjs/bootstrap: ^3.12.5, @midwayjs/mock: ^3.12.10, @midwayjs/cross-domain: ^3.12.10, @midwayjs/bull: 3, @midwayjs/mongoose: 3, @midwayjs/redis: 3, @midwayjs/validate: 3, @midwayjs/i18n: 3.13.7, @midwayjs/decorator: ^3.12.3) creates a cross-major-version mismatch. Per the yarn.lock, @midwayjs/koa@4.0.0 depends on koa@3.0.3, whereas all the v3 midway ecosystem packages were built and tested against koa v2. This will likely cause runtime incompatibilities across middleware, filters, and the test harness (the test files at test/user/user.entity.test.ts:2 and test/user/user.controller.test.ts:2 import { Application, Framework } from @midwayjs/koa, which may not be compatible with the v4 API). All @midwayjs/* packages should be upgraded to v4 together, or @midwayjs/koa should remain on v3.
Prompt for agents
In package.json line 16, either revert @midwayjs/koa back to ^3.12.0 to match all other @midwayjs/* packages at v3, or upgrade ALL @midwayjs/* dependencies (core, bootstrap, bull, cross-domain, decorator, i18n, mongoose, redis, validate, mock, cli) to their v4 equivalents simultaneously. The midway framework expects all its packages to be on the same major version. Additionally, if upgrading to v4, update @types/koa in devDependencies from ^2.13.12 to match the v3 koa types that @midwayjs/koa@4 depends on.
Was this helpful? React with 👍 or 👎 to provide feedback.


Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-PICOMATCH-15765511
SNYK-JS-PICOMATCH-15765513
SNYK-JS-YAML-15765520
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
Note
Medium Risk
Upgrades core HTTP framework dependencies (
@midwayjs/koa-> v4 pulling inkoav3 and new router/session/cookie stacks), which may introduce runtime/typing breaking changes. Remaining changes are lockfile refreshes forlint-stagedand transitive packages to remediate reported vulnerabilities.Overview
Updates dependencies to remediate Snyk-reported issues by upgrading
@midwayjs/koafrom v3 to v4 and bumpinglint-staged.The
yarn.lockrefresh pulls in new major versions across the Koa stack (notablykoav3,@koa/routerv12, and@midwayjs/session/@midwayjs/cookiesv4/v1.3) plus updated transitive tooling deps (e.g.,yaml).Written by Cursor Bugbot for commit 1f7a101. This will update automatically on new commits. Configure here.