Skip to content

[Snyk] Fix for 2 vulnerabilities#30

Open
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-59e25c758580f5399e847f157f700aa1
Open

[Snyk] Fix for 2 vulnerabilities#30
revan-zhang wants to merge 1 commit into
mainfrom
snyk-fix-59e25c758580f5399e847f157f700aa1

Conversation

@revan-zhang

@revan-zhang revan-zhang commented Apr 17, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PICOMATCH-15765511
  585  
medium severity Prototype Pollution
SNYK-JS-PICOMATCH-15765513
  495  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution


Open with Devin

@revan-zhang

revan-zhang commented Apr 17, 2026

Copy link
Copy Markdown
Contributor Author

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​midwayjs/​koa@​3.13.0 ⏵ 4.0.379 +210075 +399 +3100
Added@​midwayjs/​core@​4.0.3871007999100

View full report

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

View 2 additional findings in Devin Review.

Open in Devin Review

Comment thread package.json
Comment on lines +12 to +16
"@midwayjs/core": "^4.0.3",
"@midwayjs/cross-domain": "^3.12.10",
"@midwayjs/decorator": "^3.12.3",
"@midwayjs/i18n": "3.13.7",
"@midwayjs/koa": "^3.12.0",
"@midwayjs/koa": "^4.0.0",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Partial Midway v3→v4 upgrade installs two copies of @midwayjs/core, breaking dependency injection

Only @midwayjs/core and @midwayjs/koa are upgraded to v4, while all other @midwayjs/* packages remain on v3. This causes two separate versions of @midwayjs/core to be installed simultaneously (confirmed in yarn.lock: both @midwayjs/core@3.13.0 and @midwayjs/core@4.0.3). Specifically, @midwayjs/decorator@3.13.0 depends on @midwayjs/core@^3.13.0, pulling in the v3 copy. Since decorators like @Controller, @Inject, @Provide (used throughout src/) register metadata against the v3 core instance, but the application framework (@midwayjs/koa@4.0.3) and configuration use the v4 core instance, the IoC container will not see the registered components. Additionally, bootstrap.js uses @midwayjs/bootstrap@3.13.0 (still v3) to start the app, further mixing v3 and v4 runtime contexts. The remaining v3 packages that need upgrading include: @midwayjs/bootstrap, @midwayjs/bull, @midwayjs/cross-domain, @midwayjs/decorator, @midwayjs/i18n, @midwayjs/mongoose, @midwayjs/redis, @midwayjs/validate, and @midwayjs/mock.

Prompt for agents
The PR upgrades @midwayjs/core and @midwayjs/koa to v4 but leaves all other @midwayjs/* packages on v3. This creates two copies of @midwayjs/core in the dependency tree (v3.13.0 via @midwayjs/decorator, and v4.0.3 direct), which breaks the IoC container since decorators register metadata against the wrong core instance.

To fix this, either:
1. Upgrade ALL @midwayjs/* packages to their v4 equivalents (bootstrap, bull, cross-domain, decorator, i18n, mongoose, redis, validate, mock, cli) following the official Midway v4 migration guide. Some packages may have been renamed, merged, or deprecated in v4.
2. Or revert core and koa back to v3 if the full migration is not yet ready.

Key packages in package.json that need v4 versions: @midwayjs/bootstrap, @midwayjs/bull, @midwayjs/cross-domain, @midwayjs/decorator, @midwayjs/i18n, @midwayjs/mongoose, @midwayjs/redis, @midwayjs/validate (dependencies), and @midwayjs/mock, @midwayjs/cli (devDependencies). Note that in Midway v4, @midwayjs/decorator may have been merged into @midwayjs/core, so the separate decorator dependency might need to be removed entirely.
Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants