[Snyk] Fix for 2 vulnerabilities#30
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-PICOMATCH-15765511 - https://snyk.io/vuln/SNYK-JS-PICOMATCH-15765513
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
| "@midwayjs/core": "^4.0.3", | ||
| "@midwayjs/cross-domain": "^3.12.10", | ||
| "@midwayjs/decorator": "^3.12.3", | ||
| "@midwayjs/i18n": "3.13.7", | ||
| "@midwayjs/koa": "^3.12.0", | ||
| "@midwayjs/koa": "^4.0.0", |
There was a problem hiding this comment.
🔴 Partial Midway v3→v4 upgrade installs two copies of @midwayjs/core, breaking dependency injection
Only @midwayjs/core and @midwayjs/koa are upgraded to v4, while all other @midwayjs/* packages remain on v3. This causes two separate versions of @midwayjs/core to be installed simultaneously (confirmed in yarn.lock: both @midwayjs/core@3.13.0 and @midwayjs/core@4.0.3). Specifically, @midwayjs/decorator@3.13.0 depends on @midwayjs/core@^3.13.0, pulling in the v3 copy. Since decorators like @Controller, @Inject, @Provide (used throughout src/) register metadata against the v3 core instance, but the application framework (@midwayjs/koa@4.0.3) and configuration use the v4 core instance, the IoC container will not see the registered components. Additionally, bootstrap.js uses @midwayjs/bootstrap@3.13.0 (still v3) to start the app, further mixing v3 and v4 runtime contexts. The remaining v3 packages that need upgrading include: @midwayjs/bootstrap, @midwayjs/bull, @midwayjs/cross-domain, @midwayjs/decorator, @midwayjs/i18n, @midwayjs/mongoose, @midwayjs/redis, @midwayjs/validate, and @midwayjs/mock.
Prompt for agents
The PR upgrades @midwayjs/core and @midwayjs/koa to v4 but leaves all other @midwayjs/* packages on v3. This creates two copies of @midwayjs/core in the dependency tree (v3.13.0 via @midwayjs/decorator, and v4.0.3 direct), which breaks the IoC container since decorators register metadata against the wrong core instance.
To fix this, either:
1. Upgrade ALL @midwayjs/* packages to their v4 equivalents (bootstrap, bull, cross-domain, decorator, i18n, mongoose, redis, validate, mock, cli) following the official Midway v4 migration guide. Some packages may have been renamed, merged, or deprecated in v4.
2. Or revert core and koa back to v3 if the full migration is not yet ready.
Key packages in package.json that need v4 versions: @midwayjs/bootstrap, @midwayjs/bull, @midwayjs/cross-domain, @midwayjs/decorator, @midwayjs/i18n, @midwayjs/mongoose, @midwayjs/redis, @midwayjs/validate (dependencies), and @midwayjs/mock, @midwayjs/cli (devDependencies). Note that in Midway v4, @midwayjs/decorator may have been merged into @midwayjs/core, so the separate decorator dependency might need to be removed entirely.
Was this helpful? React with 👍 or 👎 to provide feedback.
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-PICOMATCH-15765511
SNYK-JS-PICOMATCH-15765513
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution