[Snyk] Security upgrade shakapacker from 6.5.5 to 9.5.0#26
[Snyk] Security upgrade shakapacker from 6.5.5 to 9.5.0#26karimkawambwa wants to merge 1 commit intomasterfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SHAKAPACKER-14912582
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| "sass": "^1.37.5", | ||
| "sass-loader": "^12.1.0", | ||
| "shakapacker": "6.5.5", | ||
| "shakapacker": "9.5.0", |
There was a problem hiding this comment.
Bug: The shakapacker NPM package version (9.5.0) is incompatible with the locked Ruby gem version (6.5.5), which will cause runtime failures during asset compilation.
Severity: CRITICAL
Suggested Fix
Update the shakapacker gem in the Gemfile to match the NPM package version (9.5.0). Remove the conflicting @rails/webpacker dependency from package.json. Update bin/webpacker and bin/webpacker-dev-server scripts to use the new Shakapacker:: constants and require "shakapacker" path. Finally, run bundle install and yarn install to update the lockfiles.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: package.json#L24
Potential issue: The `shakapacker` NPM package is being upgraded to version 9.5.0, but
the corresponding Ruby gem in `Gemfile.lock` remains at version 6.5.5. This major
version mismatch will cause runtime failures during asset compilation or when starting
the development server. The Ruby gem (v6.5.5) and the NPM package (v9.5.0) have
incompatible APIs. Specifically, the `bin/webpacker` and `bin/webpacker-dev-server`
scripts rely on the older gem's API, while the webpack configuration will use the newer
NPM package's API, leading to conflicts. Additionally, the `package.json` retains a
dependency on `@rails/webpacker`, which is incompatible with `shakapacker` and will
cause build configuration conflicts.
Did we get this right? 👍 / 👎 to inform future reviews.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-SHAKAPACKER-14912582
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.