[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#16
[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#16MHxGH-ServiceAccount wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AJV-15274295
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected. Key Breaking Changes:
Recommendation: This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.
Source: Lerna GitHub Releases, Lerna Documentation
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| }, | ||
| "dependencies": { | ||
| "lerna": "^3.0.0-rc.0" | ||
| "lerna": "^6.4.1" |
There was a problem hiding this comment.
Lockfile still pins vulnerable Lerna version
Medium Severity
package.json upgrades lerna to ^6.4.1, but yarn.lock still resolves lerna@^3.0.0-rc.0. This leaves installs pinned to the old vulnerable dependency and can fail in environments using a frozen lockfile, so the security remediation is not actually applied.


Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AJV-15274295
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
Note
Medium Risk
Dependency-only change, but
lernahas major-version differences that can affect release/publish tooling and CI behavior.Overview
Upgrades the
lernadependency inpackage.jsonfrom^3.0.0-rc.0to^6.4.1to address a reported security vulnerability.Written by Cursor Bugbot for commit ebde03a. This will update automatically on new commits. Configure here.