Skip to content

[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#21

Open
MHxGH-ServiceAccount wants to merge 1 commit into
masterfrom
snyk-fix-db84364adafbbb2e52a3640dbe8db072
Open

[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#21
MHxGH-ServiceAccount wants to merge 1 commit into
masterfrom
snyk-fix-db84364adafbbb2e52a3640dbe8db072

Conversation

@MHxGH-ServiceAccount

@MHxGH-ServiceAccount MHxGH-ServiceAccount commented Mar 12, 2026

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Symlink Attack
SNYK-JS-TAR-15456201
  157  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.


Note

Medium Risk
Medium risk because this is a major-version jump in release tooling (lerna publish) that could break publishing/monorepo workflows even though runtime code is unchanged.

Overview
Upgrades lerna from ^3.0.0-rc.0 to ^6.4.1 in package.json to remediate a security issue.

This may affect release/publish workflows that rely on lerna commands due to the major-version change.

Written by Cursor Bugbot for commit 422658c. This will update automatically on new commits. Configure here.

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15456201
@MHxGH-ServiceAccount

Copy link
Copy Markdown
Author

Merge Risk: High

The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected.

Key Breaking Changes:

  • Removal of lerna bootstrap: The iconic lerna bootstrap, lerna add, and lerna link commands have been removed in favor of using your package manager's native workspaces (npm, yarn, or pnpm). All dependency installation and linking is now expected to be handled by your package manager's install command.
  • Nx Task Runner by Default: Lerna v6 uses the Nx task runner by default (useNx: true). This changes the behavior of lerna run and enables powerful caching capabilities, but it also makes several flags like --sort, --parallel, and --include-dependencies obsolete as Nx manages the task graph.
  • New Configuration: A new nx.json file is required to configure task caching and pipelines. A helper command, lerna repair, is available to help migrate your lerna.json file.
  • Node.js Version Support: Support for older Node.js versions has been dropped. Lerna v5 dropped support for Node 10 and 12, and subsequent versions have continued to drop end-of-life (EOL) versions.

Recommendation:

This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.

  1. Migrate to Package Manager Workspaces: Update your root package.json to define workspaces and remove all calls to lerna bootstrap from your scripts, replacing them with npm install, yarn install, or pnpm install.
  2. Configure Nx: Run npx lerna add-caching to generate a nx.json file and configure task caching.
  3. Update lerna.json: Run lerna repair to update your configuration and remove obsolete properties.
  4. Review lerna run commands: Check your scripts for obsolete flags that are now ignored by the Nx task runner.

Source: Lerna GitHub Releases, Lerna Documentation

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@MHxGH-ServiceAccount

MHxGH-ServiceAccount commented Mar 12, 2026

Copy link
Copy Markdown
Author

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment thread package.json
},
"dependencies": {
"lerna": "^3.0.0-rc.0"
"lerna": "^6.4.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lerna 6 upgrade breaks release-canary script flags

High Severity

Upgrading lerna to ^6.4.1 breaks the release-canary script, which uses --cd-version and --npm-tag flags that were removed/renamed in lerna v6. The --cd-version flag was replaced by a positional argument to lerna version, and --npm-tag was renamed to --dist-tag. The canary release workflow will fail at runtime with unrecognized option errors.

Fix in Cursor Fix in Web

Comment thread package.json
},
"dependencies": {
"lerna": "^3.0.0-rc.0"
"lerna": "^6.4.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile not updated, security fix not applied

High Severity

The package.json declares lerna@^6.4.1 but the yarn.lock still resolves lerna@^3.0.0-rc.0 to version 3.0.0-rc.0. This means the security vulnerability (SNYK-JS-TAR-15456201) that this PR aims to fix won't actually be remediated. In CI environments using --frozen-lockfile, installations will fail due to the mismatch. Without that flag, yarn may still install the old vulnerable version from the stale lockfile.

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants