[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#21
[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1#21MHxGH-ServiceAccount wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15456201
|
The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected. Key Breaking Changes:
Recommendation: This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.
Source: Lerna GitHub Releases, Lerna Documentation
|
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| }, | ||
| "dependencies": { | ||
| "lerna": "^3.0.0-rc.0" | ||
| "lerna": "^6.4.1" |
There was a problem hiding this comment.
Lerna 6 upgrade breaks release-canary script flags
High Severity
Upgrading lerna to ^6.4.1 breaks the release-canary script, which uses --cd-version and --npm-tag flags that were removed/renamed in lerna v6. The --cd-version flag was replaced by a positional argument to lerna version, and --npm-tag was renamed to --dist-tag. The canary release workflow will fail at runtime with unrecognized option errors.
| }, | ||
| "dependencies": { | ||
| "lerna": "^3.0.0-rc.0" | ||
| "lerna": "^6.4.1" |
There was a problem hiding this comment.
Lockfile not updated, security fix not applied
High Severity
The package.json declares lerna@^6.4.1 but the yarn.lock still resolves lerna@^3.0.0-rc.0 to version 3.0.0-rc.0. This means the security vulnerability (SNYK-JS-TAR-15456201) that this PR aims to fix won't actually be remediated. In CI environments using --frozen-lockfile, installations will fail due to the mismatch. Without that flag, yarn may still install the old vulnerable version from the stale lockfile.


Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15456201
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Medium Risk
Medium risk because this is a major-version jump in release tooling (
lerna publish) that could break publishing/monorepo workflows even though runtime code is unchanged.Overview
Upgrades
lernafrom^3.0.0-rc.0to^6.4.1inpackage.jsonto remediate a security issue.This may affect release/publish workflows that rely on
lernacommands due to the major-version change.Written by Cursor Bugbot for commit 422658c. This will update automatically on new commits. Configure here.