Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
]
},
"dependencies": {
"lerna": "^3.0.0-rc.0"
"lerna": "^6.4.1"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lerna 6 upgrade breaks release-canary script flags

High Severity

Upgrading lerna to ^6.4.1 breaks the release-canary script, which uses --cd-version and --npm-tag flags that were removed/renamed in lerna v6. The --cd-version flag was replaced by a positional argument to lerna version, and --npm-tag was renamed to --dist-tag. The canary release workflow will fail at runtime with unrecognized option errors.

Fix in Cursor Fix in Web

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lockfile not updated, security fix not applied

High Severity

The package.json declares lerna@^6.4.1 but the yarn.lock still resolves lerna@^3.0.0-rc.0 to version 3.0.0-rc.0. This means the security vulnerability (SNYK-JS-TAR-15456201) that this PR aims to fix won't actually be remediated. In CI environments using --frozen-lockfile, installations will fail due to the mismatch. Without that flag, yarn may still install the old vulnerable version from the stale lockfile.

Fix in Cursor Fix in Web

},
"name": "next-plugins"
}