[Snyk] Security upgrade diff from 3.5.0 to 8.0.3#41
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DIFF-14917201
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 62badacaf5
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "classnames": "^2.2.5", | ||
| "clipboard": "^2.0.1", | ||
| "diff": "^3.5.0", | ||
| "diff": "^8.0.3", |
There was a problem hiding this comment.
Changing packages/components/package.json alone doesn’t update the resolved version in package-lock.json, which still pins diff to 3.5.0. Any install that uses the lockfile (e.g. npm ci in CI or contributors) will continue to pull 3.5.0 and the ReDoS fix won’t be applied, so the security upgrade is effectively skipped in those environments. The lockfile needs to be updated alongside this dependency bump to make the upgrade take effect.
Useful? React with 👍 / 👎.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
packages/components/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-DIFF-14917201
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)