The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15038581
- https://snyk.io/vuln/SNYK-JS-DIFF-14917201
Pull request overview
Updates npm dependencies to remediate two Snyk-reported vulnerabilities (in tar and diff) by upgrading direct dependencies and regenerating the lockfile.
Changes:
- Bump @nestjs/graphql from ^7.9.11 to ^8.0.0
- Bump sinon from ^9.2.4 to ^21.0.1
- Update package-lock.json to reflect the new resolved dependency graph
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updates direct dependency versions to address Snyk vulnerabilities. |
| package-lock.json | Refreshes resolved/transitive dependency versions based on the new direct dependency ranges. |
| "@nestjs/config": "^0.6.3", | ||
| "@nestjs/core": "^7.5.1", | ||
| "@nestjs/graphql": "^7.9.11", | ||
| "@nestjs/graphql": "^8.0.0", |
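Review bot: this is a major-version bump (^7.9.11 to ^8.0.0) made to remediate a transitive advisory, while the @nestjs/core line two rows above stays at ^7.5.1; the PR description should state which of the two advisories this bump addresses and why a patched release on the 7.x line was not sufficient, because pulling NestJS 8 breaking changes into a security fix makes the change harder to review and to roll back.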
@nestjs/graphql was bumped to ^8.0.0, but the project still depends on @nestjs/common/@nestjs/core ^7.x. @nestjs/graphql@8.0.0 declares peer dependencies on @nestjs/common and @nestjs/core ^8.0.0 (see package-lock.json node_modules/@nestjs/graphql -> peerDependencies), so npm install will produce a peer-dependency conflict and can fail with ERESOLVE.
Suggested fix: either upgrade the rest of the NestJS packages to ^8.0.0 (common/core/testing/cli/microservices/platform-fastify, etc.) to keep versions aligned, or keep @nestjs/graphql on a compatible ^7.x version and use npm overrides/other remediation to address the transitive vulnerability instead.
| "@nestjs/graphql": "^8.0.0", | |
| "@nestjs/graphql": "^7.11.0", |
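Review bot: this later change moves @nestjs/graphql back onto the 7.x line (^7.11.0), which matches the @nestjs/core ^7.5.1 range shown in the earlier hunk, but package-lock.json must be regenerated against this range and the resolved versions of tar and diff re-checked, since SNYK-JS-TAR-15038581 and SNYK-JS-DIFF-14917201 are the stated purpose of the PR and a lower graphql release can resolve different transitive versions than the ^8.0.0 lockfile did.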
| "rimraf": "^3.0.2", | ||
| "rxjs": "^6.6.3", | ||
| "sinon": "^9.2.4", | ||
| "sinon": "^21.0.1", |
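Review bot: sinon jumps twelve major versions (^9.2.4 to ^21.0.1) in a change described as a vulnerability remediation; the test file that uses it (apps/api/src/hello/application/hello.controller.spec.ts, named in the comment below) should be run in CI on this branch before merge, and the PR should name the smallest sinon release that clears the advisory it is meant to fix so reviewers can judge whether a narrower bump would do.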
sinon is only referenced from test code (e.g. apps/api/src/hello/application/hello.controller.spec.ts), but it is listed under dependencies. This means production installs (e.g. npm ci --omit=dev) will still ship sinon, increasing install size and runtime supply-chain surface.
Suggested fix: move sinon (and likely @types/sinon) to devDependencies since they are test-only.
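As an added example, not code from this PR or the project, the two review findings above can be turned into a pre-merge check: one function flags @nestjs/* packages whose major version differs from the rest (the peer-dependency mismatch), the other flags production dependencies that are imported only from *.spec.ts files. The package.json fragment and the file-to-imports map are constructed from the ranges and the spec file path shown in this review; the non-spec file path is hypothetical.

```javascript
// Added example, not from this PR or the project: checks for the two review findings above.
// Constructed package.json fragment using the ranges shown in the diff.
const pkg = {
  dependencies: {
    "@nestjs/common": "^7.5.1",
    "@nestjs/core": "^7.5.1",
    "@nestjs/graphql": "^8.0.0",
    "rxjs": "^6.6.3",
    "sinon": "^21.0.1",
  },
  devDependencies: { "@nestjs/testing": "^7.5.1" },
};

// Constructed file -> imports map (hypothetical paths; the spec path is the one named in the review).
const imports = {
  "apps/api/src/hello/application/hello.controller.ts": ["@nestjs/common", "rxjs"],
  "apps/api/src/hello/application/hello.controller.spec.ts": ["@nestjs/testing", "sinon"],
};

// Major version of a caret/tilde/plain range, e.g. "^7.5.1" -> 7.
function majorOf(range) {
  const m = /^[\^~]?(\d+)/.exec(range);
  return m ? Number(m[1]) : null;
}

// @nestjs/* packages whose major differs from the most common @nestjs major in the manifest.
function nestjsMajorMismatches(pkg) {
  const all = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const nest = Object.entries(all).filter(([name]) => name.startsWith("@nestjs/"));
  const counts = new Map();
  for (const [, range] of nest) {
    const major = majorOf(range);
    counts.set(major, (counts.get(major) || 0) + 1);
  }
  const top = [...counts.entries()].sort((a, b) => b[1] - a[1])[0];
  const baseline = top ? top[0] : null;
  return nest.filter(([, range]) => majorOf(range) !== baseline).map(([name]) => name);
}

// Production dependencies imported only from *.spec.ts files: these still ship in
// `npm ci --omit=dev` installs and belong in devDependencies instead.
function testOnlyProdDeps(pkg, imports) {
  const inTests = new Set();
  const inProd = new Set();
  for (const [file, names] of Object.entries(imports)) {
    names.forEach((n) => (file.endsWith(".spec.ts") ? inTests : inProd).add(n));
  }
  return Object.keys(pkg.dependencies || {}).filter((n) => inTests.has(n) && !inProd.has(n));
}
```

On the constructed input, `nestjsMajorMismatches(pkg)` returns `["@nestjs/graphql"]` and `testOnlyProdDeps(pkg, imports)` returns `["sinon"]`, the two packages the review comments single out.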
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-TAR-15038581
- SNYK-JS-DIFF-14917201
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons: Regular Expression Denial of Service (ReDoS)