Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade rollup from 0.64.1 to 3.29.5 #161

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade rollup from 0.64.1 to 3.29.5 #161

wants to merge 1 commit into from

Conversation

Exnadella
Copy link
Owner

@Exnadella Exnadella commented Sep 24, 2024
edited by codiumai-pr-agent-pro bot
Loading

User description

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
medium severity Cross-site Scripting (XSS)
SNYK-JS-ROLLUP-8073097		   648  

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

PR Type

enhancement, dependencies

Description

  • Upgraded rollup dependency from version 0.64.1 to 3.29.5 to address a vulnerability.
  • Added fsevents as an optional dependency in package-lock.json.
  • Reordered dependencies in package-lock.json for consistency.
  • Removed and re-added JSONStream and string-width dependencies in package-lock.json.

Changes walkthrough 📝

Relevant files
Dependencies
package-lock.json
Update dependencies and enhance package-lock.json               

package-lock.json

  • Updated rollup version from 0.64.1 to 3.29.5.
  • Added fsevents as an optional dependency.
  • Reordered some dependencies for consistency.
  • Removed and re-added JSONStream and string-width dependencies.
    		•  +32/-39 
    package.json
    Upgrade rollup version in package.json                                     

    package.json

    • Updated rollup version from 0.64.1 to 3.29.5.
    		 +1/-1     

    💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

    @codiumai-pr-agent-pro CodiumAI PR-Agent Pro
    Copy link

    PR Reviewer Guide 🔍

    ⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
    🧪 No relevant tests
    🔒 No security concerns identified
    ⚡ Key issues to review

    Dependency Update
    The rollup package has been updated from version 0.64.1 to 3.29.5. This is a major version update that may introduce breaking changes.

    @codiumai-pr-agent-pro CodiumAI PR-Agent Pro
    Copy link

    PR Code Suggestions ✨

    CategorySuggestion                                                                                                                                    Score
    Compatibility
    Update Rollup plugins to versions compatible with Rollup 3.x

    Consider updating the rollup-plugin-commonjs and rollup-plugin-node-resolve
    dependencies to versions compatible with Rollup 3.x. The current versions might not
    be fully compatible with the new Rollup version.

    package-lock.json [5439-5448]

     "rollup": {
   "version": "3.29.5",
   "resolved": "https://registry.npmjs.org/rollup/-/rollup-3.29.5.tgz",
   "integrity": "sha512-GVsDdsbJzzy4S/v3dqWPJ7EfvZJfCHiDqe80IyrF59LYuP+e6U1LJoUqeuqRbwAWoMNoXivMNeNAOf5E22VA1w==",
   "requires": {
     "fsevents": "~2.3.2"
   }
 },
-"rollup-plugin-commonjs": {
-  "version": "9.3.4",
+"@rollup/plugin-commonjs": {
+  "version": "25.0.4",
    • Apply this suggestion
    Suggestion importance[1-10]: 8

    Why: The suggestion to update Rollup plugins to versions compatible with Rollup 3.x is valid and important for ensuring compatibility and functionality with the updated Rollup version. This addresses potential compatibility issues that could arise from using outdated plugins.

    		8
    Dependency update
    Replace outdated Rollup plugins with their modern equivalents

    Update the rollup-plugin-commonjs and rollup-plugin-node-resolve dependencies to
    their newer @rollup/plugin-* equivalents, which are compatible with Rollup 3.x.

    package.json [47-49]

     "rollup": "^3.29.5",
-"rollup-plugin-commonjs": "^9.1.5",
-"rollup-plugin-node-resolve": "^3.3.0",
+"@rollup/plugin-commonjs": "^25.0.4",
+"@rollup/plugin-node-resolve": "^15.2.1",
    • Apply this suggestion
    Suggestion importance[1-10]: 8

    Why: Updating to the newer @rollup/plugin-* equivalents is a good practice to maintain compatibility with Rollup 3.x, ensuring that the project uses the latest supported plugins and avoids potential issues with deprecated or incompatible versions.

    		8

    💡 Need additional feedback ? start a PR chat

    @Exnadella Exnadella mentioned this pull request Oct 13, 2024
    Open
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers
    No reviews
    Assignees
    No one assigned
    Labels
    dependencies enhancement New feature or request Review effort [1-5]: 2
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    2 participants
    @Exnadella @snyk-bot