[Snyk] Fix for 2 vulnerabilities #6219
Conversation
…ties The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-HTTPPROXYMIDDLEWARE-8229906 - https://snyk.io/vuln/SNYK-JS-VUETEMPLATECOMPILER-8219888
|
|
|
Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id> |
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 Looks good to me! Reviewed everything up to de0f665 in 8 seconds
More details
- Looked at
22lines of code in1files - Skipped
1files when reviewing. - Skipped posting
2drafted comments based on config settings.
1. frontend/package.json:45
- Draft comment:
The update from@signozhq/design-tokensversion0.0.8to1.0.0is a major version change. Ensure that the codebase is compatible with this new version as it may introduce breaking changes. - Reason this comment was not posted:
Confidence changes required:50%
The PR updates the version of@signozhq/design-tokensfrom0.0.8to1.0.0. This is a major version change, which could introduce breaking changes. It's important to verify if the codebase is compatible with this new version.
2. frontend/package.json:45
- Draft comment:
Ensure that design tokens are used consistently throughout the project to maintain design consistency. - Reason this comment was not posted:
Confidence changes required:33%
The package.json file does not contain any violations related to the rules provided. The changes are related to dependency updates, which are appropriate for the context of the PR.
Workflow ID: wflow_ACSji7FwISiaAU4G
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
|
Build Error! No Linked Issue found. Please link an issue or mention it in the body using #<issue_id> |
|
@ankitnayan can you disable the snyk for org? It keeps creating PRs but we are not looking into them https://github.com/SigNoz/signoz/pulls?q=sort%3Aupdated-desc+is%3Apr+is%3Aopen+Snyk |
Shouldn't we look into them once a while? Like once in a month? Or they are not useful? |
|
The vast majority of them are frontend. @YounixM do you look into them occasionally and address them? |
Snyk has created this PR to fix one or more vulnerable packages in the `yarn` dependencies of this project.
Changes included in this PR
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 8.7
SNYK-JS-HTTPPROXYMIDDLEWARE-8229906
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 2.1
SNYK-JS-VUETEMPLATECOMPILER-8219888
(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Denial of Service (DoS)
Important
Upgrade
@signozhq/design-tokensandhttp-proxy-middlewareto fix security vulnerabilities.@signozhq/design-tokensfrom0.0.8to1.0.0infrontend/package.json.http-proxy-middlewarefrom2.0.6to2.0.7infrontend/package.json.http-proxy-middleware.vue-template-compiler(indirectly through dependency updates).This description was created by
for de0f665. It will automatically update as commits are pushed.