[Snyk] Security upgrade devtools-launchpad from 0.0.100 to 0.0.139#46
[Snyk] Security upgrade devtools-launchpad from 0.0.100 to 0.0.139#46
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15032660 - https://snyk.io/vuln/SNYK-JS-TAR-15127355
There was a problem hiding this comment.
Pull request overview
This PR upgrades devtools-launchpad from version 0.0.100 to 0.0.139 to address two directory traversal vulnerabilities in the tar package (SNYK-JS-TAR-15032660 and SNYK-JS-TAR-15127355).
Changes:
- Upgrades devtools-launchpad dependency from ^0.0.100 to ^0.0.139
- Upgrades tar package from 2.2.1 to 4.0.2 (via geckodriver upgrade from 1.4.0 to 1.12.2)
- Introduces numerous transitive dependency updates including React 16.x, selenium-webdriver, check-node-version, and various other packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates devtools-launchpad version from ^0.0.100 to ^0.0.139 |
| yarn.lock | Updates lock file with new dependency versions and adds new transitive dependencies from upgraded devtools-launchpad |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "codemirror": "^5.28.0", | ||
| "devtools-components": "^0.0.2", | ||
| "devtools-launchpad": "^0.0.100", | ||
| "devtools-launchpad": "^0.0.139", |
There was a problem hiding this comment.
Critical dependency conflict: The upgraded devtools-launchpad version 0.0.139 requires React 16.4.1 and react-dom 16.4.1 (as seen in yarn.lock lines 2939-2940), but this project explicitly depends on React 15.6.2 and react-dom 15.6.2 (lines 89-90 in package.json). This will result in two different versions of React being installed in the dependency tree, which can cause runtime errors, duplicated React instances, and hook violations. You need to either upgrade the project's React dependencies to version 16.x or find a compatible version of devtools-launchpad that works with React 15.x.
| "devtools-launchpad": "^0.0.139", | |
| "devtools-launchpad": "0.0.138", |
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15032660
SNYK-JS-TAR-15127355
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal