Skip to content

[Snyk] Fix for 4 vulnerabilities#293

Closed
rvu-snyk wants to merge 1 commit into
masterfrom
snyk-fix-3226d2a2e823cfd28b491dcaf3a7049c
Closed

[Snyk] Fix for 4 vulnerabilities#293
rvu-snyk wants to merge 1 commit into
masterfrom
snyk-fix-3226d2a2e823cfd28b491dcaf3a7049c

Conversation

@rvu-snyk

@rvu-snyk rvu-snyk commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

snyk-top-banner

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning 
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity HTTP Header Injection
SNYK-JS-KOA-15353398		   828  
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-15309438		   828  
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-15353387		   828  
high severity Inefficient Algorithmic Complexity
SNYK-JS-MINIMATCH-15353389		   828  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@rvu-snyk

rvu-snyk commented Feb 27, 2026

Copy link
Copy Markdown
Contributor Author

Merge Risk: High

This release includes major version upgrades for del and lerna which introduce significant breaking changes, and a patch upgrade for koa.

del: 3.0.0 → 8.0.0 (HIGH RISK)

This upgrade spans multiple major versions and introduces several critical breaking changes. Action will be required to migrate.

  • ESM Only: Starting from v6.0.0, del is a pure ESM package. You must switch from require('del') to import {deleteAsync} from 'del'.
  • API Renaming: The main function has been renamed from del to deleteAsync, and the synchronous version is now a separate deleteSync export as of v6.0.0.
  • Node.js Requirement: Support for older Node.js versions has been dropped incrementally. Version 5.0.0 requires Node.js 8, v6.0.0 requires Node.js 12.20, and v8.0.0 requires Node.js 18.
  • Path Handling: As of v5.0.0, backward-slashes in glob patterns are no longer supported. Use path.posix.join() or a similar method to ensure forward-slashes.

Recommendation: Due to the switch to ESM and API renaming, you will need to refactor how you import and call the del function. Ensure your project's Node.js version meets the new requirements.

lerna: 8.2.4 → 9.0.4 (HIGH RISK)

This major version upgrade introduces breaking changes related to Node.js support and legacy commands.

  • Dropped Node.js Support: Lerna v9 drops support for Node.js 18. Supported versions are now ^20.19.0 || ^22.12.0 || >=24.0.0.
  • Legacy Command Removal: The deprecated commands lerna add, lerna bootstrap, and lerna link have been formally removed. Developers must now use their package manager's native workspace features.

Recommendation: Before upgrading, ensure your environment is running a supported version of Node.js. If you are using the removed legacy commands, you must migrate to your package manager's workspace commands (e.g., npm install, yarn install). It is also recommended to run lerna repair after upgrading to migrate your lerna.json configuration.

koa: 2.16.3 → 2.16.4 (LOW RISK)

This is a patch release that addresses a security vulnerability. No breaking changes are expected.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@rvu-snyk rvu-snyk closed this Jun 15, 2026
@rvu-snyk

rvu-snyk commented Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

✅ This PR has been automatically closed

The security issues addressed by this pull request are no longer present in the latest project scan. All vulnerabilities this PR was created to fix have been resolved through other means (e.g., dependency updates, direct fixes, or changes in vulnerability data).

Resolved Issues

  • SNYK-JS-KOA-15353398
  • SNYK-JS-MINIMATCH-15353387
  • SNYK-JS-MINIMATCH-15353389
  • SNYK-JS-MINIMATCH-15309438

What should I do?

No action is required. If you believe this PR was closed in error, you can reopen it and contact Snyk support.

This action was performed automatically by Snyk.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rvu-snyk @snyk-bot