Skip to content

[Snyk] Fix for 3 vulnerabilities #445

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
q1blue wants to merge 1 commit into
base: next
Choose a base branch
from
Open

[Snyk] Fix for 3 vulnerabilities #445

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 11 additions & 11 deletions code/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@
"dependencies": {
"@chromatic-com/storybook": "^1.6.1",
"@happy-dom/global-registrator": "^14.12.0",
"@nx/eslint": "18.0.6",
"@nx/eslint": "19.1.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This is a major version upgrade for @nx/eslint from v18 to v19. This may introduce breaking changes related to Nx's ESLint integration. Please review the release notes and test thoroughly to ensure compatibility.

"@nx/vite": "18.0.6",
"@nx/workspace": "18.0.6",
"@playwright/test": "1.46.0",
Expand All @@ -114,13 +114,13 @@
"@storybook/addon-themes": "workspace:*",
"@storybook/addon-toolbars": "workspace:*",
"@storybook/addon-viewport": "workspace:*",
"@storybook/angular": "workspace:*",
"@storybook/angular": "3.3.0",
"@storybook/bench": "next",
"@storybook/blocks": "workspace:*",
"@storybook/builder-vite": "workspace:*",
"@storybook/builder-webpack5": "workspace:*",
"@storybook/codemod": "workspace:*",
"@storybook/core": "workspace:*",
"@storybook/builder-webpack5": "6.2.0",
"@storybook/codemod": "3.0.0",
"@storybook/core": "3.3.3",
Comment on lines +117 to +123
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

These dependency upgrades from workspace:* to old, pinned versions are incorrect. This monorepo uses Storybook v8.3, but these changes pin packages to much older versions (e.g., v3.3.0, v6.2.0), which will cause major version conflicts and break the project. The workspace:* protocol is essential for maintaining version consistency in this monorepo. To fix the underlying security vulnerabilities in transitive dependencies (like ajv, qs, diff), please add overrides to the resolutions field in package.json instead of changing these direct dependencies.

    "@storybook/angular": "workspace:*",
    "@storybook/bench": "next",
    "@storybook/blocks": "workspace:*",
    "@storybook/builder-vite": "workspace:*",
    "@storybook/builder-webpack5": "workspace:*",
    "@storybook/codemod": "workspace:*",
    "@storybook/core": "workspace:*"

"@storybook/core-webpack": "workspace:*",
"@storybook/csf": "0.1.11",
"@storybook/csf-plugin": "workspace:*",
Expand All @@ -137,7 +137,7 @@
"@storybook/preact": "workspace:*",
"@storybook/preact-vite": "workspace:*",
"@storybook/preact-webpack5": "workspace:*",
"@storybook/preset-create-react-app": "workspace:*",
"@storybook/preset-create-react-app": "1.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

As with the other @storybook packages, this change is incorrect and should be reverted. Pinning to an old version will break the monorepo. Please use resolutions for transitive vulnerabilities.

    "@storybook/preset-create-react-app": "workspace:*"

"@storybook/preset-html-webpack": "workspace:*",
"@storybook/preset-preact-webpack": "workspace:*",
"@storybook/preset-react-webpack": "workspace:*",
Expand All @@ -161,7 +161,7 @@
"@storybook/vue3-webpack5": "workspace:*",
"@storybook/web-components": "workspace:*",
"@storybook/web-components-vite": "workspace:*",
"@storybook/web-components-webpack5": "workspace:*",
"@storybook/web-components-webpack5": "7.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

As with the other @storybook packages, this change is incorrect and should be reverted. Pinning to an old version will break the monorepo. Please use resolutions for transitive vulnerabilities.

    "@storybook/web-components-webpack5": "workspace:*"

"@testing-library/dom": "^10.4.0",
"@testing-library/jest-dom": "^6.5.0",
"@testing-library/react": "^16.0.0",
Expand All @@ -183,13 +183,13 @@
"@vitest/browser": "^2.0.5",
"@vitest/coverage-istanbul": "^2.0.5",
"@vitest/coverage-v8": "^2.0.5",
"create-storybook": "workspace:*",
"create-storybook": "1.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

As with the other @storybook packages, this change is incorrect and should be reverted. Pinning to an old version will break the monorepo. Please use resolutions for transitive vulnerabilities.

    "create-storybook": "workspace:*"

"cross-env": "^7.0.3",
"danger": "^12.3.3",
"esbuild": "^0.18.0 || ^0.19.0 || ^0.20.0 || ^0.21.0 || ^0.22.0 || ^0.23.0",
"esbuild-loader": "^4.2.0",
"esbuild-plugin-alias": "^0.2.1",
"eslint": "^8.56.0",
"eslint": "^10.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This is a major version upgrade for eslint from v8 to v10. This is a significant jump that likely includes breaking changes to ESLint rules and configurations. Please carefully review the ESLint v9 and v10 migration guides and update your configuration accordingly to avoid linting errors or CI failures.

"eslint-import-resolver-typescript": "^3.6.1",
"eslint-plugin-local-rules": "portal:../scripts/eslint-plugin-local-rules",
"eslint-plugin-playwright": "^1.6.2",
Expand All @@ -209,14 +209,14 @@
"prettier-plugin-css-order": "^2.1.2",
"prettier-plugin-curly": "^0.2.2",
"prettier-plugin-jsdoc": "^1.3.0",
"prettier-plugin-merge": "^0.7.0",
"prettier-plugin-merge": "^0.9.1",
"process": "^0.11.10",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"semver": "^7.3.7",
"serve-static": "^1.14.1",
"slash": "^5.0.0",
"storybook": "workspace:^",
"storybook": "0.0.0",
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Changing the storybook package version from workspace:^ to 0.0.0 is incorrect and will likely break dependency resolution in this monorepo. This change should be reverted.

    "storybook": "workspace:^"

"svelte": "^5.0.0-next.65",
"ts-dedent": "^2.0.0",
"typescript": "^5.4.3",
Expand Down
Loading