[Snyk] Security upgrade lodash from 4.17.23 to 4.18.1#11061
[Snyk] Security upgrade lodash from 4.17.23 to 4.18.1#11061revan-zhang wants to merge 1 commit intoxfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LODASH-15869625 - https://snyk.io/vuln/SNYK-JS-LODASH-15869619
revan-zhang
requested review from
ezailWang,
huhuanming,
originalix and
sidmorizon
as code owners
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 444b0ba461
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "ethereum-blockies-base64": "^1.0.2", | ||
| "iso-639-1": "^2.1.13", | ||
| "lodash": "^4.17.23", | ||
| "lodash": "^4.18.1", |
There was a problem hiding this comment.
Changing @onekeyhq/components to "lodash": "^4.18.1" without a matching yarn.lock update leaves the repo in an inconsistent state: yarn.lock still only contains lodash@npm:^4.17.23 (around yarn.lock:35198), and CI jobs I checked (for example .github/workflows/lint.yml:54) run yarn install --immutable, which fails when manifests and lockfile diverge. This will block standard CI/install flows until the lockfile (and zero-install cache if required) is regenerated and committed.
Useful? React with 👍 / 👎.
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| "ethereum-blockies-base64": "^1.0.2", | ||
| "iso-639-1": "^2.1.13", | ||
| "lodash": "^4.17.23", | ||
| "lodash": "^4.18.1", |
There was a problem hiding this comment.
🔴 yarn.lock not updated for new lodash version, breaking all CI workflows
The package.json was updated to require lodash@^4.18.1, but yarn.lock still only has resolutions for lodash@^4.17.23 (resolving to 4.17.23). Since there is no lockfile entry matching ^4.18.1, every CI workflow that runs yarn install --immutable (confirmed in over 20 workflows in .github/workflows/) will fail because Yarn Berry requires the lockfile to be up-to-date when --immutable is used. The lockfile must be regenerated by running yarn install locally and committing the updated yarn.lock.
Prompt for agents
The yarn.lock file was not updated to match the new lodash dependency version. The lockfile still has a resolution for ^4.17.23 -> 4.17.23 but no resolution for ^4.18.1. Since all CI workflows use yarn install --immutable, this will cause every CI build to fail.
To fix: run yarn install locally to regenerate the lockfile, then commit the updated yarn.lock alongside the package.json change. The old lodash@npm:^4.17.23 entry in yarn.lock should be replaced with a lodash@npm:^4.18.1 entry resolving to 4.18.1.
Was this helpful? React with 👍 or 👎 to provide feedback.
2 participants
Snyk has created this PR to fix 2 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/components/package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15869625
SNYK-JS-LODASH-15869619
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Arbitrary Code Injection