[Snyk] Security upgrade solana-agent-kit from 1.4.5 to 2.0.1#39
…i-personality-engine/package-lock.json to reduce vulnerabilities. The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-GLOB-14040952
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Pull request overview
This PR is an automated Snyk security upgrade that attempts to update the solana-agent-kit dependency in the orbofi-personality-engine example from version ^1.3.0 to ^2.0.1 to fix two security vulnerabilities: a high-severity Command Injection vulnerability in the glob package and a low-severity Regular Expression Denial of Service (ReDoS) vulnerability in the brace-expansion package.
Changes:
- Updates the solana-agent-kit dependency version from ^1.3.0 to ^2.0.1 in the orbofi-personality-engine example
| "dependencies": { | ||
| "@langchain/langgraph-checkpoint-postgres": "^0.0.2", | ||
| "solana-agent-kit": "^1.3.0" | ||
| "solana-agent-kit": "^2.0.1" |
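Review bot: The bump from ^1.3.0 to ^2.0.1 crosses a major version, so the new caret range shares no versions with the old one and the example's imports and calls against solana-agent-kit should be checked against the 2.x API before this is merged. The two advisories being fixed (glob, brace-expansion) are transitive, so also confirm in the regenerated package-lock.json that the resolved versions of those packages actually moved rather than only the direct dependency.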
This PR only upgrades the solana-agent-kit dependency in one example (orbofi-personality-engine) while leaving other examples on older versions (1.3.0, 1.3.4, 1.3.7, and 1.4.8). For consistency and to ensure all examples benefit from the security fixes, all examples using solana-agent-kit should be upgraded together. Examples that still use older versions include: agent-kit-langgraph, agent-kit-nextjs-langchain, discord-bot-starter, market-making-agent, persistent-agent, and the tg-bot-starter variations.
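A consistency check in the spirit of the comment above, written as an added example that is not part of the PR or the repository: it reports which example manifests declare a solana-agent-kit range that can never resolve to the fixed release. The manifests are constructed sample data, and the range parser handles only plain `^`, `~` and exact `x.y.z` ranges.

```javascript
// Parse "1.4.8" / "^1.4.8" / "~1.4.8" into its operator and numeric parts.
// Assumption: ranges use only ^, ~ or an exact version (no ||, >=, x wildcards).
function parseRange(range) {
  const m = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { op: m[1], major: +m[2], minor: +m[3], patch: +m[4] };
}

function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// True if the declared range can ever resolve to `fixed`, following npm's
// semver rules: ^ keeps the left-most non-zero component fixed, ~ keeps the minor.
function rangeCanResolveTo(range, fixed) {
  const r = parseRange(range), f = parseRange(fixed);
  if (cmp(f, r) < 0) return false;            // fixed release is below the range floor
  if (r.op === '^') {
    if (r.major > 0) return f.major === r.major;                  // ^1.3.0 -> <2.0.0
    if (r.minor > 0) return f.major === 0 && f.minor === r.minor; // ^0.1.0 -> <0.2.0
    return cmp(f, r) === 0;                                       // ^0.0.2 -> exactly 0.0.2
  }
  if (r.op === '~') return f.major === r.major && f.minor === r.minor;
  return cmp(f, r) === 0;                     // exact pin
}

// Names of examples whose declared range for `dep` cannot reach `fixed`.
// Examples that do not depend on `dep` at all are skipped.
function findLaggingExamples(manifests, dep, fixed) {
  return Object.entries(manifests)
    .filter(([, pkg]) => pkg.dependencies && dep in pkg.dependencies)
    .filter(([, pkg]) => !rangeCanResolveTo(pkg.dependencies[dep], fixed))
    .map(([name]) => name);
}

// Constructed sample manifests (not the repository's real package.json files).
const sampleManifests = {
  'orbofi-personality-engine': { dependencies: { 'solana-agent-kit': '^2.0.1' } },
  'agent-kit-langgraph':       { dependencies: { 'solana-agent-kit': '^1.3.0' } },
  'persistent-agent':          { dependencies: { 'solana-agent-kit': '^1.4.8' } },
  'unrelated-example':         { dependencies: { express: '^4.18.0' } },
};

console.log(findLaggingExamples(sampleManifests, 'solana-agent-kit', '2.0.1'));
```

In a real checkout the same function can be fed the parsed contents of each examples/*/package.json instead of the inline sample.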
| "solana-agent-kit": "^2.0.1" | |
| "solana-agent-kit": "^1.4.8" |
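Review bot: The ^1.4.8 range shown here stays within major version 1 and can never resolve to 2.0.1, so this example keeps whatever transitive glob and brace-expansion versions 1.x pulls in and gets nothing from this PR; either bump it in the same change or open a tracked follow-up so the examples do not drift on a security fix.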
| "dependencies": { | ||
| "@langchain/langgraph-checkpoint-postgres": "^0.0.2", | ||
| "solana-agent-kit": "^1.3.0" | ||
| "solana-agent-kit": "^2.0.1" |
The PR title and description state that this is an upgrade "from 1.4.5 to 2.0.1", but the actual change in the package.json file shows an upgrade from ^1.3.0 to ^2.0.1. This discrepancy between the PR description and the actual code changes should be clarified. The Snyk metadata may be referencing a different version than what was actually in the file.
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
examples/orbofi-personality-engine/package.json
examples/orbofi-personality-engine/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-GLOB-14040952
SNYK-JS-BRACEEXPANSION-9789073