[Snyk] Security upgrade solana-agent-kit from 1.3.4 to 2.0.1#40
[Snyk] Security upgrade solana-agent-kit from 1.3.4 to 2.0.1#40
Conversation
…-starter/pnpm-lock.yaml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-GLOB-14040952 - https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
There was a problem hiding this comment.
Pull request overview
This PR is an automated security upgrade generated by Snyk to address two vulnerabilities in transitive dependencies (Command Injection in glob and ReDoS in brace-expansion). The PR updates the solana-agent-kit dependency in the discord-bot-starter example from version 1.3.4 to 2.0.1 (which resolves to 2.0.10 in the lock file).
Changes:
- Upgraded solana-agent-kit from ^1.3.4 to ^2.0.1 in examples/discord-bot-starter
- This is a major version upgrade (1.x to 2.x) with significantly different dependency structure
- The upgrade addresses security vulnerabilities in transitive dependencies
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "discord.js": "^14.25.1", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "^1.3.4" | ||
| "solana-agent-kit": "^2.0.1" |
There was a problem hiding this comment.
This upgrade to solana-agent-kit 2.0.10 (via ^2.0.1 specification) appears problematic. The root package is at version 1.4.8, and all other examples in the repository use versions 1.3.0-1.4.8. Version 2.0.10 has a completely different dependency structure - it includes @openai/agents and only has a minimal set of dependencies compared to the comprehensive v1.x versions. This appears to be either a different package, a major fork, or an incompatible version. The code in this example uses SolanaAgentKit and createSolanaTools which may have different APIs in version 2.x. This needs verification that: 1) version 2.0.10 is the correct official package, 2) the API is compatible with the existing code, and 3) this version should be used instead of updating all examples consistently.
| "solana-agent-kit": "^2.0.1" | |
| "solana-agent-kit": "^1.4.8" |
| "discord.js": "^14.25.1", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "^1.3.4" | ||
| "solana-agent-kit": "^2.0.1" |
There was a problem hiding this comment.
This example is being upgraded to solana-agent-kit version 2.0.1/2.0.10 while all other examples in the repository still use version 1.3.0-1.4.8. If this security upgrade is necessary, consider whether all examples should be upgraded consistently to the same version to maintain consistency across the codebase and avoid confusion about which version should be used.
| "discord.js": "^14.25.1", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "^1.3.4" | ||
| "solana-agent-kit": "^2.0.1" |
There was a problem hiding this comment.
The PR description states this upgrades solana-agent-kit to version 2.0.1, but the pnpm-lock.yaml shows version 2.0.10 was actually resolved and installed. This discrepancy should be clarified - either the package.json should specify ^2.0.10 for accuracy, or the PR description should be updated to reflect the actual version being installed.
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/discord-bot-starter/package.jsonexamples/discord-bot-starter/pnpm-lock.yamlVulnerabilities that will be fixed with an upgrade:
SNYK-JS-GLOB-14040952
SNYK-JS-BRACEEXPANSION-9789073
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Command Injection