[Snyk] Security upgrade solana-agent-kit from 1.3.4 to 2.0.1#45
…-starter/pnpm-lock.yaml to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Pull request overview
This PR updates the examples/discord-bot-starter dependency on solana-agent-kit to address Snyk-reported vulnerabilities (prototype pollution via axios and SSRF via langchain/core) by upgrading to the 2.x release line.
Changes:
- Bump solana-agent-kit in the Discord bot starter example.
- Update pnpm-lock.yaml to the new resolved dependency graph.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| examples/discord-bot-starter/package.json | Updates the declared solana-agent-kit dependency range. |
| examples/discord-bot-starter/pnpm-lock.yaml | Updates lockfile resolutions for solana-agent-kit and its transitive deps. |
| "discord.js": "^14.25.1", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "^1.3.4" | ||
| "solana-agent-kit": "^2.0.1" |
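Review bot: this is a semver-major jump (`^1.3.4` to `^2.0.1`), yet per the reviewed-files table only package.json and the lockfile change; confirm the Discord bot starter's own source still builds and runs against the 2.x API before merging, since a major release may rename or remove the exports and constructor options the example relies on. Note also that a caret range on 2.0.1 floats to any later 2.x release, which is why the lockfile already resolved 2.0.10.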
package.json now declares solana-agent-kit: ^2.0.1, but the updated pnpm-lock.yaml resolves solana-agent-kit to 2.0.10 and even records the specifier as ^2.0.10. Please align these (either update package.json to ^2.0.10 / regenerate the lockfile from this package.json, or pin to 2.0.1 if that exact version is required) so installs are reproducible and CI doesn’t report an out-of-date lockfile.
| "solana-agent-kit": "^2.0.1" | |
| "solana-agent-kit": "^2.0.10" |
| @@ -15,8 +15,8 @@ importers: | |||
| specifier: ^16.4.7 | |||
| version: 16.4.7 | |||
| solana-agent-kit: | |||
| specifier: ^1.3.4 | |||
| version: 1.3.4(@noble/hashes@1.7.0)(axios@1.7.9)(borsh@2.0.0)(buffer@6.0.3)(bufferutil@4.0.9)(fastestsmallesttextencoderdecoder@1.0.22)(sodium-native@3.4.1)(typescript@5.7.2)(utf-8-validate@5.0.10) | |||
| specifier: ^2.0.10 | |||
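Review bot: the replacement `version:` line for solana-agent-kit is cut off in this hunk; only the old `1.3.4(@noble/hashes@1.7.0)(axios@1.7.9)...` resolution is visible. Because the upgrade itself is the only fix this PR applies, verify in the full lockfile that the new 2.x resolution no longer pulls the axios and @langchain/core ranges flagged as SNYK-JS-AXIOS-15252993 and SNYK-JS-LANGCHAINCORE-15268429 (for example with `pnpm why axios` and `pnpm why @langchain/core` after a clean install), rather than trusting the version bump alone.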
The lockfile records solana-agent-kit with specifier: ^2.0.10 while package.json declares ^2.0.1. These should match; otherwise pnpm will treat the lockfile as stale and update it during install. Regenerate the lockfile after aligning the dependency range, or update package.json to the same range used here.
| specifier: ^2.0.10 | |
| specifier: ^2.0.1 |
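The mismatch the review comment above describes (package.json declaring `^2.0.1` while the lockfile records `specifier: ^2.0.10`) is easy to catch mechanically before CI does. The following is an added example, not code from the solana-agent-kit project or from the Snyk PR: it parses the declared ranges out of package.json and the `specifier:` entries out of the `importers:` section of pnpm-lock.yaml with a small indentation walk (no YAML library needed), then reports every package where the two disagree. The `PACKAGE_JSON` and `PNPM_LOCK` strings are constructed samples built from the values visible in this PR; the shortened `version:` line is an assumption, real lockfiles carry the full peer-resolution chain.

```python
"""Detect package.json / pnpm-lock.yaml specifier drift for one importer.

Added example, not part of the solana-agent-kit project or the Snyk PR.
The sample inputs below are constructed from the values shown in the PR.
"""
import json
import sys

# Constructed sample: declared ranges as in examples/discord-bot-starter/package.json
PACKAGE_JSON = """{
  "name": "discord-bot-starter",
  "dependencies": {
    "discord.js": "^14.25.1",
    "dotenv": "^16.4.7",
    "solana-agent-kit": "^2.0.1"
  }
}"""

# Constructed sample: the importer block of pnpm-lock.yaml after the PR.
# The version line is shortened; a real lockfile records the full peer chain.
PNPM_LOCK = """lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      discord.js:
        specifier: ^14.25.1
        version: 14.25.1
      dotenv:
        specifier: ^16.4.7
        version: 16.4.7
      solana-agent-kit:
        specifier: ^2.0.10
        version: 2.0.10(axios@1.7.9)
"""


def declared_ranges(package_json_text):
    """Return {name: range} across the dependency sections of a package.json."""
    pkg = json.loads(package_json_text)
    ranges = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        ranges.update(pkg.get(section, {}))
    return ranges


def lock_specifiers(lock_text, importer="."):
    """Return {name: specifier} for one importer in pnpm-lock.yaml.

    Walks the file by indentation: top-level keys at 0, importer keys at 2,
    dependency sections at 4, package names at 6, specifier/version at 8.
    Only the `importers:` section is inspected.
    """
    specs = {}
    in_importers = in_target = False
    current_pkg = None
    for raw in lock_text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            in_importers = line == "importers:"
            in_target = False
        elif not in_importers:
            continue
        elif indent == 2 and line.endswith(":"):
            in_target = line[:-1].strip("'\"") == importer
        elif not in_target:
            continue
        elif indent == 6 and line.endswith(":"):
            current_pkg = line[:-1].strip("'\"")
        elif indent == 8 and line.startswith("specifier:") and current_pkg:
            specs[current_pkg] = line.split(":", 1)[1].strip().strip("'\"")
    return specs


def find_mismatches(package_json_text, lock_text, importer="."):
    """Return [(name, declared_range, locked_specifier)] for every declared
    dependency whose lockfile specifier differs; locked is None if absent."""
    declared = declared_ranges(package_json_text)
    locked = lock_specifiers(lock_text, importer)
    return [
        (name, rng, locked.get(name))
        for name, rng in sorted(declared.items())
        if locked.get(name) != rng
    ]


if __name__ == "__main__":
    drift = find_mismatches(PACKAGE_JSON, PNPM_LOCK)
    for name, declared, locked in drift:
        print(f"{name}: package.json says {declared}, lockfile says {locked}")
    sys.exit(1 if drift else 0)
```

Running the check against the constructed samples reports exactly the drift the reviewer flagged; after aligning package.json to `^2.0.10` (or regenerating the lockfile from `^2.0.1`) it reports nothing. In CI the same guarantee comes from `pnpm install --frozen-lockfile`, which refuses to install when the lockfile no longer matches package.json; the script is useful when you want the offending package named before the install step runs.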
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/discord-bot-starter/package.json
examples/discord-bot-starter/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
SNYK-JS-LANGCHAINCORE-15268429
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)