…t-kit-nextjs-langchain/pnpm-lock.yaml to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
- https://snyk.io/vuln/SNYK-JS-AJV-15274295
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCOMMUNITY-15268428
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Pull request overview
This PR is a Snyk-generated security fix that upgrades 4 dependencies in the examples/agent-kit-nextjs-langchain example to address high and medium severity vulnerabilities. The changes involve major version upgrades across multiple packages that may introduce breaking changes and compatibility issues.
Changes:
- Upgrades @langchain/community and @langchain/core from v0.3 to v1.1 (major version jump)
- Upgrades ESLint from 8.46.0 to 10.0.0 (major version with significant breaking changes)
- Upgrades solana-agent-kit from ^1.3.0 to ^2.0.1 (major version, potentially nonexistent)
| "ai": "^3.1.12", | ||
| "autoprefixer": "10.4.14", | ||
| "eslint": "8.46.0", | ||
| "eslint": "10.0.0", |
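Review bot: none of the four advisories this PR lists (axios, ajv, @langchain/community, @langchain/core) is against eslint itself, so the bump from `"eslint": "8.46.0"` to `"eslint": "10.0.0"` on an exact pin only earns its place if it moves a transitive dependency; eslint 8 depends on ajv 6, so the ajv advisory is the likely driver, but that is a two-major jump and eslint 9 changed the configuration format. Before merging, run `pnpm why ajv` in examples/agent-kit-nextjs-langchain to confirm the ajv advisory is actually resolved by this change, and run `pnpm exec eslint .` there to confirm the existing config still loads against eslint-config-next 13.4.12; if lint no longer runs, the ajv advisory should be handled separately rather than by changing the eslint major.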
The upgrade from eslint 8.46.0 to 10.0.0 may be incompatible with eslint-config-next 13.4.12, which was released when eslint 8 was current. ESLint 9 introduced significant breaking changes (including the new flat config format), and ESLint 10 continues that evolution. The eslint-config-next package at version 13.4.12 was designed for ESLint 8 and may not work correctly with ESLint 10. Consider one of the following:
- Upgrading eslint-config-next to a version compatible with ESLint 10, or
- Keeping ESLint at version 8.x until all related packages are updated, or
- Testing thoroughly to ensure the current configuration works with ESLint 10
| "eslint": "10.0.0", | |
| "eslint": "8.46.0", |
| "@langchain/community": "^1.1.14", | ||
| "@langchain/core": "^1.1.14", |
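Review bot: `@langchain/core` is raised to `^1.1.14` here while, as the overview notes, `@langchain/langgraph` (^0.2.20), `@langchain/openai` (^0.3.11) and `langchain` (^0.3.5) stay on 0.x; each of those declares `@langchain/core` as a peer dependency, so with pnpm's peer resolution a 1.x core in this manifest and a 0.x core wanted by the others will either produce unmet-peer errors at install or install two copies of core, which can break `instanceof` checks on messages and runnables passed between the packages. After `pnpm install`, `pnpm ls @langchain/core` in this example should show exactly one version; if it does not, either bump the remaining @langchain packages in the same PR or, if a fixed 0.3.x release exists, keep core and community on 0.3 and take the two advisories there.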
The major version upgrade of @langchain/core (0.3.17 → 1.1.14) and @langchain/community (0.3.11 → 1.1.14) creates version inconsistency across the repository. Other dependencies like @langchain/langgraph (^0.2.20), @langchain/openai (^0.3.11), and langchain (^0.3.5) remain at 0.x versions. LangChain packages typically have peer dependency requirements, and mixing v0.3 and v1.1 packages may cause compatibility issues. All @langchain/* packages should ideally be upgraded together to ensure compatibility. Consider upgrading @langchain/langgraph, @langchain/openai, and langchain to their v1.x equivalents if available.
| "@langchain/community": "^1.1.14", | |
| "@langchain/core": "^1.1.14", | |
| "@langchain/community": "^0.3.11", | |
| "@langchain/core": "^0.3.17", |
| "react-dom": "^18.3.1", | ||
| "react-toastify": "^9.1.3", | ||
| "solana-agent-kit": "^1.3.0", | ||
| "solana-agent-kit": "^2.0.1", |
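Review bot: none of the four listed advisories names `solana-agent-kit`, so raising it from `^1.3.0` to `^2.0.1` is at most a transitive fix, yet it is a major bump of the very package this example exists to demonstrate, in a manifest whose other dependencies keep their 0.x langchain versions. The suggested `^1.4.8` matches the root package version quoted in the thread and stays within the range the other examples use; whichever version is chosen, the example's agent flow needs to actually be exercised against it, since a lockfile diff alone will not surface an API break, and `pnpm why axios` after the upgrade should show which dependency was carrying the axios advisory so the fix is not attributed to the wrong package.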
The upgrade of solana-agent-kit from ^1.3.0 to ^2.0.1 creates version inconsistency across the repository examples. The root package (main solana-agent-kit library) is at version 1.4.8, and other examples (agent-kit-langgraph, persistent-agent) still use ^1.3.0. This could lead to inconsistent behavior across examples and confusion for users. Consider:
- Updating all examples to use the same version of solana-agent-kit, or
- Documenting why different examples use different versions, or
- Verifying that version 2.0.1 is compatible with the current codebase (since the root package is still at 1.4.8)
| "solana-agent-kit": "^2.0.1", | |
| "solana-agent-kit": "^1.4.8", |
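The two comments above raise the same class of problem twice: a package whose major version differs between the repository's manifests (solana-agent-kit at ^2.0.1 in one example and ^1.3.0 in the others) and @langchain/* packages in one manifest that no longer share a major with @langchain/core, which they all peer-depend on. The script below is an added example and is not code from the Snyk PR or from the solana-agent-kit repository; it implements both checks over package.json contents. The manifests it runs on are constructed from the versions quoted in the thread; the manifest paths, the placement of eslint under devDependencies, and the contents of the two sibling example manifests are assumptions.

```javascript
// Added example, not part of the Snyk PR or the solana-agent-kit repository.
// Two consistency checks over several package.json manifests:
//   crossManifestDrift     - a package pinned to different majors in different manifests
//   langchainMajorMismatch - @langchain/* packages and langchain whose major differs
//                            from @langchain/core in the same manifest (core is their peer)
// The manifests below are constructed from the versions quoted in the review thread;
// the paths and anything not quoted there are assumptions.

// Major version of a range such as "^1.1.14", "~0.3.5", "8.46.0" or ">=1.2.0".
// Returns null for ranges it cannot interpret ("workspace:*", git URLs, "*", "latest").
function majorOf(range) {
  const m = /^[\^~>=<\s]*v?(\d+)\.\d+\.\d+/.exec(String(range));
  return m ? Number(m[1]) : null;
}

// dependencies and devDependencies merged into one name -> range map.
function allDeps(manifest) {
  return { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
}

// Packages whose major version differs between manifests, with the manifest paths
// grouped per major so the report shows which side is the outlier.
function crossManifestDrift(manifests) {
  const seen = new Map(); // name -> Map(major -> [manifest paths])
  for (const [path, manifest] of Object.entries(manifests)) {
    for (const [name, range] of Object.entries(allDeps(manifest))) {
      const major = majorOf(range);
      if (major === null) continue;
      if (!seen.has(name)) seen.set(name, new Map());
      const byMajor = seen.get(name);
      if (!byMajor.has(major)) byMajor.set(major, []);
      byMajor.get(major).push(path);
    }
  }
  const findings = [];
  for (const [name, byMajor] of seen) {
    if (byMajor.size > 1) findings.push({ name, majors: Object.fromEntries(byMajor) });
  }
  return findings.sort((a, b) => a.name.localeCompare(b.name));
}

// Within one manifest, every @langchain/* package and langchain itself should share
// a major with @langchain/core; otherwise pnpm either reports an unmet peer or
// installs a second copy of core.
function langchainMajorMismatch(manifest) {
  const deps = allDeps(manifest);
  const coreMajor = "@langchain/core" in deps ? majorOf(deps["@langchain/core"]) : null;
  if (coreMajor === null) return [];
  return Object.entries(deps)
    .filter(([name]) => name === "langchain" || (name.startsWith("@langchain/") && name !== "@langchain/core"))
    .filter(([, range]) => majorOf(range) !== null && majorOf(range) !== coreMajor)
    .map(([name, range]) => ({ name, range, coreMajor }));
}

// Constructed manifests: the nextjs example as it would look after this PR, plus
// minimal fragments (assumed) for the two sibling examples the thread mentions.
const MANIFESTS = {
  "examples/agent-kit-nextjs-langchain/package.json": {
    dependencies: {
      "@langchain/community": "^1.1.14",
      "@langchain/core": "^1.1.14",
      "@langchain/langgraph": "^0.2.20",
      "@langchain/openai": "^0.3.11",
      "langchain": "^0.3.5",
      "solana-agent-kit": "^2.0.1",
    },
    devDependencies: { "eslint": "10.0.0" }, // devDependencies placement assumed
  },
  "examples/agent-kit-langgraph/package.json": {
    dependencies: { "solana-agent-kit": "^1.3.0" }, // fragment, assumed
  },
  "examples/persistent-agent/package.json": {
    dependencies: { "solana-agent-kit": "^1.3.0" }, // fragment, assumed
  },
};

// Run both checks and return the findings as one object.
function report(manifests) {
  const drift = crossManifestDrift(manifests);
  const mismatches = {};
  for (const [path, manifest] of Object.entries(manifests)) {
    const mm = langchainMajorMismatch(manifest);
    if (mm.length) mismatches[path] = mm;
  }
  return { drift, mismatches };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(report(MANIFESTS), null, 2));
}
```

On the constructed input the drift check reports solana-agent-kit with the nextjs example alone on major 2 and the other two examples on major 1, and the peer check reports @langchain/langgraph, @langchain/openai and langchain as 0.x packages sitting beside a 1.x core. In a real repository the MANIFESTS object would be built by reading each package.json under examples/ plus the root, and a non-empty report would fail the CI job that runs it.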
Snyk has created this PR to fix 4 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
- examples/agent-kit-nextjs-langchain/package.json
- examples/agent-kit-nextjs-langchain/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
SNYK-JS-AJV-15274295
SNYK-JS-LANGCHAINCOMMUNITY-15268428
SNYK-JS-LANGCHAINCORE-15268429
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)