
[Snyk] Fix for 2 vulnerabilities#51

Open
SMSDAO wants to merge 1 commit intomainfrom
snyk-fix-7caccc05c7b2cd528395ec93123d8142

Conversation


@SMSDAO SMSDAO commented Feb 16, 2026


Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • examples/tg-bot-starter/advanced-tg-bot/package.json
  • examples/tg-bot-starter/advanced-tg-bot/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                              Score
high severity    Prototype Pollution (SNYK-JS-AXIOS-15252993)                        828
medium severity  Server-side Request Forgery (SSRF) (SNYK-JS-LANGCHAINCORE-15268429) 541

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)

…tg-bot-starter/advanced-tg-bot/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Copilot AI review requested due to automatic review settings February 16, 2026 06:01

Copilot AI left a comment


Pull request overview

This is a security-focused pull request created by Snyk to fix 2 vulnerabilities by upgrading dependencies in the examples/tg-bot-starter/advanced-tg-bot project:

  1. Prototype Pollution vulnerability in axios (SNYK-JS-AXIOS-15252993) with a severity score of 828
  2. Server-side Request Forgery (SSRF) vulnerability in langchain-core (SNYK-JS-LANGCHAINCORE-15268429) with a severity score of 541

Changes:

  • Upgrades @langchain/core from ^0.3.26 to ^1.1.14 (major version bump)
  • Upgrades solana-agent-kit from ^1.3.0 to ^2.0.1 (major version bump)
  • Updates the entire dependency tree in pnpm-lock.yaml with hundreds of transitive dependency changes

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File                                                    Description
examples/tg-bot-starter/advanced-tg-bot/package.json    Updates two direct dependencies to fix security vulnerabilities
examples/tg-bot-starter/advanced-tg-bot/pnpm-lock.yaml  Comprehensive lockfile update with new dependency tree including major version changes


"react": "^19.2.0",
"react-dom": "^19.0.0",
"solana-agent-kit": "^1.3.0"
"solana-agent-kit": "^2.0.1"
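Review bot: the snippet moves solana-agent-kit from ^1.3.0 to ^2.0.1 with no accompanying source change under examples/tg-bot-starter/advanced-tg-bot, so nothing in the diff shows that the bot still builds against the 2.x API; a major bump riding on a security fix PR should get at least a build and a smoke run of the bot before merge. Note also that neither listed vulnerability is in solana-agent-kit itself: the axios Prototype Pollution (SNYK-JS-AXIOS-15252993) is reached transitively, since axios is not one of the two direct dependencies touched in package.json, so the effective axios fix lives in pnpm-lock.yaml and `pnpm why axios` after install is the quick way to confirm no path still resolves a vulnerable axios.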

Copilot AI Feb 16, 2026


The solana-agent-kit package is being updated from ^1.3.0 to ^2.0.1, which is a major version bump. This is a breaking change and could affect the functionality of the bot. The application code should be reviewed and tested to ensure it's compatible with the new 2.x API of solana-agent-kit, as major version changes typically include breaking API changes.

Suggested change
"solana-agent-kit": "^2.0.1"
"solana-agent-kit": "^1.3.0"

"react": "^19.2.0",
"react-dom": "^19.0.0",
"solana-agent-kit": "^1.3.0"
"solana-agent-kit": "^2.0.1"
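Review bot: the ^2.0.1 range on this line is consistent with the 2.0.10 that the lockfile resolves to, because a caret range accepts any 2.x.y at or above 2.0.1; raising the manifest to ^2.0.10 is optional and only matters if the floor should exclude 2.0.1 through 2.0.9. What does need enforcing is that manifest and lockfile stay in agreement, which `pnpm install --frozen-lockfile` in CI will do by failing the build when they drift.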

Copilot AI Feb 16, 2026


The PR description mentions upgrading solana-agent-kit to fix vulnerabilities, but the package.json specifies ^2.0.1 while the PR description mentions ^2.0.10. The diff shows the version in package.json is being changed from ^1.3.0 to ^2.0.1, but the pnpm-lock.yaml shows version 2.0.10 is actually being installed. This inconsistency should be resolved - either update package.json to ^2.0.10 to match what's actually being installed, or explain why the versions differ.

Suggested change
"solana-agent-kit": "^2.0.1"
"solana-agent-kit": "^2.0.10"

},
"dependencies": {
"@langchain/core": "^0.3.26",
"@langchain/core": "^1.1.14",
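Review bot: @langchain/core jumps from ^0.3.26 to ^1.1.14 here while the sibling packages named in the overview (@langchain/langgraph, @langchain/langgraph-checkpoint-postgres, @langchain/openai) are not touched in package.json, so their peer ranges on @langchain/core need checking; pnpm prints peer-dependency warnings at install time, and a sibling still pinned to a 0.x peer range would leave two copies of @langchain/core in the tree, which commonly causes runtime type mismatches between langchain packages. Since only 1 of the 2 changed files was reviewed, the resolved @langchain/core and axios entries in pnpm-lock.yaml should be inspected directly rather than trusted from the manifest alone.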

Copilot AI Feb 16, 2026


The @langchain/core package is being upgraded from ^0.3.26 to ^1.1.14, which is a major version bump (0.x to 1.x). According to the pnpm-lock.yaml, the actual installed version will be 1.1.24. This major version change may introduce breaking changes that could affect compatibility with other @langchain packages in the project (@langchain/langgraph, @langchain/langgraph-checkpoint-postgres, @langchain/openai). These peer dependencies should be verified for compatibility with the new major version of @langchain/core.

Suggested change
"@langchain/core": "^1.1.14",
"@langchain/core": "^0.3.26",
