The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-15252993 - https://snyk.io/vuln/SNYK-JS-AJV-15274295 - https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Pull request overview
This PR is an automated security fix from Snyk that attempts to address 3 vulnerabilities by upgrading four dependencies: axios (Prototype Pollution), ajv (ReDoS via @langchain dependencies), and @langchain/core (SSRF). However, the PR contains a critical error with a non-existent axios version and may introduce breaking changes.
Changes:
- Upgrades @drift-labs/sdk from beta version 2.109.0-beta.11 to stable 2.129.0
- Upgrades @drift-labs/vaults-sdk from ^0.3.29 to ^0.9.90 (major version jump)
- Upgrades @langchain/core from ^0.3.26 to ^1.1.14 (major version upgrade)
- Upgrades axios from ^1.7.9 to ^1.13.5 (non-existent version)
| "@drift-labs/sdk": "2.109.0-beta.11", | ||
| "@drift-labs/vaults-sdk": "^0.3.29", | ||
| "@langchain/core": "^0.3.26", | ||
| "@drift-labs/sdk": "2.129.0", |
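Review bot: the @drift-labs/sdk bump from 2.109.0-beta.11 to 2.129.0 in this hunk is not tied to any of the three advisories the PR lists (axios, ajv, @langchain/core), and the PR body says only package.json was changed, so pnpm-lock.yaml still resolves the old versions. Run `pnpm install --lockfile-only` and commit the updated lockfile in the same PR; otherwise a CI `pnpm install --frozen-lockfile` fails and the vulnerable resolutions stay in place. If the SDK bump is the transitive path to one of the advisories, the description should say which.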
This upgrade transitions from a beta version (2.109.0-beta.11) to a stable release (2.129.0), which is generally a positive change. However, this represents a jump of approximately 20 minor versions. The @drift-labs/sdk is used extensively in src/tools/drift/ for trading operations, market data, and position management. The transition from beta to stable may include API changes or behavioral differences that should be verified through testing.
| "@drift-labs/sdk": "2.129.0", | |
| "@drift-labs/sdk": "2.109.0", |
| "@langchain/core": "^0.3.26", | ||
| "@drift-labs/sdk": "2.129.0", | ||
| "@drift-labs/vaults-sdk": "^0.9.90", | ||
| "@langchain/core": "^1.1.14", |
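Review bot: @langchain/core moves from ^0.3.26 to ^1.1.14 here, but the hunk shows no matching bump for the sibling @langchain packages, so any of @langchain/groq, @langchain/langgraph or @langchain/openai whose peerDependencies still declare a 0.x @langchain/core range will report an unmet peer at install time, and a second, older copy of @langchain/core can remain reachable through them. Bump the siblings alongside and confirm with `pnpm why @langchain/core` that a single 1.x copy resolves.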
This is a major version upgrade from 0.3.x to 1.1.x for @langchain/core. Major version changes typically include breaking API changes. The examples/agent-kit-langgraph/package.json uses @langchain/core version ^0.3.26, which may become incompatible with this upgrade. While the main package doesn't directly import from @langchain/core, it depends on other @langchain packages (@langchain/groq, @langchain/langgraph, @langchain/openai) that may have peer dependency requirements on specific @langchain/core versions. These dependencies should be checked for compatibility with @langchain/core 1.1.14.
| "@langchain/core": "^1.1.14", | |
| "@langchain/core": "^0.3.26", |
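The peer-dependency check the comment above asks for can be scripted rather than done by eye. The following is an added example, not code from this repository or from Snyk or Copilot: it takes a list of package manifests and reports every package whose `peerDependencies` range for `@langchain/core` does not admit the proposed version. The manifests embedded below are constructed samples with made-up version ranges, not the real published `@langchain/*` manifests; in a real run you would load `node_modules/@langchain/*/package.json` instead. The range evaluator is a deliberately small subset of semver (`^`, `~`, comparison operators, `||` unions; no hyphen ranges or `x` wildcards) so that the example runs offline without the `semver` package.

```javascript
// Check whether a proposed @langchain/core version satisfies the peerDependencies
// of sibling packages. Added example; manifests below are constructed, not real.

const PROPOSED_CORE = "1.1.14";            // version this PR moves @langchain/core to

// Constructed sample manifests (assumed ranges, not the real published ones).
const SAMPLE_MANIFESTS = [
  { name: "@langchain/openai",    version: "0.3.14", peerDependencies: { "@langchain/core": ">=0.2.26 <0.4.0" } },
  { name: "@langchain/groq",      version: "0.1.3",  peerDependencies: { "@langchain/core": ">=0.2.21 <0.4.0" } },
  { name: "@langchain/langgraph", version: "1.0.0",  peerDependencies: { "@langchain/core": "^1.0.0" } },
];

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.11" into its numeric parts plus prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Ordering: numeric triple first; a prerelease sorts below its release (simplified:
// two prereleases on the same triple compare equal here).
function compare(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return 0;
}

// Expand one range token into [operator, version] comparators. Caret follows the
// semver 0.x rule: ^0.9.90 means >=0.9.90 <0.10.0, not <1.0.0.
function comparators(token) {
  const op = (/^(>=|<=|>|<|=|\^|~)/.exec(token) || [""])[0];
  const ver = parseVersion(token.slice(op.length));
  if (op === "^") {
    const upper = ver.major > 0 ? { major: ver.major + 1, minor: 0, patch: 0, pre: null }
      : ver.minor > 0 ? { major: 0, minor: ver.minor + 1, patch: 0, pre: null }
      : { major: 0, minor: 0, patch: ver.patch + 1, pre: null };
    return [[">=", ver], ["<", upper]];
  }
  if (op === "~") return [[">=", ver], ["<", { major: ver.major, minor: ver.minor + 1, patch: 0, pre: null }]];
  return [[op || "=", ver]];           // bare "2.129.0" is an exact pin
}

function testComparator([op, ver], cand) {
  const c = compare(cand, ver);
  switch (op) {
    case ">=": return c >= 0;
    case ">":  return c > 0;
    case "<=": return c <= 0;
    case "<":  return c < 0;
    default:   return c === 0;
  }
}

// A range is a "||" union of alternatives; each alternative is a space-separated
// conjunction of tokens. "*" matches anything.
function satisfies(version, range) {
  if (range.trim() === "*") return true;
  const cand = parseVersion(version);
  return range.split("||").some(alt =>
    alt.trim().split(/\s+/).every(tok => comparators(tok).every(cmp => testComparator(cmp, cand))));
}

// Return the manifests whose peer range for `peerName` rejects `proposedVersion`.
function checkPeers(manifests, peerName, proposedVersion) {
  const conflicts = [];
  for (const m of manifests) {
    const range = (m.peerDependencies || {})[peerName];
    if (range && !satisfies(proposedVersion, range)) {
      conflicts.push({ package: `${m.name}@${m.version}`, requires: range });
    }
  }
  return conflicts;
}

// Stand-alone run over the constructed manifests.
for (const c of checkPeers(SAMPLE_MANIFESTS, "@langchain/core", PROPOSED_CORE)) {
  console.log(`${c.package} requires @langchain/core ${c.requires}, proposed ${PROPOSED_CORE} is outside it`);
}
```

To use it against a real checkout, replace `SAMPLE_MANIFESTS` with the parsed contents of each `node_modules/@langchain/*/package.json` (for example via `fs.readFileSync` and `JSON.parse`); any conflict it reports is a package that also needs bumping in the same PR, or the 1.x `@langchain/core` will not be the copy those packages resolve.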
| "@drift-labs/vaults-sdk": "^0.3.29", | ||
| "@langchain/core": "^0.3.26", | ||
| "@drift-labs/sdk": "2.129.0", | ||
| "@drift-labs/vaults-sdk": "^0.9.90", |
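Review bot: the new range ^0.9.90 only admits 0.9.x releases under semver's 0.x caret rule (>=0.9.90 <0.10.0), so it is already close to a pin and the caret is not what makes this hunk risky; the issue is that @drift-labs/vaults-sdk, like @drift-labs/sdk above, appears in none of the three advisories this PR claims to fix. State in the description which advisory each bump addresses, and if this one is only along for the ride, split it into its own PR so the security fix can be reviewed and reverted independently.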
This is a significant minor version upgrade from 0.3.29 to 0.9.90 for @drift-labs/vaults-sdk. This represents approximately 60 minor version increments, which likely includes breaking changes or significant API modifications. The package is used in src/tools/drift/drift.ts and src/tools/drift/drift_vault.ts for vault operations. This upgrade should be tested thoroughly to ensure all vault-related functionality (deposit, withdrawal, vault client initialization) continues to work as expected.
| "@drift-labs/vaults-sdk": "^0.9.90", | |
| "@drift-labs/vaults-sdk": "0.9.90", |
Snyk has created this PR to fix 3 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
SNYK-JS-AJV-15274295
SNYK-JS-LANGCHAINCORE-15268429
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)