[Snyk] Security upgrade solana-agent-kit from 1.3.7 to 2.0.1#53
[Snyk] Security upgrade solana-agent-kit from 1.3.7 to 2.0.1#53
Conversation
…ng-agent/pnpm-lock.yaml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-AXIOS-15252993 - https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
There was a problem hiding this comment.
Pull request overview
This PR attempts to fix security vulnerabilities (Prototype Pollution in axios and SSRF in langchain-core) by upgrading the solana-agent-kit dependency from version 1.3.7 to 2.0.1 in the market-making-agent example. However, the upgrade is ineffective because the example imports from the local monorepo source code ("../../src") rather than from the npm package.
Changes:
- Updated solana-agent-kit dependency from ^1.3.7 to ^2.0.1 in examples/market-making-agent/package.json
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dependencies": { | ||
| "@langchain/langgraph-checkpoint-postgres": "^0.1.2", | ||
| "solana-agent-kit": "^1.3.7" | ||
| "solana-agent-kit": "^2.0.1" |
There was a problem hiding this comment.
The package.json dependency update to solana-agent-kit 2.0.1 is ineffective because the code imports from the local source directory ("../../src") instead of from the npm package. Line 8 of index.ts imports from "../../src", which means the declared dependency in package.json is unused.
To fix the security vulnerabilities addressed by this PR, the import statement in index.ts needs to be changed to import from "solana-agent-kit" instead of "../../src". All other examples in the repository (agent-kit-langgraph, discord-bot-starter, persistent-agent) import from the npm package directly.
| "dependencies": { | ||
| "@langchain/langgraph-checkpoint-postgres": "^0.1.2", | ||
| "solana-agent-kit": "^1.3.7" | ||
| "solana-agent-kit": "^2.0.1" |
There was a problem hiding this comment.
This security upgrade only updates the market-making-agent example. However, other examples in the repository (agent-kit-langgraph at 1.3.0, discord-bot-starter at 1.3.4) are also on older versions of solana-agent-kit that may have the same security vulnerabilities in axios and langchain-core dependencies. Consider updating all examples to 2.0.1 for consistent security posture across the repository.
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/market-making-agent/package.jsonexamples/market-making-agent/pnpm-lock.yamlVulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
SNYK-JS-LANGCHAINCORE-15268429
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
🦉 Server-side Request Forgery (SSRF)