6 changes: 3 additions & 3 deletions genkit-tools/common/package.json
@@ -15,14 +15,14 @@
"adm-zip": "^0.5.12",
"ajv": "^8.12.0",
"ajv-formats": "^3.0.1",
"axios": "^1.7.7",
"body-parser": "^1.20.2",
"axios": "^1.13.5",
high

While updating axios here is correct, other packages in this monorepo also use an outdated version. For example, genkit-tools/cli/package.json still uses axios: ^1.7.7. To fully remediate the vulnerability across the project, all occurrences of axios should be updated to ^1.13.5.

P1: Update genkit-tools lockfile with bumped dependency ranges

This change updates common/package.json but leaves genkit-tools/pnpm-lock.yaml pinned to the previous common dependency set (axios ^1.7.7/1.10.0, body-parser ^1.20.2/1.20.3, express ^4.21.0/4.21.2 at genkit-tools/pnpm-lock.yaml:123-146), so lockfile-driven installs in genkit-tools will continue resolving the old versions and the intended vulnerability remediation is not actually captured in source control.

@cubic-dev-ai cubic-dev-ai bot Feb 12, 2026

P1: The lockfile (pnpm-lock.yaml) must be updated to reflect these dependency version changes. Without updating the lockfile, pnpm install will continue resolving the old vulnerable versions that are pinned in the existing lockfile, defeating the purpose of this security fix. Run pnpm install in the genkit-tools directory to regenerate the lockfile with the patched versions.


"body-parser": "^1.20.4",
high

This update to body-parser is good, but it's incomplete for the monorepo. js/core/package.json and js/plugins/express/package.json are still on an older version (^1.20.3). Please update them to ^1.20.4 to ensure consistency and fix any related vulnerabilities across the project.

"chokidar": "^3.5.3",
Copilot AI Feb 12, 2026

These dependency bumps won’t take effect (and CI is likely to fail the "ensure clean working tree" step) unless the Genkit Tools lockfile is updated and committed. Please run pnpm install/update in genkit-tools/ and commit the resulting genkit-tools/pnpm-lock.yaml changes so the axios/body-parser/express versions are actually pinned to the fixed releases.

Suggested change
"chokidar": "^3.5.3",
"chokidar": "^3.6.0",

"colorette": "^2.0.20",
"commander": "^11.1.0",
"configstore": "^5.0.1",
"cors": "^2.8.5",
"express": "^4.21.0",
"express": "^4.22.0",
high

Updating express is necessary to address the qs vulnerability. However, js/core/package.json still lists express: ^4.21.0. This should also be updated to ^4.22.0 to ensure the vulnerability is patched throughout the repository.

Lockfile not updated, security fixes not applied

High Severity

The package.json dependency versions are updated to fix Prototype Pollution in axios and resource exhaustion in qs, but the pnpm-lock.yaml was not updated (as noted in the PR warning). Without a corresponding lockfile update, pnpm install will continue resolving to the old, vulnerable versions pinned in the lockfile. The security vulnerabilities remain unpatched if this PR is merged as-is.

"get-port": "5.1.1",
"glob": "^10.3.12",
"js-yaml": "^4.1.0",
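Review bot: the regenerated lockfile is missing from this hunk's change set; the file header shows only genkit-tools/common/package.json touched (3 additions, 3 deletions), so raising `"axios": "^1.13.5"`, `"body-parser": "^1.20.4"` and `"express": "^4.22.0"` moves the floor of the caret ranges but a lockfile-driven `pnpm install` in genkit-tools still resolves the versions recorded in the existing pnpm-lock.yaml, and the fix is not enforced until that file is regenerated and committed in the same PR. Also note that caret ranges stay permissive by design, so the lockfile, not package.json, is what actually pins installs to the patched releases; a quick post-merge check is to confirm the resolved axios, body-parser and express entries in the committed lockfile meet these minimums, and, as the other comments point out, the same ranges should be applied to the other package.json files in the monorepo that still declare the older versions so that one remediation covers the whole workspace.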