2 changes: 1 addition & 1 deletion js/testapps/vertexai-modelgarden/package.json
@@ -17,7 +17,7 @@
"@genkit-ai/vertexai": "workspace:*",
"@genkit-ai/google-genai": "workspace:*",
"@mistralai/mistralai-gcp": "^1.3.4",
"express": "^4.21.0",
"express": "^4.22.0",
security-critical

While this version bump is correct, the pnpm-lock.yaml file has not been updated. As noted in the PR description, this must be done manually. To ensure the security vulnerability is actually fixed, please run pnpm install to update the lockfile and commit the changes before merging this PR.


P2: Regenerate workspace lockfile for the express bump

This change raises express to ^4.22.0 in package.json, but the workspace lockfile at this commit still records testapps/vertexai-modelgarden with specifier: ^4.21.0 and version: 4.21.2 (js/pnpm-lock.yaml around lines 1944-1946). As a result, lockfile-based installs continue to resolve the old vulnerable version (or fail in frozen-lockfile workflows), so the intended security upgrade is not actually applied.

Copilot AI Feb 13, 2026


The version constraint "^4.22.0" appears to reference express 4.22.0, but this version doesn't exist in the lockfile. The lockfile shows express@4.22.1 exists (lines 5709-5711) but not express@4.22.0. This suggests that express 4.22.0 may not be a valid published version.

Additionally, the pnpm-lock.yaml has not been updated as indicated in the PR description warning. According to the repository's dependency management practices (enforced via the "only-allow" pnpm script in js/package.json), all dependency changes must be reflected in the committed js/pnpm-lock.yaml file.

To properly resolve the security vulnerability and maintain consistency with the repository's practices:

  1. Verify that express 4.22.0 is a valid published version, or use 4.22.1 if 4.22.0 doesn't exist
  2. Update the js/pnpm-lock.yaml file by running pnpm install in the js/ directory
  3. Commit the updated lockfile with this PR
Suggested change
"express": "^4.22.0",
"express": "^4.22.1",

Copilot uses AI. Check for mistakes.
"genkit": "workspace:*",
"zod": "3.22.4"
},
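Review bot: the specifier change on the "express" line is a no-op for installs until js/pnpm-lock.yaml is regenerated: under caret semantics ^4.21.0 already admitted 4.22.x, so what holds this testapp at 4.21.2 is the lockfile entry, not the range in package.json. Run pnpm install in js/ and commit the updated lockfile in the same PR so a frozen-lockfile install resolves the patched version rather than failing or keeping 4.21.2. If 4.22.0 was never published (the thread notes only express@4.22.1 in the lockfile), set the floor to ^4.22.1 so the range's lower bound is a version that exists. A pnpm install --frozen-lockfile step in CI would turn this kind of package.json/lockfile drift into a failed check instead of a review catch.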
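The stale-lockfile condition the comments above describe (package.json says ^4.22.0, the lockfile importer entry still says ^4.21.0 / 4.21.2) can be made a mechanical pre-merge check. The script below is an added example for this thread, not code from the PR or from the Genkit repository: it reads a workspace package.json and the importers section of a pnpm-lock.yaml, compares the recorded specifier with the declared one, and verifies that the locked version satisfies a caret range. The lockfile reader is a minimal indentation walk written for this example rather than a general YAML parser, the sample package.json and lockfile fragment are constructed to match the values quoted in the thread, and the sibling importer name testapps/other-app is hypothetical.

```javascript
// Added example for this review thread, not Genkit project code. Compares what a
// workspace package.json declares for one dependency with what pnpm-lock.yaml
// records for that importer, which is the gap the review comments point at.

// Specifier declared in package.json for depName, or null if absent.
function packageSpecifier(packageJsonText, depName) {
  const pkg = JSON.parse(packageJsonText);
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[field];
    if (deps && typeof deps[depName] === 'string') return deps[depName];
  }
  return null;
}

// "express:" or "'@scope/name':" -> key without quotes; null for non-key lines.
function yamlKey(body) {
  return body.endsWith(':') ? body.slice(0, -1).replace(/^['"]|['"]$/g, '') : null;
}

// Minimal indentation walk over pnpm's `importers:` section (assumption of this
// example: pnpm's 2-space layout; this is not a general YAML parser). Returns
// { specifier, version } for depName under importerPath, or null if missing.
function lockEntry(lockText, importerPath, depName) {
  let inImporters = false, inImporter = false, inDep = false;
  const entry = {};
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    const body = line.trim();
    if (body === '' || body.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) { inImporters = body === 'importers:'; inImporter = inDep = false; continue; }
    if (!inImporters) continue;
    if (indent === 2) { inImporter = yamlKey(body) === importerPath; inDep = false; continue; }
    if (!inImporter) continue;
    if (indent === 4) { inDep = false; continue; }            // dependencies: / devDependencies:
    if (indent === 6) { inDep = yamlKey(body) === depName; continue; }
    if (inDep && indent === 8) {
      const m = /^(specifier|version):\s*(.+)$/.exec(body);
      if (m) entry[m[1]] = m[2].replace(/^['"]|['"]$/g, '');
    }
  }
  if (!entry.specifier || !entry.version) return null;
  // pnpm suffixes peer resolutions, e.g. "4.21.2(supports-color@8.1.1)"; keep the bare version.
  entry.version = entry.version.split('(')[0];
  return entry;
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Caret semantics for major >= 1: same major and not below the floor.
// Returns null for ranges this example does not model (non-caret, or 0.x).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) return null;
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (!floor || !v || floor[0] === 0) return null;
  if (v[0] !== floor[0]) return false;
  for (let i = 1; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i];
  }
  return true;
}

// The check a pre-merge script would run for one (importer, dependency) pair.
function checkInSync(packageJsonText, lockText, importerPath, depName) {
  const specifier = packageSpecifier(packageJsonText, depName);
  if (specifier === null) return { ok: false, reason: `${depName} is not declared in package.json` };
  const entry = lockEntry(lockText, importerPath, depName);
  if (entry === null) return { ok: false, reason: `no lockfile entry for ${depName} under ${importerPath}`, specifier };
  const result = { specifier, lockSpecifier: entry.specifier, lockVersion: entry.version };
  if (entry.specifier !== specifier) {
    return { ok: false, reason: 'lockfile specifier is stale: run pnpm install and commit pnpm-lock.yaml', ...result };
  }
  if (satisfiesCaret(specifier, entry.version) === false) {
    return { ok: false, reason: `locked ${entry.version} does not satisfy ${specifier}`, ...result };
  }
  return { ok: true, reason: 'package.json and lockfile agree', ...result };
}

// Constructed sample package.json mirroring the PR: express bumped to ^4.22.0.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'vertexai-modelgarden',
  dependencies: { express: '^4.22.0', genkit: 'workspace:*', zod: '3.22.4' },
});

// Constructed lockfile fragment; testapps/other-app is a hypothetical sibling
// importer included to show that the walk scopes to the requested importer only.
function sampleLock(specifier, version) {
  return `lockfileVersion: '9.0'

importers:

  testapps/other-app:
    dependencies:
      express:
        specifier: ^4.21.0
        version: 4.21.2

  testapps/vertexai-modelgarden:
    dependencies:
      express:
        specifier: ${specifier}
        version: ${version}
      zod:
        specifier: 3.22.4
        version: 3.22.4

packages:

  express@${version}:
    resolution: {integrity: sha512-constructed}
`;
}

const IMPORTER = 'testapps/vertexai-modelgarden';
// Lockfile as committed in this PR (^4.21.0 / 4.21.2): reported as stale.
const staleResult = checkInSync(SAMPLE_PACKAGE_JSON, sampleLock('^4.21.0', '4.21.2'), IMPORTER, 'express');
// Lockfile after running pnpm install with the bump: passes.
const freshResult = checkInSync(SAMPLE_PACKAGE_JSON, sampleLock('^4.22.0', '4.22.1'), IMPORTER, 'express');
console.log(staleResult.ok ? 'OK' : 'STALE', staleResult.reason);
console.log(freshResult.ok ? 'OK' : 'STALE', freshResult.reason);
```

In a real repository the two strings would come from reading the testapp's package.json and js/pnpm-lock.yaml from disk, and the script would iterate over every importer and dependency rather than one pair; the specifier comparison is the part that catches this PR, and the caret check is what would flag a lockfile whose version fell below a new floor even when the specifier strings happened to match.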