[Snyk] Security upgrade solana-agent-kit from 1.3.4 to 2.0.1#20
…-starter/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15053838
Pull request overview
Security-driven dependency upgrade for the examples/discord-bot-starter project to address a reported lodash prototype pollution vulnerability by upgrading solana-agent-kit.
Changes:
- Bump solana-agent-kit dependency from ^1.3.4 to ^2.0.1 in the Discord bot starter example.
- Update pnpm-lock.yaml to reflect the upgraded dependency graph for the example.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| examples/discord-bot-starter/package.json | Updates solana-agent-kit dependency range to the targeted major version. |
| examples/discord-bot-starter/pnpm-lock.yaml | Updates the lockfile to the new resolved dependency set after the upgrade. |
| @@ -15,8 +15,8 @@ importers: | |||
| specifier: ^16.4.7 | |||
| version: 16.4.7 | |||
| solana-agent-kit: | |||
| specifier: ^1.3.4 | |||
| version: 1.3.4(@noble/hashes@1.7.0)(axios@1.7.9)(borsh@2.0.0)(buffer@6.0.3)(bufferutil@4.0.9)(fastestsmallesttextencoderdecoder@1.0.22)(sodium-native@3.4.1)(typescript@5.7.2)(utf-8-validate@5.0.10) | |||
| specifier: ^2.0.10 | |||
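Review bot: the hunk ends at the new `specifier: ^2.0.10` line, so the replacement `version:` entry is not visible in this fragment; the removed line pinned a long peer set for 1.3.4 (@noble/hashes@1.7.0, axios@1.7.9, borsh@2.0.0, buffer@6.0.3, sodium-native@3.4.1 and typescript@5.7.2, among others), and a 1.x to 2.x bump can change which peers are required, so the full lockfile diff should be checked for added or dropped peer resolutions before merging.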
package.json specifies solana-agent-kit as ^2.0.1, but the lockfile records the importer specifier as ^2.0.10. This indicates the lockfile is out of sync with package.json and may cause pnpm install --frozen-lockfile (or similar tooling) to fail. Regenerate pnpm-lock.yaml from the updated package.json, or update the dependency specifier so both files match.
| specifier: ^2.0.10 | |
| specifier: ^2.0.1 |
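The mismatch flagged above (package.json declaring `^2.0.1` while the lockfile importer records `^2.0.10`) is exactly what `pnpm install --frozen-lockfile` rejects in CI. The following script is an added example, not code from this PR, from Snyk or from Copilot's review: it reproduces that check offline by comparing the ranges in package.json with the specifiers recorded under `importers` in pnpm-lock.yaml, and additionally verifies that the resolved version still falls inside a caret range (so `2.0.10` is shown to be compatible with `^2.0.1` even though the recorded specifiers differ). It assumes the pnpm v9 lockfile layout seen in the hunk (`importers` / importer path / section / package / `specifier` and `version`, indented in steps of two spaces) and uses a small line-based scanner rather than a full YAML parser; the sample inputs are constructed strings that mirror the PR's files, with a placeholder integrity hash.

```javascript
// Added example (not part of the PR or of Copilot's review): detect
// package.json vs pnpm-lock.yaml specifier drift, the failure mode that
// makes `pnpm install --frozen-lockfile` refuse to install.
// Assumption: pnpm v9 lockfile layout with two-space indentation.

// Parse the `importers` block of a pnpm lockfile into
// { importerPath: { section: { pkgName: { specifier, version } } } }.
// Deliberately a tiny line scanner for this one block, not a YAML parser.
function parseLockfileImporters(lockText) {
  const importers = {};
  let inImporters = false;
  let importer = null, section = null, pkg = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const indent = raw.length - raw.trimStart().length;
    const key = line.replace(/:.*$/, '').replace(/^['"]|['"]$/g, '');
    if (indent === 0) { inImporters = (line === 'importers:'); continue; }
    if (!inImporters) continue;
    if (indent === 2) { importer = key; importers[importer] = {}; }
    else if (indent === 4) { section = key; importers[importer][section] = {}; }
    else if (indent === 6) { pkg = key; importers[importer][section][pkg] = {}; }
    else if (indent === 8) {
      const m = /^(specifier|version):\s*(.*)$/.exec(line);
      if (m) importers[importer][section][pkg][m[1]] = m[2].replace(/^['"]|['"]$/g, '');
    }
  }
  return importers;
}

// Minimal caret-range check, enough for `^x.y.z` ranges like the ones in this
// PR: the leading part that caret pins must match (major; minor when major is
// 0; patch when major and minor are both 0) and version >= base.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) return false;
  const base = range.slice(1).split('.').map(Number);
  const ver = version.split('.').map(Number);
  if (base.length !== 3 || ver.length !== 3 || [...base, ...ver].some(Number.isNaN)) return false;
  const pinned = base[0] > 0 ? 1 : base[1] > 0 ? 2 : 3;
  for (let i = 0; i < pinned; i++) if (ver[i] !== base[i]) return false;
  for (let i = 0; i < 3; i++) {
    if (ver[i] > base[i]) return true;
    if (ver[i] < base[i]) return false;
  }
  return true; // exactly the base version
}

// Compare package.json ranges with the lockfile's recorded entries for one
// importer. Returns a list of findings; an empty list means the files agree.
function findLockfileMismatches(packageJsonText, lockText, importerPath = '.') {
  const pkg = JSON.parse(packageJsonText);
  const lock = parseLockfileImporters(lockText)[importerPath] || {};
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const entry = (lock[section] || {})[name];
      if (!entry) { findings.push({ name, section, problem: 'missing from lockfile' }); continue; }
      if (entry.specifier !== range) {
        findings.push({ name, section, problem: 'specifier mismatch',
                        packageJson: range, lockfile: entry.specifier });
      }
      // Lockfile versions may carry a peer suffix such as "2.0.10(typescript@5.7.2)".
      const resolved = (entry.version || '').replace(/\(.*$/, '');
      if (range.startsWith('^') && !caretSatisfies(range, resolved)) {
        findings.push({ name, section, problem: 'resolved version outside range',
                        packageJson: range, resolved });
      }
    }
  }
  return findings;
}

// Constructed sample inputs mirroring the PR's files (not the repository's actual files).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'discord-bot-starter',
  dependencies: { 'discord.js': '^14.25.1', dotenv: '^16.4.7', 'solana-agent-kit': '^2.0.1' },
});
const SAMPLE_LOCKFILE = [
  "lockfileVersion: '9.0'",
  '',
  'importers:',
  '',
  '  .:',
  '    dependencies:',
  '      discord.js:',
  '        specifier: ^14.25.1',
  '        version: 14.25.1',
  '      dotenv:',
  '        specifier: ^16.4.7',
  '        version: 16.4.7',
  '      solana-agent-kit:',
  '        specifier: ^2.0.10',
  '        version: 2.0.10(typescript@5.7.2)',
  '',
  'packages:',
  '',
  '  solana-agent-kit@2.0.10:',
  '    resolution: {integrity: sha512-PLACEHOLDER}', // placeholder, not the real hash
  "    engines: {node: '>=22.0.0', pnpm: '>=8.0.0'}",
].join('\n');

function main() {
  const findings = findLockfileMismatches(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE);
  for (const f of findings) console.log(JSON.stringify(f));
  return findings;
}
if (typeof require !== 'undefined' && require.main === module) main();
```

Run against the constructed inputs it reports a single finding, the `solana-agent-kit` specifier mismatch, and no range violation, which is the state of this PR: the resolved 2.0.10 is acceptable under `^2.0.1`, so regenerating the lockfile from the current package.json (rather than widening the range) is enough to make the two files agree.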
| "discord.js": "^14.25.1", | ||
| "dotenv": "^16.4.7", | ||
| "solana-agent-kit": "^1.3.4" | ||
| "solana-agent-kit": "^2.0.1" |
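Review bot: moving the range from ^1.3.4 to ^2.0.1 is a major-version bump, and this PR changes only package.json and pnpm-lock.yaml, so nothing in the diff shows that the bot's own code was built or run against solana-agent-kit 2.x; a smoke build of the example should accompany the merge. Note also that ^2.0.1 already admits 2.0.10 under caret semantics, so the resolved 2.0.10 is consistent with this range; the only thing that needs to change is the specifier recorded in the lockfile, not this line.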
The PR description/title indicates an upgrade to solana-agent-kit 2.0.1, but the lockfile resolves to 2.0.10. If 2.0.10 is intended, update the dependency range accordingly; if not, pin/resolve to 2.0.1 and regenerate the lockfile so the resolved version matches what the PR claims.
| resolution: {integrity: sha512-k4tWz1eZNoN34zJB3i29Mis8WJICJlxxl3nEmGO/eaAVOMqHAQ6BVKmWOKvU5G7TiXdSiwmQtc5JpdQhsSP0og==} | ||
| engines: {node: '>=22.0.0', pnpm: '>=8.0.0'} | ||
|
|
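Review bot: besides node '>=22.0.0', the resolved package's engines block also requires pnpm '>=8.0.0'; whether either constraint fails the install or only warns depends on pnpm's `engine-strict` setting, so the example's install instructions or CI should state both minimums explicitly rather than relying on the warning.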
The resolved solana-agent-kit@2.0.10 package declares engines: { node: '>=22.0.0' }. If this example is expected to work on older Node versions, this upgrade will break installs/runtime. Consider explicitly documenting/enforcing the required Node version for this package (e.g., via engines in package.json) or selecting a compatible solana-agent-kit version.
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/discord-bot-starter/package.json
examples/discord-bot-starter/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution