[Snyk] Security upgrade solana-agent-kit from 1.3.0 to 2.0.1#21
…bot-starter/basic-tg-bot/pnpm-lock.yaml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
Pull request overview
This PR updates the examples/tg-bot-starter/basic-tg-bot dependency set to remediate a Snyk-reported vulnerability by upgrading solana-agent-kit to the v2 line.
Changes:
- Bumps solana-agent-kit in the basic Telegram bot example from ^1.3.0 to ^2.0.1.
- Regenerates pnpm-lock.yaml, pulling updated transitive dependencies (including OpenAI/WS-related packages).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| examples/tg-bot-starter/basic-tg-bot/package.json | Updates solana-agent-kit dependency range to v2. |
| examples/tg-bot-starter/basic-tg-bot/pnpm-lock.yaml | Updates lockfile to reflect the dependency upgrade and resulting transitive dependency graph. |
| "react": "^19.2.0", | ||
| "react-dom": "^19.0.0", | ||
| "solana-agent-kit": "^1.3.0" | ||
| "solana-agent-kit": "^2.0.1" |
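Review bot: This hunk takes solana-agent-kit across a major version boundary (^1.3.0 to ^2.0.1) while the PR touches only package.json and pnpm-lock.yaml (the reviewed-changes table lists just those two files), so none of the bot's source that imports the package is adjusted for v2. Before merging an automated Snyk bump of this size, confirm that the v2 API is source-compatible with the example's code, or add the accompanying code changes in the same PR so the example still builds and runs.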
Upgrading to solana-agent-kit v2 pulls in a Node.js >=22 requirement (see pnpm-lock.yaml:1501). This example's README currently doesn't call out a Node version prerequisite (unlike other examples, e.g. examples/discord-bot-starter/README.md:9). Consider documenting the required Node version (or adding an engines.node field) to prevent setup failures for users on older Node versions.
| version: 19.2.3 | ||
| react-dom: | ||
| specifier: ^19.0.0 | ||
| version: 19.0.0(react@19.2.3) | ||
| solana-agent-kit: | ||
| specifier: ^1.3.0 | ||
| version: 1.3.0(@noble/hashes@1.6.1)(axios@1.7.9)(borsh@2.0.0)(buffer@6.0.3)(bufferutil@4.0.9)(fastestsmallesttextencoderdecoder@1.0.22)(typescript@5.7.2)(utf-8-validate@5.0.10)(zod@3.24.1) | ||
| specifier: ^2.0.10 |
pnpm-lock.yaml lists solana-agent-kit with specifier ^2.0.10, but package.json declares ^2.0.1. This makes the lockfile out of sync with the manifest and can break CI installs using --frozen-lockfile. Regenerate the lockfile from the current package.json (or update package.json to match the specifier used to generate the lock).
| specifier: ^2.0.10 | |
| specifier: ^2.0.1 |
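A maintainer-side check for the manifest/lockfile drift raised in the comment above, added here as an example (not code from this PR or the repository): the constructed package.json and pnpm-lock.yaml fragments reproduce the ^2.0.1 vs ^2.0.10 mismatch, and `lock_specifiers` / `lockfile_drift` are hypothetical helper names that assume the pnpm v9 importers layout visible in this diff.

```python
import json

# Constructed inputs mirroring this PR's mismatch: manifest ^2.0.1 vs lockfile ^2.0.10.
PACKAGE_JSON = '{"dependencies": {"react": "^19.2.0", "solana-agent-kit": "^2.0.1"}}'
PNPM_LOCK = """\
lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      react:
        specifier: ^19.2.0
        version: 19.2.3
      solana-agent-kit:
        specifier: ^2.0.10
        version: 2.0.10
"""

def lock_specifiers(lock_text, importer="."):
    """{name: specifier} for one importer; indentation-based, importers block only."""
    specs, current, in_importers, in_target = {}, None, False, False
    for line in lock_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                    # top-level key: importers, packages, ...
            in_importers = stripped == "importers:"
        elif not in_importers:
            continue
        elif indent == 2:                  # importer path, e.g. "." or "examples/foo"
            in_target = stripped == importer + ":"
        elif in_target and indent == 6 and stripped.endswith(":"):
            current = stripped[:-1].strip("'\"")   # dependency name, quotes stripped
        elif in_target and indent == 8 and stripped.startswith("specifier:"):
            specs[current] = stripped.split(":", 1)[1].strip()
    return specs

def lockfile_drift(package_json_text, lock_text):
    """{name: (manifest range, lockfile specifier)} for every mismatch; a non-empty
    result is exactly what makes `pnpm install --frozen-lockfile` refuse to run."""
    pkg, manifest = json.loads(package_json_text), {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        manifest.update(pkg.get(field, {}))
    lock = lock_specifiers(lock_text)
    return {n: (manifest.get(n), lock.get(n))
            for n in sorted(set(manifest) | set(lock))
            if manifest.get(n) != lock.get(n)}
```

Run it against the real `examples/tg-bot-starter/basic-tg-bot` files in CI and fail the job when the result is non-empty; that catches this class of drift before `--frozen-lockfile` does.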
| @@ -10,13 +10,13 @@ importers: | |||
| dependencies: | |||
| '@langchain/core': | |||
| specifier: ^0.3.26 | |||
| version: 0.3.26(openai@4.77.0(zod@3.24.1)) | |||
| version: 0.3.26(openai@5.23.2(ws@7.5.10(bufferutil@4.0.9)(utf-8-validate@5.0.10))(zod@3.24.1)) | |||
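Review bot: Nothing in this hunk (or the other visible hunks) changes lodash itself, yet the PR's stated purpose is fixing SNYK-JS-LODASH-15053838; what this line actually shows is openai moving from 4.77.0 to 5.23.2, a major bump, under an unchanged @langchain/core ^0.3.26 range. Before merging, check the regenerated lockfile for the lodash version that now resolves and confirm it is the fixed release named in the advisory, and confirm that @langchain/core 0.3.26 declares a peer range that admits openai 5.x rather than merely tolerating it.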
The lockfile resolves openai@5.23.2 against ws@7.5.10 (see the peer context on this line), but openai@5.23.2 declares a peer dependency ws: ^8.18.0. This peer mismatch can lead to pnpm warnings and potentially broken realtime/WS features. Prefer ensuring ws@^8.18.0 is the peer that openai picks (e.g., add a direct ws dependency/override) and re-lock.
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
examples/tg-bot-starter/basic-tg-bot/package.json
examples/tg-bot-starter/basic-tg-bot/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution