[Snyk] Security upgrade solana-agent-kit from 1.3.0 to 2.0.1#24

Open
SMSDAO wants to merge 1 commit intomainfrom
snyk-fix-9fd4bf9456c195799d88bc1e31edf21b

Conversation

SMSDAO (Owner) commented Jan 25, 2026


Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • examples/persistent-agent/package.json
  • examples/persistent-agent/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

Issue: Prototype Pollution (medium severity), SNYK-JS-LODASH-15053838
Score: 631

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

…nt/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15053838
Copilot AI review requested due to automatic review settings January 25, 2026 00:34

Copilot AI left a comment


Pull request overview

This PR upgrades solana-agent-kit from version 1.3.0 to 2.0.10 to fix a prototype pollution vulnerability in lodash (SNYK-JS-LODASH-15053838, severity score 631/1000). However, this is a major version upgrade that introduces significant breaking changes.

Changes:

  • Upgrades solana-agent-kit from 1.3.0 to 2.0.10 (specified as ^2.0.1 in package.json)
  • Completely restructures the dependency tree, removing Solana ecosystem packages (Anchor, Metaplex, Orca, Pyth, Raydium, Bonfida) and langchain
  • Adds OpenAI agents packages, Express server dependencies, and AI SDK packages

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 6 comments.

  • examples/persistent-agent/package.json: updates the solana-agent-kit version constraint to ^2.0.1
  • examples/persistent-agent/pnpm-lock.yaml: major dependency tree restructuring with removal of Solana ecosystem packages and addition of OpenAI/Express infrastructure


"dependencies": {
"@langchain/langgraph-checkpoint-postgres": "^0.0.2",
"solana-agent-kit": "^1.3.0"
"solana-agent-kit": "^2.0.1"
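Review bot: the `^2.0.1` caret range on the last line resolves to whatever 2.x pnpm picks at install time, and the lockfile in this PR resolves it to 2.0.10, so the PR title and description (2.0.1) do not describe what is actually installed. For a security fix PR the constraint should pin the version the lockfile was generated against (`"solana-agent-kit": "2.0.10"`) or the description should be corrected; in either case the lockfile diff should be checked for the actual lodash resolution change, because none of the quoted hunks show a lodash entry at all.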
Copilot AI Jan 25, 2026


The PR description indicates upgrading to version 2.0.1, but the package.json specifies ^2.0.1 which will allow updates up to (but not including) 3.0.0. Meanwhile, the lock file shows version 2.0.10 is actually being installed. This discrepancy should be addressed - either the PR description should be updated to reflect the actual installed version (2.0.10), or the version constraint should be more specific if 2.0.1 is specifically required for the security fix.

Suggested change
"solana-agent-kit": "^2.0.1"
"solana-agent-kit": "2.0.10"

Comment on lines +1628 to +1660
express@5.2.1:
dependencies:
accepts: 2.0.0
body-parser: 2.2.2
content-disposition: 1.0.1
content-type: 1.0.5
cookie: 0.7.2
cookie-signature: 1.2.2
debug: 4.4.0
depd: 2.0.0
encodeurl: 2.0.0
escape-html: 1.0.3
etag: 1.8.1
finalhandler: 2.1.1
fresh: 2.0.0
http-errors: 2.0.1
merge-descriptors: 2.0.0
mime-types: 3.0.2
on-finished: 2.4.1
once: 1.4.0
parseurl: 1.3.3
proxy-addr: 2.0.7
qs: 6.14.1
range-parser: 1.2.1
router: 2.2.0
send: 1.2.1
serve-static: 2.2.1
statuses: 2.0.2
type-is: 2.0.1
vary: 1.1.2
transitivePeerDependencies:
- supports-color
optional: true
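Review bot: these lines introduce a complete HTTP server stack (express 5.2.1 with body-parser 2.2.2, qs 6.14.1, cookie 0.7.2, proxy-addr 2.0.7, send 1.2.1 and serve-static 2.2.1) that did not exist in the 1.3.0 tree, flagged `optional: true`. A PR whose only stated purpose is the lodash advisory should state whether the persistent-agent example uses this server entry point; if it does not, verify that the optional flag really keeps these packages out of the install, since each of them is network-reachable code once a listener is started and each widens the surface future dependency scans have to cover.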
Copilot AI Jan 25, 2026


The upgrade introduces Express 5.2.1 and related HTTP server dependencies (express-rate-limit, body-parser, cors, etc.) which were not present in the previous version. These dependencies are marked as optional in the lock file but suggest that solana-agent-kit 2.x may have server/API capabilities that weren't in 1.x. Ensure that if your application doesn't need these server features, they won't cause issues, and if they do, that appropriate configuration is provided.

Comment on lines +1192 to +1206
'@openai/agents@0.0.7(bufferutil@4.0.8)(hono@4.11.5)(utf-8-validate@5.0.10)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)':
dependencies:
'@metaplex-foundation/beet': 0.7.2
'@solana/web3.js': 1.98.0(bufferutil@4.0.8)(utf-8-validate@5.0.10)
bs58: 5.0.0
'@openai/agents-core': 0.0.7(hono@4.11.5)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)
'@openai/agents-openai': 0.0.7(hono@4.11.5)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)
'@openai/agents-realtime': 0.0.7(bufferutil@4.0.8)(hono@4.11.5)(utf-8-validate@5.0.10)(zod@3.24.1)
debug: 4.4.0
openai: 5.23.2(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)
transitivePeerDependencies:
- '@cfworker/json-schema'
- bufferutil
- encoding
- hono
- supports-color
- utf-8-validate
- ws
- zod
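Review bot: this hunk resolves `@solana/web3.js` to 1.98.0 while the solana-agent-kit@2.0.10 entry resolves it to 1.98.4, and `openai` to 5.23.2 here versus 4.77.0 under langchain, so the install will carry two copies of each. Duplicate copies of web3.js are a known source of hard-to-debug failures (objects created by one copy fail `instanceof` checks in the other), so run `pnpm dedupe` or add a `pnpm.overrides` entry in package.json to collapse them before merging. Note also that the `'@metaplex-foundation/beet': 0.7.2` and `bs58: 5.0.0` lines shown under `@openai/agents` look like interleaved removed lines from the old entry rather than real dependencies of that package; worth confirming in the raw diff.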
Copilot AI Jan 25, 2026


The new version adds @openai/agents packages and OpenAI integration as core dependencies, while the previous version used langchain and groq-sdk. This represents a fundamental shift in the AI/LLM integration architecture. The dependency on openai package (5.23.2) is now required rather than optional. Verify that:

  1. Your application is prepared to work with OpenAI's API structure
  2. API keys and configuration for OpenAI are properly set up
  3. Any existing code using langchain or groq patterns is updated accordingly

Comment on lines +2099 to +2124
solana-agent-kit@2.0.10(@opentelemetry/api@1.9.0)(bufferutil@4.0.8)(fastestsmallesttextencoderdecoder@1.0.22)(hono@4.11.5)(openai@5.23.2(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1))(react@19.2.3)(typescript@5.6.3)(utf-8-validate@5.0.10)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10)):
dependencies:
'@langchain/core': 0.3.80(@opentelemetry/api@1.9.0)(openai@5.23.2(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1))
'@openai/agents': 0.0.7(bufferutil@4.0.8)(hono@4.11.5)(utf-8-validate@5.0.10)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)
'@solana/spl-token': 0.4.14(@solana/web3.js@1.98.4(bufferutil@4.0.8)(typescript@5.6.3)(utf-8-validate@5.0.10))(bufferutil@4.0.8)(fastestsmallesttextencoderdecoder@1.0.22)(typescript@5.6.3)(utf-8-validate@5.0.10)
'@solana/web3.js': 1.98.4(bufferutil@4.0.8)(typescript@5.6.3)(utf-8-validate@5.0.10)
ai: 4.3.19(react@19.2.3)(zod@3.24.1)
bs58: 6.0.0
chai: 5.1.2
decimal.js: 10.4.3
dotenv: 16.4.7
form-data: 4.0.1
langchain: 0.3.8(@langchain/core@0.3.26(openai@4.77.0(zod@3.24.1)))(@langchain/groq@0.1.2(@langchain/core@0.3.26(openai@4.77.0(zod@3.24.1))))(axios@1.7.9)(openai@4.77.0(zod@3.24.1))
openai: 4.77.0(zod@3.24.1)
typedoc: 0.26.11(typescript@5.6.3)
rpc-websockets: 10.0.0
tweetnacl: 1.0.3
zod: 3.24.1
transitivePeerDependencies:
- '@langchain/anthropic'
- '@langchain/aws'
- '@langchain/cohere'
- '@langchain/google-genai'
- '@langchain/google-vertexai'
- '@langchain/mistralai'
- '@langchain/ollama'
- '@noble/hashes'
- axios
- borsh
- buffer
- '@cfworker/json-schema'
- '@opentelemetry/api'
- '@opentelemetry/exporter-trace-otlp-proto'
- '@opentelemetry/sdk-trace-base'
- bufferutil
- cheerio
- debug
- encoding
- fastestsmallesttextencoderdecoder
- handlebars
- peggy
- hono
- openai
- react
- supports-color
- typeorm
- typescript
- utf-8-validate
- zod

space-separated-tokens@2.0.2: {}
- ws
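Review bot: `chai: 5.1.2` and `typedoc: 0.26.11` appear as runtime dependencies of solana-agent-kit@2.0.10; a test assertion library and a documentation generator do not belong in a production dependency tree and should be raised upstream, since every package installed this way is code the Snyk scan must now track. The same entry shows `langchain: 0.3.8` and `@langchain/core` (both 0.3.80 and 0.3.26) still present alongside `@openai/agents`, which contradicts the overview's claim that langchain was removed: the AI layer has been duplicated rather than replaced, with `openai` installed at both 4.77.0 and 5.23.2. Finally, `space-separated-tokens@2.0.2: {}` sits between `- zod` and `- ws` inside the transitivePeerDependencies list; if that is not just an interleaved line in the diff view, the lockfile is malformed and should be regenerated with `pnpm install --lockfile-only` rather than edited by hand.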
Copilot AI Jan 25, 2026


The upgrade removes several Solana ecosystem packages that were dependencies in 1.3.0:

If your application uses any of these Solana-specific features through solana-agent-kit, they may no longer be available in version 2.x. Review the application code to ensure none of these removed capabilities are being used, or plan to add them as direct dependencies if needed.

Comment on lines +2099 to +2109
solana-agent-kit@2.0.10(@opentelemetry/api@1.9.0)(bufferutil@4.0.8)(fastestsmallesttextencoderdecoder@1.0.22)(hono@4.11.5)(openai@5.23.2(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1))(react@19.2.3)(typescript@5.6.3)(utf-8-validate@5.0.10)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10)):
dependencies:
'@langchain/core': 0.3.80(@opentelemetry/api@1.9.0)(openai@5.23.2(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1))
'@openai/agents': 0.0.7(bufferutil@4.0.8)(hono@4.11.5)(utf-8-validate@5.0.10)(ws@7.5.10(bufferutil@4.0.8)(utf-8-validate@5.0.10))(zod@3.24.1)
'@solana/spl-token': 0.4.14(@solana/web3.js@1.98.4(bufferutil@4.0.8)(typescript@5.6.3)(utf-8-validate@5.0.10))(bufferutil@4.0.8)(fastestsmallesttextencoderdecoder@1.0.22)(typescript@5.6.3)(utf-8-validate@5.0.10)
'@solana/web3.js': 1.98.4(bufferutil@4.0.8)(typescript@5.6.3)(utf-8-validate@5.0.10)
ai: 4.3.19(react@19.2.3)(zod@3.24.1)
bs58: 6.0.0
chai: 5.1.2
decimal.js: 10.4.3
dotenv: 16.4.7
form-data: 4.0.1
langchain: 0.3.8(@langchain/core@0.3.26(openai@4.77.0(zod@3.24.1)))(@langchain/groq@0.1.2(@langchain/core@0.3.26(openai@4.77.0(zod@3.24.1))))(axios@1.7.9)(openai@4.77.0(zod@3.24.1))
openai: 4.77.0(zod@3.24.1)
typedoc: 0.26.11(typescript@5.6.3)
rpc-websockets: 10.0.0
tweetnacl: 1.0.3
zod: 3.24.1
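Review bot: the resolution key on the first line binds this entry to `react@19.2.3` and `typescript@5.6.3`, and `ai: 4.3.19(react@19.2.3)` in the dependency list means React ends up installed by what is presented as a lodash fix for a server-side persistent agent. Confirm the example has no browser component before accepting a React peer, and run `pnpm why react` after install so the PR records which package pulls it in.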
Copilot AI Jan 25, 2026


The engine requirement has changed from Node.js >=23.1.0 (in solana-agent-kit 1.3.0) to >=22.0.0 (in version 2.0.10). While this is technically less restrictive, it's worth noting. Additionally, the new version introduces React as a peer dependency through the @ai-sdk/react package. If this is a server-side application without React, this may cause peer dependency warnings, though the dependency is marked as optional.
