The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LODASH-15053838
Pull request overview
This PR updates two Drift Labs dependencies to address a prototype pollution vulnerability (SNYK-JS-LODASH-15053838) in the lodash dependency chain. However, the automated update process failed to regenerate the pnpm-lock.yaml file, which is explicitly noted in the PR description warning.
Changes:
- Upgrade @drift-labs/sdk from 2.109.0-beta.11 to 2.129.0 (stable release)
- Upgrade @drift-labs/vaults-sdk from ^0.3.29 to ^0.9.90
| "@drift-labs/sdk": "2.109.0-beta.11", | ||
| "@drift-labs/vaults-sdk": "^0.3.29", | ||
| "@drift-labs/sdk": "2.129.0", | ||
| "@drift-labs/vaults-sdk": "^0.9.90", |
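Review bot: @drift-labs/sdk is pinned exactly ("2.129.0") while @drift-labs/vaults-sdk keeps a caret range ("^0.9.90"), and the lodash fix this PR is for sits in the transitive chain rather than in these two lines, so the bump alone does not prove the advisory is cleared. Once pnpm-lock.yaml has been regenerated, verify the resolved tree with `pnpm why lodash` and re-run the Snyk test to confirm that no remaining resolution path still pulls a lodash version covered by SNYK-JS-LODASH-15053838.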
The pnpm-lock.yaml file was not updated with these dependency changes. This is a critical issue that must be resolved before merging. The PR description explicitly warns "Failed to update the pnpm-lock.yaml, please update manually before merging."
Without updating the lock file:
- The actual versions installed may differ from what's specified
- The security fix may not be applied
- Build reproducibility is compromised
- Other developers won't get the same dependency tree
You need to run pnpm install to regenerate the pnpm-lock.yaml file with these new package versions before this PR can be merged.
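The lock-file drift described in the comment above can be checked mechanically. The following is an added example, not code from this repository or from Snyk or Copilot; it uses constructed package.json and pnpm-lock.yaml fragments (the names and versions mirror this PR, the lock contents are assumed) and a deliberately minimal parser for the root importer of a pnpm v9 lock file.

```python
import json
import re

# Constructed sample inputs, not the repository's real files: package.json after the
# Snyk bump, and a pnpm-lock.yaml root importer that was NOT regenerated afterwards.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "@coral-xyz/anchor": "0.29",
        "@drift-labs/sdk": "2.129.0",
        "@drift-labs/vaults-sdk": "^0.9.90",
    }
})

PNPM_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@coral-xyz/anchor':
        specifier: '0.29'
        version: 0.29.0
      '@drift-labs/sdk':
        specifier: 2.109.0-beta.11
        version: 2.109.0-beta.11
      '@drift-labs/vaults-sdk':
        specifier: ^0.3.29
        version: 0.3.29(@drift-labs/sdk@2.109.0-beta.11)
"""


def lock_specifiers(lock_text: str) -> dict:
    """Return {package: specifier} for the root importer ('.') of a pnpm-lock.yaml.
    Minimal by design: only the 'importers: .: dependencies:' layout shown above
    (package names at 6-space indent, 'specifier:' at 8-space indent) is handled."""
    specs, current = {}, None
    for line in lock_text.splitlines():
        m = re.match(r"^      '?([^':]+)'?:\s*$", line)          # package name line
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^        specifier:\s*'?([^']+?)'?\s*$", line)  # its range
        if m and current:
            specs[current] = m.group(1)
    return specs


def lockfile_drift(package_json: str, lock_text: str) -> dict:
    """Packages whose package.json range differs from the range the lock file was
    resolved against. A non-empty result means the lock was not regenerated, so the
    versions actually installed are not the ones the manifest now claims."""
    wanted = json.loads(package_json).get("dependencies", {})
    locked = lock_specifiers(lock_text)
    return {name: (rng, locked.get(name)) for name, rng in wanted.items()
            if locked.get(name) != rng}
```

In CI the same condition is caught natively by `pnpm install --frozen-lockfile`, which refuses to proceed when package.json and pnpm-lock.yaml disagree.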
| "@drift-labs/vaults-sdk": "^0.9.90", | |
| "@drift-labs/vaults-sdk": "^0.9.89", |
| "@coral-xyz/anchor": "0.29", | ||
| "@drift-labs/sdk": "2.109.0-beta.11", | ||
| "@drift-labs/vaults-sdk": "^0.3.29", | ||
| "@drift-labs/sdk": "2.129.0", |
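Review bot: this region shows @drift-labs/vaults-sdk as both "^0.9.90" and "^0.9.89", while the package.json change elsewhere in this PR uses "^0.9.90"; confirm which range is intended so that package.json and the regenerated pnpm-lock.yaml agree on a single specifier before merging.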
This is a significant version jump from 2.109.0-beta.11 to 2.129.0, spanning approximately 20 minor versions and moving from a beta release to a stable release. This change carries substantial risk of introducing breaking changes or behavioral differences.
Key concerns:
- The jump crosses many intermediate versions (2.110.0 through 2.128.0)
- Transitions from beta to stable, which may include API changes
- The codebase uses multiple imports from this package (MainnetSpotMarkets, MainnetPerpMarkets, DriftClient, User, VaultClient, etc.) in src/tools/drift/ and src/actions/drift/
- Without the updated pnpm-lock.yaml, you cannot verify transitive dependency changes
Before merging, you should:
- Review the @drift-labs/sdk changelog for versions 2.110.0 through 2.129.0 to identify breaking changes
- Test the drift functionality to ensure compatibility with the new version
- Verify that all exported APIs used in the codebase are still available and function correctly
| "@drift-labs/sdk": "2.109.0-beta.11", | ||
| "@drift-labs/vaults-sdk": "^0.3.29", | ||
| "@drift-labs/sdk": "2.129.0", | ||
| "@drift-labs/vaults-sdk": "^0.9.90", |
This is a very large version jump from 0.3.29 to 0.9.90, covering a substantial number of minor versions (0.4.x through 0.9.x). Given semantic versioning conventions, this likely includes breaking changes and significant new features.
Key concerns:
- The jump crosses many intermediate minor versions, each of which could contain breaking changes
- The codebase imports multiple functions from this package (IDL, VAULT_PROGRAM_ID, VaultClient, WithdrawUnit, decodeName, encodeName, getVaultAddressSync, getVaultDepositorAddressSync) in src/tools/drift/drift.ts and src/tools/drift/drift_vault.ts
- Without the updated pnpm-lock.yaml, you cannot verify what version of @drift-labs/sdk this package will pull in as a dependency (the examples show it has its own drift-labs/sdk peer dependency)
Before merging, you should:
- Review the @drift-labs/vaults-sdk changelog for versions 0.4.0 through 0.9.90 to identify breaking changes
- Test all vault-related functionality to ensure compatibility
- Verify that the vault SDK's dependency on @drift-labs/sdk is compatible with the version specified in package.json (2.129.0)
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.