Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-DIFF-14917201 - https://snyk.io/vuln/SNYK-JS-ESLINT-15102420
There was a problem hiding this comment.
Pull request overview
This PR updates example app dependencies to remediate Snyk-reported vulnerabilities in diff and eslint/jest by bumping specific versions in the Preact example’s package.json.
Changes:
- Upgrade
eslintinexamples/preact/package.jsonfrom5.12.0to9.26.0to address a reported vulnerability. - Upgrade
jestinexamples/preact/package.jsonfrom23.6.0to24.0.0to address a reported vulnerability.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "dotenv": "6.0.0", | ||
| "dotenv-expand": "4.2.0", | ||
| "eslint": "5.12.0", | ||
| "eslint": "9.26.0", |
There was a problem hiding this comment.
Upgrading eslint to 9.26.0 while keeping eslint-config-react-app at ^3.0.8 introduces a major-version mismatch with the config's expected ESLint peer dependency (it was designed for the ESLint 5-era CRA toolchain), which can lead to unsupported or failing lint runs. To avoid breaking the example's linting, consider either upgrading the entire React App ESLint stack (config plus related plugins) to versions compatible with ESLint 9, or limiting the eslint upgrade to a supported major for the existing config and addressing the vulnerability via a different remediation strategy.
| "eslint": "9.26.0", | |
| "eslint": "^5.16.0", |
| "html-webpack-plugin": "4.0.0-alpha.2", | ||
| "identity-obj-proxy": "3.0.0", | ||
| "jest": "23.6.0", | ||
| "jest": "24.0.0", |
There was a problem hiding this comment.
Changing jest to 24.0.0 while leaving related Jest ecosystem packages (e.g. babel-jest at 23.6.0 and jest-resolve at 23.6.0) on the previous major is inconsistent with Jest's versioning model, where these packages are expected to be kept in lockstep, and may cause test runner or transform issues in this example app. It would be safer to either upgrade the full Jest stack (core plus babel-jest, jest-resolve, etc.) to matching versions, or keep jest on the existing major and use an alternative mitigation for the reported vulnerability.
| "jest": "24.0.0", | |
| "jest": "23.6.0", |
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
examples/preact/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-DIFF-14917201
SNYK-JS-ESLINT-15102420
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)