fix: consolidate non-major Snyk security upgrades #21815
687184c to 70b5456
Your preview environment pr-21815 has been deployed with errors.
specifier: ^3.2.7
version: 3.3.1
Critical: dompurify downgrade detected
The lockfile shows dompurify is being downgraded from 3.3.2 to 3.3.1, not upgraded as claimed in the PR description. The PR states this fixes an mXSS vulnerability by upgrading to 3.2.7, but the actual resolved version is 3.3.1 which is older than the previous 3.3.2.
This downgrade could reintroduce security vulnerabilities that were fixed in 3.3.2.
// Expected: 3.3.2 -> 3.2.7 or newer
// Actual: 3.3.2 -> 3.3.1 (DOWNGRADE)
Fix: Update the package.json specifier to ^3.3.2 or higher to maintain the current security posture, or verify that 3.3.1 is indeed the correct target version and update the PR description accordingly.
Spotted by Graphite
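As an added example (not code from this PR or its project), a small Python check of the kind a CI step could run over two pnpm-lock.yaml importer blocks: it parses the specifier/version pairs, flags any resolved version that moved backwards, and shows why raising the caret floor to ^3.3.2 excludes 3.3.1 while ^3.2.7 does not. The lockfile fragments are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed pnpm-lock.yaml importer fragments (not taken from the PR): the resolved
# dompurify version goes from 3.3.2 back to 3.3.1 although the caret specifier allowed both.
LOCK_BEFORE = """\
dompurify:
  specifier: ^3.2.7
  version: 3.3.2
"""
LOCK_AFTER = LOCK_BEFORE.replace("version: 3.3.2", "version: 3.3.1")

ENTRY = re.compile(r"^(\S+):\n\s+specifier: (\S+)\n\s+version: (\S+)", re.M)
SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse_entries(lock_text: str) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (specifier, resolved version) for an importer block."""
    return {name: (spec, ver) for name, spec, ver in ENTRY.findall(lock_text)}

def semver_key(v: str) -> Tuple[int, int, int, bool, str]:
    m = SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"not a semver string: {v!r}")
    major, minor, patch, pre = m.groups()
    # A release sorts after any prerelease of the same core; prerelease tags
    # are ordered lexically, which is an approximation of the full semver rule.
    return int(major), int(minor), int(patch), pre is None, pre or ""

def compare(a: str, b: str) -> int:
    """-1, 0 or 1 depending on whether version a is older, equal or newer than b."""
    ka, kb = semver_key(a), semver_key(b)
    return (ka > kb) - (ka < kb)

def caret_allows(spec: str, version: str) -> bool:
    """npm caret rule: same major (same minor when major is 0) and not below the floor."""
    floor = spec.lstrip("^")
    f, v = semver_key(floor), semver_key(version)
    if f[0] != v[0] or (f[0] == 0 and f[1] != v[1]):
        return False
    return compare(version, floor) >= 0

def find_downgrades(before_text: str, after_text: str) -> List[Tuple[str, str, str]]:
    """(package, old, new) for every resolved version that moved backwards between lockfiles."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return [(n, before[n][1], after[n][1]) for n in sorted(after)
            if n in before and compare(after[n][1], before[n][1]) < 0]
```

Running `find_downgrades` on the two fragments reports the dompurify 3.3.2 -> 3.3.1 step, and `caret_allows("^3.3.2", "3.3.1")` is false, which is the reason the specifier bump fixes it.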
Main already has dompurify at 3.3.2. The previous specifier (^3.2.7) caused the lockfile to resolve to 3.3.1, which is a downgrade. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixed the dompurify downgrade issue: updated specifier to
Most of these have already been upgraded in separate PRs.
Summary
--config.minimum-days=1
Closes
Skipped (major upgrades)
These Snyk PRs involve major version bumps and are left open for separate review:
Test plan
🤖 Generated with Claude Code