[Snyk] Security upgrade @thoughtspot/ts-chart-sdk from 0.0.2-alpha.23 to 1.0.0#210
mnk-blr wants to merge 1 commit into
…/pnpm-lock.yaml to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-ROLLUP-15340920

Minimum allowed coverage is
Generated by 🐒 cobertura-action against e361ab7
| }, | ||
| "dependencies": { | ||
| "@thoughtspot/ts-chart-sdk": "2.7.6", | ||
| "@thoughtspot/ts-chart-sdk": "1.0.0", |
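Review bot: the added line pins `"@thoughtspot/ts-chart-sdk": "1.0.0"` as an exact version while the removed line pinned `"2.7.6"`, so this hunk lowers the manifest's major version even though the PR title describes an upgrade from 0.0.2-alpha.23; the hunk should not be merged until the intended target version is confirmed and the manifest and lock file are regenerated from a consistent starting state.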
🚨 Critical Version Inconsistency: This line shows version "1.0.0" but the previous package.json had "2.7.6". Going from 2.7.6 → 1.0.0 appears to be a version downgrade, which is unusual for a security fix.
Issues:
- This violates semantic versioning expectations (major version should increment, not decrement)
- Could introduce breaking changes moving to an older major version
- Needs verification that 1.0.0 actually contains the security fix for SNYK-JS-ROLLUP-15340920
Recommendation: Verify the correct target version with Snyk. Security fixes typically move forward to newer versions, not backwards.
| @@ -6,8 +6,8 @@ settings: | |||
|
|
|||
| dependencies: | |||
| '@thoughtspot/ts-chart-sdk': | |||
0.0.2-alpha.23 but the PR description and package.json suggest different versions were involved.
Timeline appears to be:
- Lock file had: 0.0.2-alpha.23
- Package.json had: 2.7.6
- Now updating to: 1.0.0
This suggests the lock file was out of sync with package.json, which could indicate dependency management issues in the example project.
|
|
||
| /@thoughtspot/ts-chart-sdk@0.0.2-alpha.23: | ||
| resolution: {integrity: sha512-oxxPgKTtmiY94LnuOV+Iyf9z6nPzLZ+0cV49cHfy4/ud6LWy5/XBgrsMdgsQO1fHLWb33BpPzlq3RJPhhCPhCA==} | ||
| /@thoughtspot/ts-chart-sdk@1.0.0: |
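Review bot: the vulnerability this PR cites (SNYK-JS-ROLLUP-15340920) is in rollup, yet the only lock file entry visible in this hunk is the `/@thoughtspot/ts-chart-sdk@...` resolution being swapped from `0.0.2-alpha.23` to `1.0.0`; before merging, confirm that the lock file's resolved rollup version actually moves to a patched release, and that the new `1.0.0` resolution entry carries an `integrity:` field like the `sha512-...` one on the removed alpha entry.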
📦 Significant Dependency Changes: Version 1.0.0 introduces many new dependencies (cldr-data, globalize, various utility packages) that weren't present in the alpha version.
New dependencies include:
- cldr-data@36.0.5 - Large internationalization data package
- globalize@1.7.1 - Internationalization library
- Various utility packages (abbrev, axios, cross-spawn, etc.)
Concerns:
- Bundle size impact on the example application
- Potential security surface area increase
- Need to verify these dependencies don't introduce new vulnerabilities
Recommendation: Test the example application thoroughly to ensure it still works correctly with the new dependency tree.
PR Review Summary 🔍
Status: ❌ NOT READY FOR MERGE
This Snyk security fix PR has critical version consistency issues that must be resolved before merging.
🚨 Critical Issues Found
📋 Required Actions Before Merge
💡 Recommendation
The version inconsistencies suggest this may be an incorrect automated fix. Please manually verify the intended target version and regenerate the dependency updates to ensure consistency across package.json and lock files.
Review completed with specialized subagents for code quality, documentation accuracy, and test coverage.
Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.
Snyk changed the following file(s):
- example/custom-bar-chart/package.json
- example/custom-bar-chart/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-ROLLUP-15340920