The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-FORMDATA-10841150
Pull Request Overview
This is a security-focused PR that upgrades four npm dependencies to fix a critical vulnerability (SNYK-JS-FORMDATA-10841150) with a score of 863/1000. The vulnerability is related to "Predictable Value Range from Previous Values" in the form-data package, which is resolved by upgrading dependencies that include this package in their dependency tree.
- Upgrades @slack/client from 4.12.0 to 5.0.2 (major version bump)
- Upgrades juice from 5.2.0 to 7.0.0 (major version bump)
- Upgrades node-gcm from 0.14.4 to 1.1.0 (major version bump)
- Upgrades turndown from 5.0.3 to 6.0.0 (major version bump)
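The overview above states how the fix works: form-data is not a direct dependency, so it is repaired by bumping the four direct dependencies whose trees contain it. What actually decides the installed form-data version is package-lock.json, so the check a reviewer wants is "which copies of form-data does the lock resolve, through which direct dependency, and is each one at or above the fixed version for its major line". The script below is an added example, not code from this PR, from Snyk or from Copilot. It walks an npm lockfile (the `packages` map of lockfileVersion 2/3) with npm's nested node_modules resolution, lists every installed copy of a named package together with the direct dependencies that reach it, and flags copies below a per-major threshold. The sample lock uses fictional direct-dependency names, and the `FIXED_BY_MAJOR` thresholds are placeholders, not the advisory's values; take the real fixed versions from SNYK-JS-FORMDATA-10841150 before running this against a real lock.

```javascript
// Added example, not code from this PR, Snyk or Copilot. Walks an npm lockfile
// (lockfileVersion 2/3 "packages" map) to find every installed copy of a
// package and the direct dependencies that pull it in, then flags copies that
// sit below a per-major "fixed in" version.

// Constructed sample lockfile with fictional direct dependencies; only
// "form-data" is a real package name, used because it is the one this PR is about.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "chat-sdk": "^5.0.2", "css-inliner": "^7.0.0", "push-client": "1.1.0" } },
    "node_modules/chat-sdk": { version: "5.0.2", dependencies: { "http-helper": "^1.0.0" } },
    "node_modules/http-helper": { version: "1.0.3" },
    "node_modules/css-inliner": { version: "7.0.0", dependencies: { "resource-fetch": "^2.0.0" } },
    "node_modules/resource-fetch": { version: "2.1.0", dependencies: { "form-data": "~2.3.2" } },
    "node_modules/form-data": { version: "2.3.3" },
    "node_modules/push-client": { version: "1.1.0", dependencies: { "form-data": "^4.0.0" } },
    "node_modules/push-client/node_modules/form-data": { version: "4.0.1" },
  },
};

// PLACEHOLDER thresholds (an assumption, not the advisory's numbers): lowest
// version of each major line treated as fixed. Replace with the values from
// the Snyk advisory before using this against a real lockfile.
const FIXED_BY_MAJOR = { 2: "2.4.0", 4: "4.0.1" };

// Package name from an install path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// npm resolution: look in fromPath's own node_modules, then walk up to the root.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const up = base.lastIndexOf("/node_modules/");
    base = up === -1 ? "" : base.slice(0, up);
  }
}

// Every installed copy of `target`, with the direct dependencies that reach it.
function findInstalls(lock, target) {
  const packages = lock.packages;
  const direct = Object.keys((packages[""] || {}).dependencies || {});
  const found = new Map(); // install path -> { version, via: [direct deps] }
  for (const dep of direct) {
    const start = resolveDep(packages, "", dep);
    if (!start) continue;
    const stack = [start];
    const seen = new Set(stack); // per-direct-dependency cycle guard
    while (stack.length) {
      const p = stack.pop();
      const entry = packages[p];
      if (nameOf(p) === target) {
        const rec = found.get(p) || { version: entry.version, via: [] };
        rec.via.push(dep);
        found.set(p, rec);
      }
      for (const child of Object.keys(entry.dependencies || {})) {
        const cp = resolveDep(packages, p, child);
        if (cp && !seen.has(cp)) { seen.add(cp); stack.push(cp); }
      }
    }
  }
  return [...found].map(([path, r]) => ({ path, version: r.version, via: r.via.sort() }));
}

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparsable version: ${v}`);
  return m.slice(1).map(Number);
}

function isBelow(version, minimum) {
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Copies of `target` below the fixed version of their major line; a major
// line with no threshold is kept and reported as "unverified".
function findUnpatched(lock, target, fixedByMajor) {
  return findInstalls(lock, target).map((inst) => {
    const fixed = fixedByMajor[parseVersion(inst.version)[0]];
    const status = fixed === undefined ? "unverified" : isBelow(inst.version, fixed) ? "vulnerable" : "fixed";
    return { ...inst, status };
  }).filter((inst) => inst.status !== "fixed");
}

// Stand-alone run: pass a package-lock.json path to audit a real lock, else the sample.
function main(lockPath) {
  const lock = lockPath ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
  for (const inst of findUnpatched(lock, "form-data", FIXED_BY_MAJOR)) {
    console.log(`${inst.status}: ${inst.path}@${inst.version} via ${inst.via.join(", ")}`);
  }
}
if (typeof require !== "undefined" && require.main === module) main(process.argv[2]);
```

On the sample lock the only finding is the root copy `node_modules/form-data@2.3.3`, reached through `css-inliner`; the nested copy under `push-client` is at its placeholder threshold and is not reported. Nested copies matter here because a direct dependency that declares a newer form-data range gets its own copy under its own node_modules while an older root copy can survive for everyone else, so a check that only looks at `node_modules/form-data` misses half the picture.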
| "@rocket.chat/mp3-encoder": "^0.20.1", | ||
| "@rocket.chat/ui-kit": "^0.20.1", | ||
| "@slack/client": "^4.12.0", | ||
| "@slack/client": "^5.0.2", |
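Review bot: the range bump `"@slack/client": "^4.12.0"` → `"^5.0.2"` only raises the floor for the direct dependency; which form-data version is actually installed is decided by package-lock.json, which this PR also changes (it is listed under the files Snyk changed) but whose hunk is not shown here. Before merging, check the resolved lock for every remaining copy of form-data, including nested copies under each of the four upgraded packages, and confirm none is still in the range SNYK-JS-FORMDATA-10841150 covers; the caret ranges in package.json cannot guarantee that on their own.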
The @slack/client upgrade from 4.x to 5.x is a major version change that likely introduces breaking changes. Review the migration guide and ensure all usage of this package is compatible with the new API.
| "jschardet": "^1.6.0", | ||
| "jsrsasign": "^8.0.24", | ||
| "juice": "^5.2.0", | ||
| "juice": "^7.0.0", |
The juice upgrade from 5.x to 7.x represents two major version increments, which may include significant breaking changes. Verify that all CSS inlining functionality works as expected after this upgrade.
| "nats": "^1.4.8", | ||
| "node-dogstatsd": "^0.0.7", | ||
| "node-gcm": "0.14.4", | ||
| "node-gcm": "1.1.0", |
The node-gcm upgrade from 0.x to 1.x is a major version change that may introduce breaking changes to Google Cloud Messaging functionality. Ensure all push notification features continue to work correctly.
| "node-gcm": "1.1.0", | |
| "node-gcm": "^1.1.0", |
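Review bot: this pair loosens node-gcm from the exact pin `"1.1.0"` to the range `"^1.1.0"`, changing the pinning policy of the one entry among these four that was exactly pinned before the PR (`"0.14.4"`); it does not change which version gets installed, since package-lock.json decides that. An exact pin is the stricter choice for a security bump, so keep `"1.1.0"` unless the intent is specifically to align this entry with the caret style used by the other three, in which case say so in the PR.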
| "tinykeys": "^1.1.0", | ||
| "toastr": "^2.1.4", | ||
| "turndown": "^5.0.3", | ||
| "turndown": "^6.0.0", |
The turndown upgrade from 5.x to 6.x is a major version change that may affect HTML to Markdown conversion functionality. Test all conversion features to ensure compatibility with the new version.
| "turndown": "^6.0.0", | |
| "turndown": "^5.0.3", |
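Review bot: read with the old-then-new convention of the hunks above, this pair takes turndown from `"^6.0.0"` back to `"^5.0.3"`, i.e. it reverts the turndown upgrade the overview lists as part of the fix. Applying it would leave the `^5.0.3` range in place and partly undo the SNYK-JS-FORMDATA-10841150 fix; if it is a suggested change it should be rejected, and if it is a stray second rendering of the same hunk it can be ignored, but it should not be merged as-is.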
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-FORMDATA-10841150
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.