[Snyk] Security upgrade bcrypt from 5.1.1 to 6.0.0#10
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15038581
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
Pull request overview
This PR upgrades bcrypt from version 5.1.1 to 6.0.0 to fix two medium-severity security vulnerabilities (SNYK-JS-TAR-15038581 and SNYK-JS-TAR-15032660) in the tar package, which was a transitive dependency of the older bcrypt version.
Changes:
- Upgrades bcrypt from ^5.1.1 to ^6.0.0 in package.json
- Updates pnpm-lock.yaml to reflect the new bcrypt version and its dependencies
- Removes tar and related vulnerable dependencies by switching from @mapbox/node-pre-gyp to node-gyp-build
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates bcrypt dependency specification from ^5.1.1 to ^6.0.0 |
| pnpm-lock.yaml | Updates lock file with new bcrypt version (6.0.0), removes vulnerable tar dependency and its transitive dependencies (@mapbox/node-pre-gyp, npmlog, gauge, etc.), and adds updated node-addon-api (8.5.0) and node-gyp-build (4.8.4) |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
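The overview above says the fix is not the bcrypt bump itself but the lockfile losing the tar chain (tar, @mapbox/node-pre-gyp, npmlog, gauge) in favour of node-gyp-build. As an added example, not part of the Snyk PR or the project, here is a post-merge check over pnpm-lock.yaml that verifies exactly that; it matches `name@version:` (or `/name@version:`) package keys with a regex, which assumes the usual pnpm lockfile layout rather than parsing YAML, and the lockfile fragments are constructed with placeholder versions and integrity values.

```javascript
// Added example (not part of the Snyk PR): check that a pnpm lockfile no
// longer pins the tar chain and that bcrypt now resolves to 6.x. Package
// keys are matched with a regex; this assumes pnpm-lock.yaml's layout.

// Packages the PR overview says the upgrade removes, and the majors it adds.
const REMOVED = ['tar', '@mapbox/node-pre-gyp', 'npmlog', 'gauge'];
const EXPECTED_MAJOR = { bcrypt: 6, 'node-gyp-build': 4, 'node-addon-api': 8 };

// Constructed lockfile fragments; versions and integrity values are placeholders.
const LOCK_BEFORE = `
packages:
  /@mapbox/node-pre-gyp@1.0.0:
  /bcrypt@5.1.1:
  /tar@6.0.0:
`;
const LOCK_AFTER = `
packages:
  bcrypt@6.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  node-addon-api@8.5.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  node-gyp-build@4.8.4:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Map package name -> version for every 2-space-indented entry under `packages:`.
// Nested lines (resolution, engines, ...) are indented deeper and are skipped.
function lockedPackages(lockText) {
  const re = /^ {2}\/?((?:@[^\/\s]+\/)?[^@\s\/]+)@(\d[^\s(:]*)/gm;
  const pkgs = new Map();
  for (const m of lockText.matchAll(re)) pkgs.set(m[1], m[2]);
  return pkgs;
}

// Return { ok, findings }: ok only when no removed package remains and each
// expected package is present at the expected major version.
function auditLockfile(lockText) {
  const pkgs = lockedPackages(lockText);
  const findings = [];
  for (const name of REMOVED) {
    if (pkgs.has(name)) findings.push(`${name}@${pkgs.get(name)} still present`);
  }
  for (const [name, major] of Object.entries(EXPECTED_MAJOR)) {
    const v = pkgs.get(name);
    if (v === undefined) findings.push(`${name} missing`);
    else if (Number(v.split('.')[0]) !== major) findings.push(`${name}@${v} is not ${major}.x`);
  }
  return { ok: findings.length === 0, findings };
}
```

Run it against the real lockfile by reading pnpm-lock.yaml into a string and passing it to `auditLockfile`; a non-empty `findings` list means the vulnerable chain is still resolved.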
| "@vercel/postgres": "^0.8.0", | ||
| "autoprefixer": "10.4.19", | ||
| "bcrypt": "^5.1.1", | ||
| "bcrypt": "^6.0.0", |
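Review bot: package.json only widens the range from ^5.1.1 to ^6.0.0; the actual fix for SNYK-JS-TAR-15038581 and SNYK-JS-TAR-15032660 lives in pnpm-lock.yaml, which Copilot did not review, so confirm that the updated lockfile no longer lists tar or @mapbox/node-pre-gyp and that only node-gyp-build and node-addon-api were added. Because bcrypt is a native addon and 6.0.0 changes how its binary is obtained, also run `pnpm install` on the CI and deployment images (Node >= 18) before merging so a failed rebuild is caught here rather than at deploy time.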
The bcrypt upgrade from 5.1.1 to 6.0.0 introduces a breaking change: the minimum Node.js version requirement has increased from ">= 10.0.0" to ">= 18". Consider adding an "engines" field to package.json to enforce this requirement and prevent deployment issues in environments running older Node versions. For example:

```json
"engines": {
  "node": ">=18.0.0"
}
```

This is particularly important since the PR metadata indicates this is a breaking change.
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
- package.json
- pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-TAR-15038581
- SNYK-JS-TAR-15032660
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
Learn how to fix vulnerabilities with free interactive lessons: Directory Traversal