[Snyk] Fix for 1 vulnerabilities#12932
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-17706650
This set of upgrades includes a major, high-risk update to
High Risk: This is a double-major version upgrade that introduces significant breaking changes requiring code modifications. The upgrade spans Language Server Protocol versions up to 3.18. Key Breaking Changes:
Recommendation: Developers must carefully review the official changelogs for both v9 and v10, update client initialization and lifecycle management code, and adjust import paths as necessary before merging.
Low Risk: This is a patch release that fixes a native module build issue on macOS Sequoia by switching to
1 issue found across 1 file
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="extensions/vscode/package.json">
<violation number="1" location="extensions/vscode/package.json:766">
P2: Upgrading unused dependency `vscode-languageclient` from `^8.0.2` to `^10.0.0` skips v9 and brings a VS Code engine requirement of `^1.91.0`, far above the extension's `^1.70.0` target. Since the package is never imported in any source file, the brace-expansion vulnerability would be better fixed with a targeted override instead. This change adds unnecessary install-time risk with zero runtime benefit.</violation>
</file>
| "vectordb": "0.4.20", | ||
| "vitest": "^3.1.4", | ||
| "vscode-languageclient": "^8.0.2", | ||
| "vscode-languageclient": "^10.0.0", |
<file context>
@@ -763,7 +763,7 @@
"vectordb": "0.4.20",
"vitest": "^3.1.4",
- "vscode-languageclient": "^8.0.2",
+ "vscode-languageclient": "^10.0.0",
"ws": "^8.19.0",
"yarn": "^1.22.21"
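Review bot: the `vscode-languageclient` line jumps two majors (`^8.0.2` to `^10.0.0`) while nothing in this hunk touches the `engines.vscode` field that the review comment above says must rise from `^1.70.0` to `^1.91.0` for v10; either raise `engines.vscode` in the same change or, since the comment reports the package is never imported, drop the line (or keep `^8.0.2` and add an `overrides` entry pinning `brace-expansion`) so SNYK-JS-BRACEEXPANSION-17706650 is fixed without narrowing the extension's supported VS Code range. The PR description lists only `extensions/vscode/package.json` as changed, so if the project commits a lockfile it would also need regenerating for this range bump to take effect.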
</file context>
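The review comment above argues for a targeted override instead of a cross-major bump; the check behind that decision is seeing which chains in the lockfile pull in `brace-expansion` and on which major lines. As an added example (not code from this PR, Snyk or cubic), the script below walks a constructed npm lockfile v2/v3 `packages` map with npm's `node_modules` lookup rule; the package versions and the `example-tool` dependency are assumptions, not the repository's real tree.

```javascript
// Lists every dependency chain in an npm lockfile "packages" map (v2/v3) that
// ends at `target`, following npm's node_modules lookup (<pkg>/node_modules/<name>,
// then each ancestor). The chains and majors involved show whether an "overrides"
// entry can fix the transitive package without bumping a direct dependency.
function resolveDep(packages, fromLoc, name) {
  let base = fromLoc;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
function chainsTo(lock, target) {
  const packages = lock.packages, chains = [];
  const walk = (loc, labels, seen) => {
    const meta = packages[loc] || {};
    const deps = { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) };
    for (const name of Object.keys(deps).sort()) {
      const next = resolveDep(packages, loc, name);
      if (!next || seen.has(next)) continue; // unresolved entry or cycle
      const label = `${name}@${packages[next].version}`;
      if (name === target) chains.push([...labels, label].join(" > "));
      else walk(next, [...labels, label], new Set(seen).add(next));
    }
  };
  walk("", [], new Set());
  return chains;
}
// Distinct major lines of `target`: an override must map each one to a fixed
// release on that line, or it will not apply to that copy.
function installedMajors(lock, target) {
  const majors = new Set();
  for (const [loc, meta] of Object.entries(lock.packages))
    if (loc.endsWith("node_modules/" + target)) majors.add(Number(meta.version.split(".")[0]));
  return [...majors].sort((a, b) => a - b);
}
// Constructed lockfile (not the repository's): a hoisted brace-expansion 1.x under
// minimatch 3.x, and a nested 2.x under a hypothetical tool's own minimatch 9.x.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { devDependencies: { "vscode-languageclient": "^8.0.2", "example-tool": "^1.0.0" } },
  "node_modules/vscode-languageclient": { version: "8.1.0", dependencies: { minimatch: "^3.0.4" } },
  "node_modules/minimatch": { version: "3.1.2", dependencies: { "brace-expansion": "^1.1.7" } },
  "node_modules/brace-expansion": { version: "1.1.11" },
  "node_modules/example-tool": { version: "1.0.0", dependencies: { minimatch: "^9.0.0" } },
  "node_modules/example-tool/node_modules/minimatch": { version: "9.0.5", dependencies: { "brace-expansion": "^2.0.1" } },
  "node_modules/example-tool/node_modules/brace-expansion": { version: "2.0.1" },
} };
console.log(chainsTo(sampleLock, "brace-expansion"), installedMajors(sampleLock, "brace-expansion"));
```

Run against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; two majors in the output means an `overrides` entry has to cover both lines.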
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
extensions/vscode/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-BRACEEXPANSION-17706650
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.