chore(SEC-11590): security upgrades for shortcuts-sandbox#2
Conversation
Resolve 2 CRITICAL security advisories via yarn resolutions: - form-data: 3.0.1 -> 3.0.4 (GHSA-fjxv-7rqg-78g4) - @babel/traverse: 7.22.15 -> 7.29.7 (GHSA-67hx-6x53-jw92) Both packages are transitive dependencies pulled in by react-scripts; upgrades are pinned via package.json "resolutions" and the lockfile is regenerated. Build verified successfully (no test suite exists).
|
PR opened by agent Execution log |
📝 WalkthroughWalkthroughThe package.json now includes a new ChangesDependency Resolution Overrides
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
Pushed commit Execution logBranch autopilot2/sec-11590_critical-2-security-upgrades-in-phantom-shortcuts-sandbox pushed |
|
PR opened by agent Execution logDraft PR: #2 |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 35-38: Change the two resolution entries in package.json from
caret ranges to exact pinned versions to prevent unintended upgrades: replace
"form-data": "^3.0.4" with "form-data": "3.0.4" and replace "`@babel/traverse`":
"^7.23.2" with the exact vetted version you intend to lock (e.g., "7.29.7" if
that's the audited version); update the "resolutions" object entries for
form-data and `@babel/traverse` accordingly and run install to regenerate
lockfiles.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 9d3abb84-6959-44d3-a546-8cbf13f570ef
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (1)
package.json
| "resolutions": { | ||
| "form-data": "^3.0.4", | ||
| "@babel/traverse": "^7.23.2" | ||
| } |
There was a problem hiding this comment.
Use exact versions for CRITICAL security fixes instead of caret ranges.
The caret (^) version constraints allow minor and patch version updates, which could inadvertently introduce new vulnerabilities or breaking changes in future installs. For CRITICAL security advisories like the ones being addressed here, it's safer to pin exact versions in the resolutions block.
Current behavior:
^3.0.4permits any version ≥3.0.4 and <4.0.0 (e.g., 3.0.5, 3.1.0)^7.23.2permits any version ≥7.23.2 and <8.0.0 (e.g., 7.24.0, 7.30.0)
While yarn.lock currently locks the exact versions (3.0.4 and 7.29.7), future yarn install operations may upgrade these dependencies, potentially undermining the security fix.
🔒 Proposed fix: Pin exact versions
"resolutions": {
- "form-data": "^3.0.4",
- "`@babel/traverse`": "^7.23.2"
+ "form-data": "3.0.4",
+ "`@babel/traverse`": "7.29.7"
}Alternatively, if you want to allow only patch-level updates, use tilde ranges:
"resolutions": {
- "form-data": "^3.0.4",
- "`@babel/traverse`": "^7.23.2"
+ "form-data": "~3.0.4",
+ "`@babel/traverse`": "~7.29.7"
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "resolutions": { | |
| "form-data": "^3.0.4", | |
| "@babel/traverse": "^7.23.2" | |
| } | |
| "resolutions": { | |
| "form-data": "3.0.4", | |
| "`@babel/traverse`": "7.29.7" | |
| } |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` around lines 35 - 38, Change the two resolution entries in
package.json from caret ranges to exact pinned versions to prevent unintended
upgrades: replace "form-data": "^3.0.4" with "form-data": "3.0.4" and replace
"`@babel/traverse`": "^7.23.2" with the exact vetted version you intend to lock
(e.g., "7.29.7" if that's the audited version); update the "resolutions" object
entries for form-data and `@babel/traverse` accordingly and run install to
regenerate lockfiles.
1 participant
Summary
Resolves SEC-11590 by upgrading 2 transitive dependencies flagged with CRITICAL advisories.
Both packages are transitive dependencies (pulled in via
react-scripts), so the upgrades are pinned through a newresolutionsblock inpackage.jsonand the lockfile is regenerated.@babel/traversewas upgraded to 7.29.7 — the latest compatible version, well above the 7.23.2 minimum fix.Test plan
yarn installsucceeds and regeneratesyarn.lockyarn.lockshows form-data@3.0.4 and @babel/traverse@7.29.7CI=true yarn buildcompiles successfullysrc/contains no*.test.*/*.spec.*files), so the only behavioral verification is the production build🤖 Generated with Claude Code
Summary by CodeRabbit