[Snyk] Security upgrade @onekeyfe/cross-inpage-provider-core from 0.0.17 to 1.1.58#722
revan-zhang wants to merge 1 commit into onekey from
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-LODASH-15053838
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
| }, | ||
| "dependencies": { | ||
| "@onekeyfe/cross-inpage-provider-core": "^0.0.17", | ||
| "@onekeyfe/cross-inpage-provider-core": "^1.1.58", |
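Review bot: the hunk changes only the package.json range, from `^0.0.17` to `^1.1.58`; under caret semantics the old range never admitted anything beyond 0.0.x and the new one admits any 1.x release at or above 1.1.58, so the version that actually gets installed (and the lodash it pulls in transitively) is decided by yarn.lock, which does not appear in this diff. Please add the regenerated yarn.lock entry for `@onekeyfe/cross-inpage-provider-core@^1.1.58` to the PR so the resolved version and its lodash dependency can be reviewed alongside this change.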
🔴 yarn.lock not updated for major version bump of cross-inpage-provider-core
The package.json bumps @onekeyfe/cross-inpage-provider-core from ^0.0.17 to ^1.1.58 (a major version change), but the yarn.lock file was not updated — it still only contains an entry for ^0.0.17 resolving to 0.0.17 (yarn.lock:4779-4789). Running yarn install with --frozen-lockfile (as CI typically does) will fail because the lockfile doesn't satisfy the new version constraint. Without --frozen-lockfile, the lockfile would be regenerated, but the PR as-is is incomplete and will break reproducible builds.
Prompt for agents
Run `yarn install` (or the equivalent lockfile update command for this monorepo) to regenerate the yarn.lock file so it includes a resolution for `@onekeyfe/cross-inpage-provider-core@^1.1.58`. The updated yarn.lock must be committed alongside the package.json change. Also verify that the APIs used in packages/hd-web-sdk/src/utils/bridgeUtils.ts (JsBridgeIframe, setPostMessageListenerFlag, IJsBridgeIframeConfig) are still exported and compatible in the 1.x version of @onekeyfe/cross-inpage-provider-core, since this is a major version bump from 0.x.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| }, | ||
| "dependencies": { | ||
| "@onekeyfe/cross-inpage-provider-core": "^0.0.17", | ||
| "@onekeyfe/cross-inpage-provider-core": "^1.1.58", |
Lockfile not updated, security fix not applied
High Severity
The package.json now requires @onekeyfe/cross-inpage-provider-core at ^1.1.58, but the yarn.lock still resolves @onekeyfe/cross-inpage-provider-core@^0.0.17 to version 0.0.17, which transitively depends on the vulnerable lodash ^4.17.21. Until yarn.lock is regenerated, the actual installed version remains 0.0.17 and the Prototype Pollution vulnerability (SNYK-JS-LODASH-15053838) this PR aims to fix is not actually remediated. Merging this as-is creates a false sense of security.
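The lockfile drift described in the comment above can be caught mechanically before merge. The following is an added example, not code from this PR, the OneKey repository, Snyk or Cursor Bugbot: a Node.js check that parses a yarn v1 lockfile and verifies that every dependency range in package.json has a lockfile entry whose resolved version satisfies that range, reporting any stale entry for the same package. Only caret, tilde and exact ranges are implemented, which is enough for the case on this page. The sample package.json and both lockfile texts are constructed to mirror the PR's state (range bumped to `^1.1.58`, lockfile still resolving only `^0.0.17` to 0.0.17); the lockfile contents, including the lodash line, are illustrative and not copied from the repository.

```javascript
// Added example (not part of the PR or the repository): detect yarn.lock drift,
// i.e. a package.json range that the committed yarn v1 lockfile does not resolve.
// Handles caret (^), tilde (~) and exact ranges, which covers the case in this PR.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lower bound (inclusive) and upper bound (exclusive) of a range.
function rangeBounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  let upper;
  if (op === '^') {
    // npm caret rules: ^1.1.58 -> <2.0.0, ^0.1.2 -> <0.2.0, ^0.0.17 -> <0.0.18
    if (base[0] > 0) upper = [base[0] + 1, 0, 0];
    else if (base[1] > 0) upper = [0, base[1] + 1, 0];
    else upper = [0, 0, base[2] + 1];
  } else if (op === '~') {
    upper = [base[0], base[1] + 1, 0];
  } else {
    upper = [base[0], base[1], base[2] + 1];
  }
  return [base, upper];
}

function satisfies(version, range) {
  const [lo, hi] = rangeBounds(range);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Parse a yarn v1 lockfile into { "name@range": resolvedVersion }.
function parseYarnLock(text) {
  const resolved = {};
  let keys = [];
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      // Entry header: one or more comma-separated "name@range" keys ending in ':'
      keys = line.replace(/:\s*$/, '').split(',')
        .map((k) => k.trim().replace(/^"|"$/g, ''));
    } else {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) for (const k of keys) resolved[k] = m[1];
    }
  }
  return resolved;
}

// Returns a list of problems (empty when the lockfile matches package.json).
function checkLockfile(packageJson, lockText) {
  const lock = parseYarnLock(lockText);
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const problems = [];
  for (const [name, range] of Object.entries(deps)) {
    if (`${name}@${range}` in lock) continue;
    // No entry for this exact range: report what the lockfile does resolve for the name.
    const stale = Object.entries(lock)
      .filter(([k]) => k.slice(0, k.lastIndexOf('@')) === name)
      .map(([k, v]) => `${k} -> ${v}${satisfies(v, range) ? '' : ' (does not satisfy ' + range + ')'}`);
    problems.push(`${name}@${range}: no lockfile entry` +
      (stale.length ? `; existing entries: ${stale.join(', ')}` : ''));
  }
  return problems;
}

// Constructed sample mirroring this PR: package.json bumped, lockfile not regenerated.
const PACKAGE_JSON = {
  dependencies: { '@onekeyfe/cross-inpage-provider-core': '^1.1.58' },
};
const STALE_LOCK = `
# yarn lockfile v1

"@onekeyfe/cross-inpage-provider-core@^0.0.17":
  version "0.0.17"
  dependencies:
    lodash "^4.17.21"

lodash@^4.17.21:
  version "4.17.21"
`;
// Constructed lockfile as it would look once yarn install has regenerated it.
const REGENERATED_LOCK = `
"@onekeyfe/cross-inpage-provider-core@^1.1.58":
  version "1.1.58"
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkLockfile(PACKAGE_JSON, STALE_LOCK));       // one problem reported
  console.log(checkLockfile(PACKAGE_JSON, REGENERATED_LOCK)); // []
}
```

Run as a CI step against the real files (`JSON.parse(fs.readFileSync('package.json'))` and `fs.readFileSync('yarn.lock', 'utf8')`) and fail the job when the returned list is non-empty; that catches a bumped range without a matching lockfile entry independently of whether `--frozen-lockfile` is used. A non-empty list for the stale lockfile above names the old `^0.0.17 -> 0.0.17` entry and states that it does not satisfy `^1.1.58`.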
| }, | ||
| "dependencies": { | ||
| "@onekeyfe/cross-inpage-provider-core": "^0.0.17", | ||
| "@onekeyfe/cross-inpage-provider-core": "^1.1.58", |
Major version bump risks breaking API compatibility
High Severity
Upgrading @onekeyfe/cross-inpage-provider-core from 0.0.x to 1.1.x is a major version bump. The codebase imports JsBridgeIframe, setPostMessageListenerFlag, and IJsBridgeIframeConfig from this package in bridgeUtils.ts. A major version change very likely includes breaking API changes (renamed exports, changed constructor signatures, removed functions). Once the lockfile is updated to actually resolve v1.1.58, the build may fail or behave incorrectly.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Warning: Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/hd-web-sdk/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LODASH-15053838
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Prototype Pollution
Note
Medium Risk
Upgrades a core postMessage bridge dependency from 0.0.17 to ^1.1.58, which could introduce breaking behavior changes in the iframe/bridge integration despite being a security-motivated bump.
Overview
Updates packages/hd-web-sdk/package.json to upgrade @onekeyfe/cross-inpage-provider-core from ^0.0.17 to ^1.1.58 (Snyk security bump). No code changes are included, but the new dependency version may affect runtime behavior where JsBridgeIframe/postMessage bridging is used.
Written by Cursor Bugbot for commit 16e1d71.