Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/middleware/express/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,6 @@
"tsdown": "catalog:devTools",
"typescript": "catalog:devTools",
"typescript-eslint": "catalog:devTools",
"vitest": "catalog:devTools"
"vitest": "4.1.8"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Pin has no effect without lockfile update and leaves other workspace packages vulnerable

This change pins vitest to "4.1.8" in one package, but:

  1. pnpm-lock.yaml still resolves vitest to 4.1.2 (catalog section, lines 78-80). pnpm defers to the lockfile, so this pin is a no-op until the lockfile is regenerated. Snyk itself flagged this: "Failed to update the pnpm-lock.yaml, please update manually before merging."

  2. The vulnerability (SNYK-JS-VITEST-17375131) exists across 12+ packages that all resolve vitest via "catalog:devTools" — only this one package is patched. The catalog specifier in pnpm-workspace.yaml (line 34) is already ^4.0.15, which includes 4.1.8. The proper fix is to regenerate the lockfile so the catalog resolves the patched version workspace-wide, rather than pinning one package and leaving the rest on the vulnerable 4.1.2.


Reply with @kilocode-bot fix it to have Kilo Code address this issue.

}
}
Loading