[Snyk] Security upgrade lerna from 3.0.0-rc.0 to 6.4.1 #20
MHxGH-ServiceAccount wants to merge 1 commit into master from
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15416075
The upgrade from Lerna v3 to v6 is a major undertaking with significant breaking changes. Lerna's stewardship was transferred to Nrwl (the creators of Nx), and its core functionality has been fundamentally re-architected. Key Breaking Changes:
Recommendation: This is a high-effort migration that will require significant changes to your repository's setup and CI/CD workflows.
Source: Lerna GitHub Releases, Lerna Documentation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| }, | ||
| "dependencies": { | ||
| "lerna": "^3.0.0-rc.0" | ||
| "lerna": "^6.4.1" |
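Review bot: the bump to "^6.4.1" on this line is a major-version jump from a v3 release candidate and arrives without a matching yarn.lock change, so installs and CI may keep resolving the old transitive tree (including the tar version that SNYK-JS-TAR-15416075 concerns) until the lockfile is regenerated; regenerate and commit yarn.lock in the same PR, and check the scripts that invoke lerna for v3-only options before merging.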
Lerna v6 upgrade breaks release-canary script flags
High Severity
Upgrading lerna to ^6.4.1 breaks the release-canary script (line 16) which uses --cd-version and --npm-tag flags that were removed in Lerna v4+. In Lerna 6, --cd-version no longer exists (versioning was split into a separate lerna version command) and --npm-tag was renamed to --dist-tag. The canary release process will fail at runtime with unrecognized option errors.
| }, | ||
| "dependencies": { | ||
| "lerna": "^3.0.0-rc.0" | ||
| "lerna": "^6.4.1" |
lerna.json bootstrap config incompatible with v6
Medium Severity
Upgrading to lerna v6 while lerna.json still contains command.bootstrap configuration is incompatible. The lerna bootstrap command was entirely removed in Lerna v6 (replaced by native package manager workspaces). This dead configuration may cause warnings or unexpected behavior when Lerna reads its config file.
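A pre-merge check for the two Bugbot findings above, as an added example that is not code from this PR, Snyk, Lerna or Cursor: it scans a package.json's scripts for the removed `--cd-version` and `--npm-tag` options and a lerna.json for a leftover `command.bootstrap` block. The `auditLernaUpgrade` function and the sample package.json / lerna.json contents are constructed for the example, not the repository's real files.

```javascript
// Options the review comment says Lerna v4+ no longer accepts, with the
// v6 replacement named in that comment.
const REMOVED_FLAGS = {
  '--cd-version': 'removed; use `lerna version <bump>` (versioning is a separate command in v6)',
  '--npm-tag': 'renamed to --dist-tag',
};

// Returns a list of findings; an empty list means nothing v3-specific was found.
function auditLernaUpgrade(pkg, lernaConfig) {
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!/\blerna\b/.test(cmd)) continue; // only lerna invocations can carry these flags
    for (const [flag, fix] of Object.entries(REMOVED_FLAGS)) {
      if (cmd.includes(flag)) {
        findings.push({ severity: 'high', where: `scripts.${name}`, flag, fix });
      }
    }
  }
  // Dead configuration: lerna.json still carries a bootstrap section.
  if (lernaConfig && lernaConfig.command && lernaConfig.command.bootstrap) {
    findings.push({
      severity: 'medium',
      where: 'lerna.json command.bootstrap',
      flag: 'bootstrap',
      fix: 'drop the bootstrap config; use package-manager workspaces instead',
    });
  }
  return findings;
}

// Constructed sample inputs shaped like the files Bugbot describes (hypothetical values).
const samplePkg = {
  dependencies: { lerna: '^6.4.1' },
  scripts: {
    'release-canary': 'lerna publish --cd-version prerelease --npm-tag canary --yes',
    test: 'jest',
  },
};
const sampleLerna = { version: 'independent', command: { bootstrap: { hoist: true } } };

function runAudit() {
  return auditLernaUpgrade(samplePkg, sampleLerna);
}

for (const f of runAudit()) {
  console.log(`[${f.severity}] ${f.where}: ${f.flag} -> ${f.fix}`);
}
```

Run it against the real package.json and lerna.json (read with `JSON.parse`) before merging a major Lerna bump; any `high` finding means a script will fail at runtime with an unrecognized-option error.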


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project; you will need to run `yarn` to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15416075
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Symlink Attack
Note: Medium Risk
Major-version upgrade of the monorepo/release toolchain may break existing lerna publish/workspace workflows, and the lockfile is not updated in this PR.
Overview
Updates the project's lerna dependency from ^3.0.0-rc.0 to ^6.4.1 to address a reported security issue. No corresponding yarn.lock change is included, so installs/CI may still resolve the old transitive tree until the lockfile is regenerated.
Written by Cursor Bugbot for commit 080d549.