The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-15789759
- https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-15789761
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| "multistream": "^2.1.1", | ||
| "mysql2": "^3.10.1", | ||
| "rimraf": "^3.0.2", | ||
| "rimraf": "^6.1.1", |
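Review bot: the rimraf bump from ^3.0.2 to ^6.1.1 crosses three major versions in a single line of package.json, but no call site is changed alongside it; as the comment below notes, src/common/utils/utils.ts still does `import rimraf = require("rimraf")` and `promisify(rimraf)`, which only works for the v3 callback API. Either keep rimraf on a 3.x patch release that satisfies the Snyk finding, or update the import to the named `{ rimraf }` export, drop the `promisify` wrapper, and raise the `engines.node` range in the same PR so the package stays installable on the versions it claims to support.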
Major rimraf version bump breaks production code API
High Severity
Upgrading rimraf from ^3.0.2 to ^6.1.1 is a breaking major version change. The production code in src/common/utils/utils.ts does import rimraf = require("rimraf") followed by promisify(rimraf), relying on the callback-based API of v3. In v6, rimraf returns a Promise natively, has no default export (requires named import { rimraf }), and doesn't accept callbacks. This will cause rimrafAsync to malfunction, breaking all clean() operations across LokiBlobMetadataStore, FSExtentStore, and LokiExtentMetadataStore. The test file tests/testutils.ts also uses the v3 callback-style API directly.
| "axios": "^0.27.0", | ||
| "etag": "^1.8.1", | ||
| "express": "^4.16.4", | ||
| "express": "^4.22.0", |
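Review bot: the express change from ^4.16.4 to ^4.22.0 stays within the 4.x line, so unlike the rimraf hunk it carries no API break on its own; the comment that follows is about the rimraf 6 engine requirement rather than this line. What should still be confirmed for this hunk is that the refreshed lockfile resolves path-to-regexp to a release covered by SNYK-JS-PATHTOREGEXP-15789761, since the caret range alone does not pin the transitive version, and that routing tests pass against the new qs parser pulled in under express.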
Node.js engine requirement conflict with rimraf 6
Medium Severity
The project declares "node": ">=10.0.0" in its engines field, but rimraf 6.1.1 (and its dependencies like glob 12, jackspeak 4, path-scurry 2) require "node": "20 || >=22". Users running on Node.js 14, 16, or 18 — which the project explicitly claims to support — will encounter failures at runtime from these dependencies.


Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-BRACEEXPANSION-15789759
- SNYK-JS-PATHTOREGEXP-15789761
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
Note
High Risk
Upgrading rimraf from v3 to v6 introduces a new Node.js engine requirement (>=20), which may break installs/builds in environments that still follow the project's current node >=10 engine range. The express bump is smaller but still affects request routing/parsing dependencies and should be smoke-tested.
Overview
Updates runtime dependencies to remediate reported Snyk issues by upgrading express to 4.22.0 and rimraf to 6.1.1. The lockfile is refreshed accordingly, pulling in newer transitive packages (notably around glob/minimatch and qs under express) and reflecting updated dependency constraints and metadata.
Written by Cursor Bugbot for commit 2c7832d. This will update automatically on new commits.