Skip to content

[Snyk] Security upgrade npm from 8.19.4 to 10.9.6#754

Open
pushkala-datastax wants to merge 1 commit into
2.10_dsfrom
snyk-fix-dfbeed1b6b504e26853a8b999d8413cd
Open

[Snyk] Security upgrade npm from 8.19.4 to 10.9.6#754
pushkala-datastax wants to merge 1 commit into
2.10_dsfrom
snyk-fix-dfbeed1b6b504e26853a8b999d8413cd

Conversation

@pushkala-datastax

Copy link
Copy Markdown
Collaborator

snyk-top-banner

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • site2/website-next/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Infinite loop
SNYK-JS-TAR-17909068
  828  
high severity Allocation of Resources Without Limits or Throttling
SNYK-JS-TAR-17909152
  828  
medium severity Incorrect Type Conversion or Cast
SNYK-JS-TAR-17909104
  738  
medium severity Uncaught Exception
SNYK-JS-TAR-17909225
  738  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Uncaught Exception

@pushkala-datastax

Copy link
Copy Markdown
Collaborator Author

Merge Risk: High

This is a major upgrade from npm v8 to v10, introducing significant breaking changes across two major versions.

npm v9 Breaking Changes

  • Node.js Support Dropped: Support for Node.js versions outside of ^14.17.0, ^16.13.0, or >=18.0.0 has been removed. [1, 2]
  • Authentication: Unscoped authentication settings in .npmrc files are no longer supported and will cause errors. Auth settings must be scoped to a specific registry. [1, 2]
  • File Permissions: npm will no longer change the ownership of files it creates, which may affect some Docker-based workflows. [1, 2]
  • Git Dependencies: Git URLs now default to HEAD instead of master when generating links. [1, 2]

npm v10 Breaking Changes

  • Node.js Support Dropped Further: Support for Node.js 14 and 16 has been completely removed. The minimum required versions are now ^18.17.0 or >=20.5.0. [3, 4]
  • Workspace Scripts: When running scripts across workspaces, npm will now error if a script is missing in any workspace. To retain the old behavior of ignoring missing scripts, you must use the --if-present flag. [3, 4]
  • Configuration Removals: The ci-name, tmp, and metrics-registry configuration options have been removed. [3]
  • Publish Behavior: The CLI will no longer automatically retry publishing a package if it receives a 409 Conflict error. [3]

Recommendation: This upgrade requires developer action. You must verify that your development and CI/CD environments are running a compatible Node.js version (18.17.0+ or 20.5.0+). Additionally, review your package.json scripts if you use npm workspaces to add the --if-present flag where necessary, and update your .npmrc files to ensure all authentication settings are scoped to a registry.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants