Skip to content

[Snyk] Fix for 1 vulnerabilities#255

Open
rachellerathbone wants to merge 1 commit into
mainfrom
snyk-fix-2a5052e7bd3d187e3c001b5fa364d5ca
Open

[Snyk] Fix for 1 vulnerabilities#255
rachellerathbone wants to merge 1 commit into
mainfrom
snyk-fix-2a5052e7bd3d187e3c001b5fa364d5ca

Conversation

@rachellerathbone

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Inefficient Algorithmic Complexity
SNYK-JS-BRACEEXPANSION-17706650
  721  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@rachellerathbone

Copy link
Copy Markdown
Author

Merge Risk: High

This upgrade includes major versions for both @forge/api and @forge/events, introducing significant breaking changes that require code modifications.

@forge/api v4.3.0 → v6.3.0

This is a high-risk upgrade. The most critical breaking change is the removal of the legacy storage module.

Breaking Changes:

  • Legacy Storage Removal: The import { storage } from '@forge/api' module has been completely removed. Any applications still using this will fail to build and run.
  • TypeScript 5 Support: Forge packages now ship with TypeScript 5 compatible types. While this is an enhancement, compatibility with TypeScript 4 is not guaranteed in future releases.
  • Node.js Version: Major version updates often include dropping support for older Node.js versions. Community discussions suggest this version moves to support Node 20, which may affect environments running older versions.

Recommendation:

  • Migrate Storage: Immediately migrate from the legacy storage API to the @forge/kvs package to avoid service disruption.
  • Verify Build Environment: Ensure your development and deployment environments are compatible with TypeScript 5 and a modern version of Node.js.

@forge/events v0.9.11 → v2.0.11

This is a high-risk upgrade due to fundamental changes in how events are published and consumed.

Breaking Changes:

  • Event Publishing: The Queue.push() signature has changed. It now accepts a PushEvent object with a body and an optional delayInSeconds. The event body must be an object.
  • Event Consumption: The use of Forge resolvers is deprecated. Event consumers are now defined using a Function within the Consumer module. The event payload passed to the function is an AsyncEvent object with a new structure.
  • Job Context: jobId is no longer available via the context object, and retryContext is no longer part of the event body.

Recommendation:

  • Refactor Event Handling: Update all event publishing calls to use the new PushEvent object structure.
  • Rewrite Event Consumers: Replace all resolver-based event consumers with the new function-based Consumer module and update the logic to handle the AsyncEvent payload.

Source: Atlassian Developer Changelog, Upgrade to @forge/events major version 2

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@rachellerathbone rachellerathbone requested a review from a team as a code owner July 1, 2026 11:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants