Pin next + eslint-config-next to 16.1.7 (CVE mitigation, closes #103)#127
Pin next + eslint-config-next to 16.1.7 (CVE mitigation, closes #103)#127mert-kocoglu wants to merge 1 commit into
Conversation
Per tari-project#103, removes the ^ caret from "next" and "eslint-config-next" in package.json so the resolver cannot fall back to a vulnerable 16.x patch version. 16.1.7 is the latest patched release. NOTE on package-lock.json: regenerating requires `npm install` against @tari-project/wxtm-bridge-contracts which is a private registry package. Without npm-token access, this commit only updates package.json. The maintainer (or CI with npm-token) should run `npm install` to refresh the lockfile post-merge. Closes tari-project#103
|
If you're new to commit signing, there are different ways to set it up: Sign commits with
|
There was a problem hiding this comment.
Code Review
This pull request updates the next and eslint-config-next dependencies in package.json. The reviewer identified that the specified version 16.1.7 is likely a typo for 15.1.7, as the former does not exist in the public registry and would cause installation failures.
| "i18next-http-backend": "^3.0.2", | ||
| "motion": "^12.26.2", | ||
| "next": "^16.1.1", | ||
| "next": "16.1.7", |
There was a problem hiding this comment.
The version 16.1.7 for next is likely a typo for 15.1.7. Next.js is currently on major version 15, and 15.1.7 is the specific release containing the security fixes intended for this PR. This version does not exist in the public npm registry, which will cause installation failures unless a private registry with this specific version is configured. This discrepancy appears to have been inherited from the previous 16.1.1 entry.
| "next": "16.1.7", | |
| "next": "15.1.7", |
| "@walletconnect/ethereum-provider": "^2.23.2", | ||
| "eslint": "^9.39.2", | ||
| "eslint-config-next": "^16.1.1", | ||
| "eslint-config-next": "16.1.7", |
There was a problem hiding this comment.
The version 16.1.7 for eslint-config-next is likely a typo for 15.1.7, matching the likely intended version for the next package. Using a version that does not exist in the public registry will prevent successful dependency installation.
| "eslint-config-next": "16.1.7", | |
| "eslint-config-next": "15.1.7", |
|
Thanks for the review @gemini-code-assist. Both Verification:
No change needed. Closing the suggestion. |
|
Understood, thank you for the clarification and for verifying the package versions. Since the pinning to |
Closes #103
Summary
Pins
nextandeslint-config-nextto exactly16.1.7inpackage.jsonso the resolver cannot fall back to a vulnerable 16.x patch version. The carets^are removed.Acceptance criteria
package.jsonspecifies"next": "16.1.7"(exact, no caret)eslint-config-nextupdated to"16.1.7"(exact, no caret)package-lock.jsonregenerated — see "Lockfile note" belownpm run build— needs CI with@tari-projectnpm-tokenLockfile note
Local regeneration of
package-lock.jsonrequiresnpm install, which pulls@tari-project/wxtm-bridge-contracts@0.1.12from a private registry. Without an@tari-projectnpm token, I can't regenerate the lockfile cleanly here. Two ways to close this:The mechanical pin in
package.jsonis the substantive change; lockfile regen is a one-command follow-up.