[Snyk] Security upgrade @copilotkit/runtime from 1.8.3 to 1.50.0#106
…s/coagents-starter-crewai-flows/ui/pnpm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCOMMUNITY-15268428
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Pull request overview
This PR attempts to fix 2 SSRF (Server-Side Request Forgery) vulnerabilities in langchain dependencies by upgrading @copilotkit/runtime from version 1.8.3 to 1.50.0 in the examples/coagents-starter-crewai-flows/ui example. The vulnerabilities affect @langchain/community and @langchain/core packages, which are transitive dependencies of @copilotkit/runtime.
Changes:
- Upgrades @copilotkit/runtime from 1.8.3 to 1.50.0 (a major version jump of 42 minor versions)
- Updates the entire dependency tree in pnpm-lock.yaml with hundreds of new and updated packages
- Introduces new dependencies including AI SDK packages, Hono server, and various LangChain ecosystem updates
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| examples/coagents-starter-crewai-flows/ui/package.json | Updates @copilotkit/runtime version only, leaving other @CopilotKit packages at 1.8.3 |
| examples/coagents-starter-crewai-flows/ui/pnpm-lock.yaml | Massive dependency tree update with hundreds of package changes reflecting the new runtime version |
| "@copilotkit/react-core": "1.8.3", | ||
| "@copilotkit/react-ui": "1.8.3", | ||
| "@copilotkit/runtime": "1.8.3", | ||
| "@copilotkit/runtime": "1.50.0", | ||
| "@copilotkit/runtime-client-gql": "1.8.3", |
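Review bot: this hunk pins `"@copilotkit/runtime": "1.50.0"` while the three sibling pins in the same block (`"@copilotkit/react-core": "1.8.3"`, `"@copilotkit/react-ui": "1.8.3"`, `"@copilotkit/runtime-client-gql": "1.8.3"`) are left untouched, so the manifest now declares two CopilotKit versions side by side. Either bump all four pins together in this change, or state in the PR why the runtime alone can move across that range. Since the advisories are against transitive `@langchain/core` and `@langchain/community`, also confirm in the regenerated pnpm-lock.yaml that only the upgraded versions of those two packages are resolved and that no older copy is still pulled in by another dependant; the lockfile diff alone does not show that.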
This PR only upgrades @copilotkit/runtime from 1.8.3 to 1.50.0, leaving @copilotkit/react-core, @copilotkit/react-ui, and @copilotkit/runtime-client-gql at version 1.8.3. This creates a version mismatch that can lead to compatibility issues.
According to established patterns in this repository (seen in previous PRs and stored memories), all @CopilotKit packages should be kept at the same version to ensure compatibility. The major version jump from 1.8.3 to 1.50.0 suggests significant changes that likely require the other packages to be updated as well.
Additionally, this security fix should be applied consistently to all examples in the repository, not just one. There are at least 14 other examples (coagents-starter, coagents-ai-researcher, coagents-routing, etc.) that are still using @copilotkit/runtime@1.8.3 and would have the same SSRF vulnerabilities.
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
- examples/coagents-starter-crewai-flows/ui/package.json
- examples/coagents-starter-crewai-flows/ui/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-LANGCHAINCOMMUNITY-15268428
SNYK-JS-LANGCHAINCORE-15268429
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Server-side Request Forgery (SSRF)