[Snyk] Security upgrade @copilotkit/runtime from 1.8.3 to 1.50.0#112
…npm-lock.yaml to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCOMMUNITY-15268428
- https://snyk.io/vuln/SNYK-JS-LANGCHAINCORE-15268429
Pull request overview
This Snyk security PR updates the examples/coagents-qa/ui example’s dependency tree to remediate SSRF vulnerabilities by upgrading @copilotkit/runtime from 1.8.3 to 1.50.0.
Changes:
- Bump `@copilotkit/runtime` to `1.50.0` in the example's `package.json`.
- Update `pnpm-lock.yaml` to reflect the new runtime version and the resulting transitive dependency graph (including newer LangChain packages).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| examples/coagents-qa/ui/package.json | Updates @copilotkit/runtime version (but currently leaves other @copilotkit/* packages pinned to 1.8.3). |
| examples/coagents-qa/ui/pnpm-lock.yaml | Regenerates lockfile for @copilotkit/runtime@1.50.0, bringing in updated transitive dependencies. |
| "@copilotkit/react-core": "1.8.3", | ||
| "@copilotkit/react-textarea": "1.8.3", | ||
| "@copilotkit/react-ui": "1.8.3", | ||
| "@copilotkit/runtime": "1.8.3", | ||
| "@copilotkit/runtime": "1.50.0", | ||
| "@copilotkit/runtime-client-gql": "1.8.3", |
@copilotkit/runtime was upgraded to 1.50.0, but the other @copilotkit/* dependencies in this package remain on 1.8.3. In the lockfile, @copilotkit/react-core@1.8.3 still pulls @copilotkit/shared@1.8.3, while @copilotkit/runtime@1.50.0 pulls @copilotkit/shared@1.50.0, resulting in multiple CopilotKit major/minor versions in one app and likely incompatibilities. Please bump the rest of the @copilotkit/* deps (react-core/react-ui/react-textarea/runtime-client-gql/shared) to the same 1.50.0 version and re-generate the pnpm lockfile.
| '@copilotkit/shared@1.8.3': | ||
| resolution: {integrity: sha512-xNmmMZjygehB+5iZbheldIitnEt+1bA25E7hNdnobSb9ScSONEu0eJPb6yhWu0j588JfBgCGZOJ5A2SWwr/6Jw==} | ||
|
|
The lockfile currently contains both @copilotkit/shared@1.50.0 and @copilotkit/shared@1.8.3 (and correspondingly mixed @copilotkit/* versions). This is a symptom of the partial upgrade and can lead to duplicated state/types across packages. Align all @copilotkit/* package versions in package.json and then regenerate the lockfile so only the intended version remains.
| '@copilotkit/shared@1.8.3': | |
| resolution: {integrity: sha512-xNmmMZjygehB+5iZbheldIitnEt+1bA25E7hNdnobSb9ScSONEu0eJPb6yhWu0j588JfBgCGZOJ5A2SWwr/6Jw==} |
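The mixed-version condition raised in the two comments above (several `@copilotkit/*` versions declared in `package.json`, and both `@copilotkit/shared@1.8.3` and `@1.50.0` resolved in the lockfile) can be checked mechanically before merging. The script below is an added example, not code from this PR or from CopilotKit; the `package.json` fragment and lockfile excerpt are constructed from the versions quoted in the review, with placeholder integrity hashes.

```javascript
// Added example (not PR or CopilotKit code): flag a partial upgrade of a scoped
// package family by comparing package.json with the pnpm-lock.yaml `packages:` keys.
// Constructed package.json fragment mirroring the example after this PR.
const PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "@copilotkit/react-core": "1.8.3",
    "@copilotkit/react-ui": "1.8.3",
    "@copilotkit/runtime": "1.50.0",
  },
});
// Constructed pnpm-lock.yaml excerpt (pnpm v9 layout); integrity values are placeholders.
const LOCKFILE = `
packages:
  '@copilotkit/react-core@1.8.3':
    resolution: {integrity: sha512-PLACEHOLDER}
  '@copilotkit/runtime@1.50.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  '@copilotkit/shared@1.50.0':
    resolution: {integrity: sha512-PLACEHOLDER}
  '@copilotkit/shared@1.8.3':
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Map name -> Set of versions resolved for packages under `scope`. Entry keys are
// 'name@version' (optionally with a peer suffix in parentheses), so a line scan suffices.
function lockfileVersions(lockText, scope) {
  const versions = new Map();
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (inPackages && /^\S/.test(line)) inPackages = false; // next top-level section
    const m = inPackages && line.match(/^  '?((?:@[^\/]+\/)?[^@'\s]+)@([^'\s(]+)(?:\([^']*\))?'?:/);
    if (!m || !m[1].startsWith(scope + "/")) continue;
    if (!versions.has(m[1])) versions.set(m[1], new Set());
    versions.get(m[1]).add(m[2]);
  }
  return versions;
}

// Distinct versions declared for the scope (more than one = partial upgrade)
// plus lockfile packages resolved at several versions at once.
function mixedVersionReport(pkgJsonText, lockText, scope) {
  const deps = JSON.parse(pkgJsonText).dependencies || {};
  const declared = Object.keys(deps).filter((n) => n.startsWith(scope + "/")).map((n) => deps[n]);
  const duplicated = {};
  for (const [name, set] of lockfileVersions(lockText, scope)) {
    if (set.size > 1) duplicated[name] = [...set].sort();
  }
  return { declaredVersions: [...new Set(declared)].sort(), duplicated };
}
```

Against a real checkout, replace the two constants with `fs.readFileSync` of the example's `package.json` and `pnpm-lock.yaml`; an empty `duplicated` object and a single declared version is the state the reviewers are asking for.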
| "@copilotkit/react-textarea": "1.8.3", | ||
| "@copilotkit/react-ui": "1.8.3", | ||
| "@copilotkit/runtime": "1.8.3", | ||
| "@copilotkit/runtime": "1.50.0", |
Note that the main CI workflow ignores changes under examples/** (see .github/workflows/ci.yml paths-ignore), so this dependency upgrade likely won’t be exercised by CI. Consider running pnpm install + pnpm build (and a quick pnpm dev smoke test) in examples/coagents-qa/ui before merging to ensure the large runtime jump doesn’t break the example.
| "@copilotkit/runtime": "1.50.0", | |
| "@copilotkit/runtime": "1.8.3", |
| "@copilotkit/react-textarea": "1.8.3", | ||
| "@copilotkit/react-ui": "1.8.3", | ||
| "@copilotkit/runtime": "1.8.3", | ||
| "@copilotkit/runtime": "1.50.0", |
This PR upgrades only examples/coagents-qa/ui, but other examples in the repo still pin @copilotkit/runtime to 1.8.3 (e.g. examples/coagents-starter/ui/package.json) and their lockfiles still include @langchain/core@0.3.39 / @langchain/community@0.3.29. If the goal is to remediate these SSRF vulnerabilities repo-wide, the same upgrade (or a direct LangChain upgrade) likely needs to be applied consistently across the other affected example projects as well.
Snyk has created this PR to fix 2 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
- examples/coagents-qa/ui/package.json
- examples/coagents-qa/ui/pnpm-lock.yaml
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-LANGCHAINCOMMUNITY-15268428
- SNYK-JS-LANGCHAINCORE-15268429
Important: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.