
Conversation

@ChiragAgg5k (Member) commented Oct 28, 2025

Summary by CodeRabbit

  • Chores
    • Updated development build tooling dependency to latest version.

@coderabbitai bot (Contributor) commented Oct 28, 2025

Walkthrough

The dev dependency in templates/cli/package.json.twig is updated from "pkg" version 5.8.1 to "@yao-pkg/pkg" version ^6.9.0. This single-line modification changes both the package identifier and introduces a broader semantic version constraint. No other dependencies, scripts, or configurations are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Package name change: The dependency is migrated from "pkg" to "@yao-pkg/pkg" — verify this is an intentional switch to a maintained fork or scoped package and confirm it maintains API compatibility
  • Major version bump: Update from 5.8.1 to 6.9.0 represents a significant version jump — check for breaking changes or behavioral differences in the packaging tool that might affect build output
  • Version constraint relaxation: The shift from pinned version (5.8.1) to semver range (^6.9.0) affects reproducibility — ensure this flexibility is intentional

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The pull request title "security fix: replace pkg with @yao-pkg/pkg in cli" directly and accurately describes the main change in the changeset. The summary confirms that the only modification is replacing the dev dependency "pkg": "5.8.1" with "@yao-pkg/pkg": "^6.9.0" in templates/cli/package.json.twig, which matches exactly what the title states. The title is concise, specific, and uses clear language that avoids vague terminology, making it easy for teammates scanning the commit history to understand the primary change at a glance.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b4a2fd9 and f00005d.

📒 Files selected for processing (1)
  • templates/cli/package.json.twig (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)
  • GitHub Check: cli (console)
  • GitHub Check: kotlin (server)
  • GitHub Check: swift (server)
  • GitHub Check: ruby (server)
  • GitHub Check: dart (server)
  • GitHub Check: android (client)
  • GitHub Check: apple (client)
  • GitHub Check: flutter (client)
  • GitHub Check: react-native (client)
  • GitHub Check: web (client)
  • GitHub Check: build (8.3, Python313)
  • GitHub Check: build (8.3, Ruby27)
  • GitHub Check: build (8.3, WebNode)
  • GitHub Check: build (8.3, Node20)
  • GitHub Check: build (8.3, DotNet60)
  • GitHub Check: build (8.3, FlutterBeta)
  • GitHub Check: build (8.3, Android5Java17)
  • GitHub Check: build (8.3, Android14Java17)
🔇 Additional comments (1)
templates/cli/package.json.twig (1)

41-43: Good security migration; no script changes needed.

  • vercel/pkg@5.8.1 is deprecated and affected by CVE-2024-24828; moving to the maintained fork mitigates this risk. (nvd.nist.gov)
  • @yao-pkg/pkg 6.9.0 exists and provides the same pkg CLI, so the build scripts invoking pkg remain valid. (socket.dev)
  • The fork extracts native addons under $HOME/.cache/pkg (not /tmp/pkg), improving safety over the original default. (npmjs.com)

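The review above raises two separate points about the one-line change: the old `pkg` 5.x dev dependency is deprecated and affected by CVE-2024-24828, and the new entry switches from an exact version to a caret range, which only stays reproducible if a lockfile is committed. The following script is an added example, not code from the Appwrite repository or from CodeRabbit: it audits a parsed package.json object for both conditions and produces the migrated dependency map, either as the `^6.9.0` range the PR uses or pinned to `6.9.0`. The DEPRECATED lookup table, the `isExactVersion` regex and the sample manifest are constructed for this example.

```javascript
// Added example (not the project's or the review bot's code): audit a
// package.json object for the deprecated `pkg` package and for unpinned
// semver ranges, then rewrite the deprecated entry to its maintained fork.

// Constructed table: package name -> replacement, the version the PR moved
// to (6.9.0, per the review), and the advisory that motivated the change.
const DEPRECATED = {
  pkg: { replacement: "@yao-pkg/pkg", version: "6.9.0", advisory: "CVE-2024-24828" },
};

const SECTIONS = ["dependencies", "devDependencies"];

// True only for an exact version with no range operator:
// "5.8.1" -> true; "^6.9.0", "~6.9.0", "6.x", "*" -> false.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns one finding per problem found, each as
// { section, name, spec, kind, detail } with kind "deprecated" or "unpinned".
function auditDependencies(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const dep = DEPRECATED[name];
      if (dep) {
        findings.push({
          section, name, spec, kind: "deprecated",
          detail: `${name} is deprecated (${dep.advisory}); use ${dep.replacement}`,
        });
      }
      if (!isExactVersion(spec)) {
        findings.push({
          section, name, spec, kind: "unpinned",
          detail: `${spec} is a range; the build is reproducible only with a committed lockfile`,
        });
      }
    }
  }
  return findings;
}

// Returns a copy of the manifest with every deprecated entry replaced by its
// fork. With pin=true the new entry is the exact version; otherwise it is a
// caret range, which is what the PR itself wrote (^6.9.0).
function migrateDeprecated(manifest, { pin = false } = {}) {
  const out = JSON.parse(JSON.stringify(manifest)); // never mutate the input
  for (const section of SECTIONS) {
    const deps = out[section];
    if (!deps) continue;
    for (const [name, dep] of Object.entries(DEPRECATED)) {
      if (!(name in deps)) continue;
      delete deps[name];
      deps[dep.replacement] = pin ? dep.version : `^${dep.version}`;
    }
  }
  return out;
}

// Constructed sample mirroring the "before" state of the template's devDependencies.
const sampleManifest = {
  name: "example-cli",
  devDependencies: { pkg: "5.8.1" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditDependencies(sampleManifest));
  console.log(JSON.stringify(migrateDeprecated(sampleManifest), null, 2));
  console.log(auditDependencies(migrateDeprecated(sampleManifest, { pin: true })));
}
```

Run against the sample, the audit reports only the deprecated `pkg`; after migrating with the caret range it reports only the unpinned entry, and after migrating with `pin: true` it reports nothing. That is the trade-off the review's third bullet describes: the range is acceptable when a lockfile is committed alongside the template output, and pinning is the alternative when it is not.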

@ChiragAgg5k ChiragAgg5k merged commit 2d24ec8 into master Oct 28, 2025
52 checks passed
@ChiragAgg5k ChiragAgg5k deleted the fix-moderate-vul-cli branch October 28, 2025 16:11