Enforce fast-json-patch@3.1.1 via dependency overrides for all 3 portals #1253
manodyaSenevirathne wants to merge 1 commit into wso2:main from
🧹 Nitpick comments (1)
portals/publisher/src/main/webapp/package.json (1)
Line 181: Consider pinning an exact version rather than a caret range for a security override. The PR title says "Enforce fast-json-patch@3.1.1", but `^3.1.1` resolves to `>=3.1.1 <4.0.0`. Since this override exists specifically to exclude a vulnerable version (CVE-2021-4279), an exact version pin ("3.1.1") is more explicit about intent and prevents an unexpected 3.x release from being silently resolved. Currently this is functionally equivalent since 3.1.1 is the latest release, but the inconsistency with the PR title is worth addressing.

♻️ Proposed change (all three portals)
- "fast-json-patch": "^3.1.1",
+ "fast-json-patch": "3.1.1",

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@portals/publisher/src/main/webapp/package.json` at line 181, the dependency entry for fast-json-patch currently uses a caret range ("^3.1.1") which allows any 3.x release; change it to an exact version string ("3.1.1") in package.json to match the PR intent and prevent future 3.x updates from being pulled silently. Update the "fast-json-patch" dependency key in the package.json files for all three portals (the entry currently showing ^3.1.1) to use "3.1.1" exactly.
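The review's point, that a caret spec is not an enforced pin and that the lockfile is what actually decides which copies of fast-json-patch ship, can be turned into a CI gate. The script below is an added example and is not code from the wso2 PR or from the review bot. It assumes the pin lives under npm's `overrides` key in package.json (the PR title says overrides; the exact location in the three portals' package.json files is not visible here), rejects a caret or any other range spec, and then walks a package-lock.json `packages` map (npm lockfileVersion 3 shape) to confirm that every installed copy of the package, hoisted or nested under another dependency, resolved to 3.1.1. The package.json fragment, both lockfiles and the names `isExactPin` and `checkOverride` are constructed for this example.

```javascript
// Added example, not code from the wso2 PR or the review bot.
// Checks that an npm security override is an exact pin and that the
// lockfile actually resolved every copy of the package to that version.
// All package.json / package-lock.json data below is constructed.

const PACKAGE = "fast-json-patch";
const REQUIRED = "3.1.1"; // the version the PR enforces

// Constructed package.json fragment in the form the review recommends
// (assumes the override lives under npm's "overrides" key).
const packageJson = {
  name: "example-portal",
  dependencies: { [PACKAGE]: "3.1.1" },
  overrides: { [PACKAGE]: "3.1.1" },
};

// Constructed lockfile after `npm install` re-ran with the override in place:
// the nested copy under some-lib was forced to 3.1.1 as well.
const enforcedLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { [PACKAGE]: "3.1.1" } },
    "node_modules/fast-json-patch": { version: "3.1.1" },
    "node_modules/some-lib": { version: "1.0.0", dependencies: { [PACKAGE]: "^2.0.0" } },
    "node_modules/some-lib/node_modules/fast-json-patch": { version: "3.1.1" },
  },
};

// Constructed stale lockfile: the override was added to package.json but the
// lockfile was never regenerated, so the nested copy still resolves to 2.2.1.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    ...enforcedLock.packages,
    "node_modules/some-lib/node_modules/fast-json-patch": { version: "2.2.1" },
  },
};

// An exact pin is a bare semver version: no ^, ~, >=, x, *, || or spaces.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Returns an array of findings; an empty array means the pin is enforced.
function checkOverride(pkgJson, lock, name, required) {
  const problems = [];

  const spec = pkgJson.overrides && pkgJson.overrides[name];
  if (spec === undefined) {
    problems.push(`package.json has no "overrides" entry for ${name}`);
  } else if (!isExactPin(spec)) {
    problems.push(`override for ${name} is a range (${spec}), not an exact pin`);
  } else if (spec !== required) {
    problems.push(`override pins ${name}@${spec}, expected ${required}`);
  }

  // Every path that ends in node_modules/<name> is an installed copy,
  // whether hoisted to the top level or nested under another package.
  const tail = `node_modules/${name}`;
  const copies = Object.entries(lock.packages || {}).filter(
    ([path]) => path === tail || path.endsWith(`/${tail}`)
  );
  if (copies.length === 0) {
    problems.push(`${name} is not present in the lockfile`);
  }
  for (const [path, entry] of copies) {
    if (entry.version !== required) {
      problems.push(`${path} resolved to ${entry.version}, expected ${required}`);
    }
  }
  return problems;
}

// Demo run over both constructed lockfiles.
for (const [label, lock] of [["regenerated lockfile", enforcedLock], ["stale lockfile", staleLock]]) {
  const problems = checkOverride(packageJson, lock, PACKAGE, REQUIRED);
  console.log(`${label}: ${problems.length === 0 ? "OK" : problems.join("; ")}`);
}
```

To run this against a real portal, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of the portal's package.json and package-lock.json. The lockfile check is the part worth keeping: npm only honours `overrides` (supported from npm 8.3) when the lockfile is regenerated, so a PR that edits package.json without re-running `npm install` can pass a package.json-only check while still shipping the old nested copy.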



Purpose
$Subject
Related issue
wso2/api-manager#4605