fix: resolve critical and high-severity dependency vulnerabilities monorepo-wide#8339
shivanee-p wants to merge 13 commits into
Conversation
Code Review
This pull request updates numerous dependencies and introduces overrides blocks across the monorepo to manage transitive dependency versions. The review identifies several critical issues, including the use of non-existent version numbers for typescript, @opentelemetry/sdk-node, and @types/uuid, which will cause installation failures. Additionally, the feedback warns that forcing ESM-only dependency versions in a CommonJS project will lead to runtime errors and notes that a resolutions field is required for Yarn compatibility. Finally, the reviewer suggests consolidating redundant configuration into the root package.json for better maintainability.
/gemini review
Code Review
This pull request updates and synchronizes dependencies across the monorepo, notably upgrading protobufjs to version 7.5.8 and adding version overrides for several core packages in the root package.json. It also downgrades uuid to version 9.0.1 in multiple modules. Feedback indicates that removing @types/uuid during the uuid downgrade will break TypeScript compilation, as version 9 lacks built-in type definitions; these types must be retained to ensure build stability.
/gemini review
Code Review
This pull request synchronizes and updates dependencies across the monorepo, primarily focusing on protobufjs and uuid versions. It introduces root-level overrides and resolutions for several packages to address potential vulnerabilities. Review feedback indicates that these overrides are not consistently applied across all subpackage lockfiles, as evidenced by minimatch and uuid resolutions in nested dependencies. Furthermore, a version mismatch for uuid was identified in the pubsub package, and the decision to downgrade uuid to a deprecated version (v9) is questioned, with a recommendation to upgrade to v11 instead.
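The review above points out that root-level overrides were not honored in every nested lockfile entry, and that npm `overrides` and Yarn `resolutions` need to agree. The script below is an added example, not code from this PR or from the google-cloud-node project: it audits a lockfile against the root package.json pins, treating each entry in the `packages` map (lockfileVersion 2/3) as a separate installed copy, so a stale copy under a subpackage's own `node_modules` is caught. It assumes overrides are exact version pins (range syntax would need the `semver` package), and the package.json and lockfile objects are constructed inline for illustration; a real run would `JSON.parse` the files from disk.

```javascript
"use strict";
// Added example (not the PR's or google-cloud-node's own code): check that every
// installed copy of an overridden package matches the root pin, and that the
// npm `overrides` and Yarn `resolutions` blocks agree with each other.
// Assumption: overrides are exact versions; ranges would need `semver`.

// Constructed sample root package.json. `resolutions` is deliberately out of
// sync for minimatch, and protobufjs is pinned only on the Yarn side.
const rootPackageJson = {
  name: "monorepo-root",
  overrides: { uuid: "9.0.1", minimatch: "9.0.5", "@example/scoped": "2.0.0" },
  resolutions: { uuid: "9.0.1", minimatch: "9.0.4", "@example/scoped": "2.0.0", protobufjs: "7.5.8" },
};

// Constructed lockfileVersion 3 sample. Keys of `packages` are install paths, so
// a copy nested under packages/pubsub/node_modules is its own entry and can
// drift from the root pin without touching node_modules/uuid.
const lockfile = {
  name: "monorepo-root",
  lockfileVersion: 3,
  packages: {
    "": { name: "monorepo-root" },
    "node_modules/uuid": { version: "9.0.1" },
    "node_modules/minimatch": { version: "9.0.5" },
    "node_modules/@example/scoped": { version: "2.0.0" },
    "packages/pubsub/node_modules/uuid": { version: "8.3.2" },
    "node_modules/glob/node_modules/minimatch": { version: "3.0.4" },
  },
};

// Package name from a lockfile install path: everything after the last
// "node_modules/", which keeps the scope for "@scope/name" packages.
// Returns null for the root entry ("") or any path without node_modules.
function packageNameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Every installed copy of an overridden package whose version differs from
// the root override, in lockfile order.
function findOverrideViolations(pkgJson, lock) {
  const overrides = pkgJson.overrides || {};
  const violations = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(installPath);
    if (name === null || !Object.prototype.hasOwnProperty.call(overrides, name)) continue;
    if (entry.version !== overrides[name]) {
      violations.push({ path: installPath, name, expected: overrides[name], actual: entry.version });
    }
  }
  return violations;
}

// Names where `overrides` (npm) and `resolutions` (Yarn) disagree or where a
// pin exists on only one side, so both package managers enforce the same set.
function findResolutionDrift(pkgJson) {
  const overrides = pkgJson.overrides || {};
  const resolutions = pkgJson.resolutions || {};
  const names = new Set([...Object.keys(overrides), ...Object.keys(resolutions)]);
  return [...names].filter((n) => overrides[n] !== resolutions[n]).sort();
}

function auditReport(pkgJson, lock) {
  return {
    violations: findOverrideViolations(pkgJson, lock),
    drift: findResolutionDrift(pkgJson),
  };
}

// Stand-alone run over the constructed sample: two stale nested copies and two
// overrides/resolutions disagreements are reported.
const report = auditReport(rootPackageJson, lockfile);
for (const v of report.violations) {
  console.log(`${v.path}: ${v.name}@${v.actual} does not match override ${v.expected}`);
}
for (const n of report.drift) {
  console.log(`overrides/resolutions disagree for ${n}`);
}
```

Running this against each subpackage's own lockfile in CI (one `auditReport` call per lockfile, failing the job on a non-empty result) is the check the review asks for; a pin that exists only in the root file is not enforced in a nested lockfile that was generated separately.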
…dependency versions and removing redundant types/uuid
…ackage.json updates for Bazel build compatibility
…@v9 to avoid TypeScript compilation errors
…ne packages to ensure consistent lockfile safety
…inimatch is not a function in CI tests
10ba8a4 to 660b6e5
…olve CI runner not found error
… packages to prevent runner not found failures
…ub.com/googleapis/google-cloud-node into shivaneep-security-vulnerability-fixes
…ub.com/googleapis/google-cloud-node into shivaneep-security-vulnerability-fixes
We identified 19 distinct vulnerable dependencies in our monorepo, ranging from Critical to Low severity. The highest priority ones are addressed in this PR.
Fixes #8134
More information can be found via b/514928073.