[Snyk] Security upgrade nunjucks from 3.2.0 to 3.2.1#116
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-TAR-15127355
There was a problem hiding this comment.
Pull request overview
This is a Snyk-generated security upgrade PR that updates the nunjucks dependency from version 3.2.0 to 3.2.1 to address a directory traversal vulnerability in a transitive dependency (tar package, SNYK-JS-TAR-15127355 with a severity score of 596).
Changes:
- Updated nunjucks dependency from ^3.2.0 to ^3.2.1 in package.json
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "klaw": "^1.x", | ||
| "lodash": "^4.17.11", | ||
| "nunjucks": "^3.2.0", | ||
| "nunjucks": "^3.2.1", |
There was a problem hiding this comment.
The package.json has been updated to nunjucks 3.2.1, but the package-lock.json file still references nunjucks 3.2.0 (line 3708-3709 in package-lock.json). This means that npm install will still install version 3.2.0, leaving the security vulnerability unpatched. The package-lock.json must be updated manually to ensure the correct version is installed. Run npm install after this change to regenerate the package-lock.json with the correct version.
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-TAR-15127355
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Directory Traversal