[Snyk] Fix for 9 vulnerabilities #23
Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-16298058
- https://snyk.io/vuln/SNYK-JS-AXIOS-16299923
- https://snyk.io/vuln/SNYK-JS-AXIOS-16299904
- https://snyk.io/vuln/SNYK-JS-AXIOS-16298130
- https://snyk.io/vuln/SNYK-JS-AXIOS-16298055
- https://snyk.io/vuln/SNYK-JS-AXIOS-16299925
- https://snyk.io/vuln/SNYK-JS-AXIOS-16299478
- https://snyk.io/vuln/SNYK-JS-AXIOS-16298095
- https://snyk.io/vuln/SNYK-JS-AXIOS-16298162
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 7f44123. Configure here.
| }, | ||
| "dependencies": { | ||
| "@azure/ms-rest-js": "^1.5.0", | ||
| "@azure/ms-rest-js": "^2.0.0", |
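Review bot: the only change in this hunk is the @azure/ms-rest-js range moving from ^1.5.0 to ^2.0.0, and the comment below notes that v2 replaces its axios transport with node-fetch; since the PR summary says axios itself is also bumped to 0.31.1, confirm whether axios is still reachable anywhere in the dependency tree once ms-rest-js no longer pulls it in, and if it is not, remove the direct axios dependency rather than keep a patched copy of code nothing uses.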
Major version bump flagged as breaking change
Medium Severity
The Snyk metadata for this PR explicitly flags "isBreakingChange":true. The @azure/ms-rest-js upgrade is a major version bump (v1 → v2) which internally switches its HTTP transport from axios to node-fetch. The project heavily uses @azure/ms-rest-js APIs (URLBuilder, OperationSpec, Serializer, DictionaryMapper) across generated code in src/blob/generated/ and handler files. While these specific APIs appear to still exist in v2, has this been validated against the project's build and test suite? It would be helpful to confirm no subtle behavioral regressions exist before merging.
Triggered by team rule: Ask Clarifying Questions
| }, | ||
| "dependencies": { | ||
| "@azure/ms-rest-js": "^1.5.0", | ||
| "@azure/ms-rest-js": "^2.0.0", |
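Review bot: with a caret range of ^2.0.0 it is the refreshed package-lock.json (listed among the changed files) that actually pins 2.0.0, so make sure CI installs with a lockfile-honouring command such as npm ci; a plain npm install on a machine without the lock could resolve a later 2.x and the build-and-test validation asked for in the comment above would no longer cover what ships.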
Deep internal import path may break with v2
High Severity
src/table/TableRequestListenerFactory.ts imports from a deep internal path: @azure/ms-rest-js/es/lib/operationSpec. This references the package's internal ES module build structure, not a public API surface. Upgrading @azure/ms-rest-js from v1 to v2 may change the internal file layout within the es/lib/ directory, causing this import to fail at build or runtime. All other usages in the codebase use the safe top-level import * as msRest from "@azure/ms-rest-js" pattern.
Triggered by team rule: Ask Clarifying Questions


Snyk has created this PR to fix 9 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
package.json
package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-16298058
SNYK-JS-AXIOS-16299923
SNYK-JS-AXIOS-16299904
SNYK-JS-AXIOS-16298130
SNYK-JS-AXIOS-16298055
SNYK-JS-AXIOS-16299925
SNYK-JS-AXIOS-16299478
SNYK-JS-AXIOS-16298095
SNYK-JS-AXIOS-16298162
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Improper Encoding or Escaping of Output
🦉 Server-side Request Forgery (SSRF)
🦉 Allocation of Resources Without Limits or Throttling
Note: Medium Risk

Upgrades axios and @azure/ms-rest-js (including a major-version bump), which can subtly change HTTP/request handling and impact generated Azure REST plumbing at runtime.

Overview

Updates runtime dependencies to remediate reported Snyk issues by upgrading axios to 0.31.1 and @azure/ms-rest-js to 2.0.0. The lockfile is refreshed accordingly, pulling in new transitive packages (e.g., node-fetch/abort-controller for @azure/ms-rest-js and proxy-from-env for axios) and updating several low-level utility deps.