2 changes: 1 addition & 1 deletion examples/solid/astro/package.json
@@ -14,7 +14,7 @@
"@astrojs/node": "^9.1.3",
"@astrojs/solid-js": "^5.0.7",
"@astrojs/tailwind": "^6.0.2",
"@astrojs/vercel": "^8.1.3",
"@astrojs/vercel": "^10.0.0",
Contributor
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# With set -e, the script fails here if package.json no longer declares a ^10.x range.
echo "Checking dependency declaration floor in package.json..."
rg -n '"@astrojs/vercel"\s*:\s*"\^10\.[0-9]+\.[0-9]+"' examples/solid/astro/package.json

echo
# Single quotes: inside double quotes the backticks would be run as a command substitution.
echo 'Searching lockfiles for resolved `@astrojs/vercel` versions...'
fd '^(pnpm-lock\.yaml|package-lock\.json|yarn\.lock|bun\.lockb)$' -H .

echo
echo "Resolved versions (if lockfiles exist):"
# rg exits non-zero on no match; "|| true" keeps the script going when a lockfile is absent.
rg -n '@astrojs/vercel(@|":|\s)' pnpm-lock.yaml package-lock.json yarn.lock 2>/dev/null || true

echo
echo "Expected result: all resolved versions are >= 10.0.2"

Repository: TanStack/query

Length of output: 1119


Update the version constraint to ^10.0.2 to enforce the patched release floor.

The current ^10.0.0 range permits vulnerable versions 10.0.0 and 10.0.1 to be resolved in fresh installs or lockfile regeneration scenarios. Since this PR addresses CVE-2026-33768 (fixed in v10.0.2), the dependency floor must be explicitly set to the patched version.

Suggested change
-    "@astrojs/vercel": "^10.0.0",
+    "@astrojs/vercel": "^10.0.2",
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@examples/solid/astro/package.json` at line 17, update the package.json
dependency entry for "@astrojs/vercel" to enforce the patched release floor:
change the version range string from "^10.0.0" to "^10.0.2" so fresh installs or
lockfile regenerations cannot resolve vulnerable 10.0.0/10.0.1 releases; locate
the line containing the "@astrojs/vercel" dependency in package.json and modify
the version string accordingly.
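The floor check the bot comment describes, written as an added example in Python rather than with rg (this is not code from the TanStack/query repository or from the comment above): it implements npm's caret-range rule, so that `^10.0.0` admits 10.0.1 while `^10.0.2` does not, and scans constructed pnpm-lock.yaml and package-lock.json fragments for the versions actually resolved for `@astrojs/vercel`. The helper names (`parse_version`, `caret_range`, `satisfies`, `resolved_versions`, `check_floor`) and the sample lockfile text are assumptions made for the example.

```python
"""Verify that every version of a package a lockfile resolved meets a caret floor.

Hypothetical helper (not TanStack/query tooling): implements npm's '^' range rule and
scans pnpm-lock.yaml / package-lock.json text for the resolved versions of one package.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'M.m.p' (optional leading 'v'). Pre-release tags are rejected rather than
    silently compared, because npm orders '10.0.2-beta.1' below '10.0.2'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unsupported version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_range(spec: str) -> Tuple[Version, Version]:
    """npm '^' semantics: [lower, upper) where upper bumps the leftmost non-zero component."""
    if not spec.startswith("^"):
        raise ValueError("only caret ranges are handled here")
    lo = parse_version(spec[1:])
    major, minor, patch = lo
    if major > 0:
        hi = (major + 1, 0, 0)
    elif minor > 0:
        hi = (0, minor + 1, 0)
    else:
        hi = (0, 0, patch + 1)
    return lo, hi


def satisfies(version: str, spec: str) -> bool:
    """True when `version` lies inside the caret range `spec`."""
    lo, hi = caret_range(spec)
    return lo <= parse_version(version) < hi


def resolved_versions(lock_text: str, pkg: str) -> List[str]:
    """Resolved versions of `pkg` in pnpm-lock.yaml ('pkg@M.m.p' keys) or in
    package-lock.json ('node_modules/pkg' entries with 'version' as the first key,
    which is how npm writes them). yarn.lock v1 keys carry the range, not the
    resolved version, so that format is deliberately not handled here."""
    p = re.escape(pkg)
    ver = r"(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)"
    pat = re.compile(
        rf"{p}@{ver}(?=[('\"])"  # pnpm: '@scope/name@10.0.1' or '@scope/name@10.0.1(peer@x)'
        rf"|['\"]node_modules/{p}['\"]\s*:\s*\{{\s*['\"]version['\"]\s*:\s*['\"]{ver}['\"]"  # npm
    )
    return [m.group(1) or m.group(2) for m in pat.finditer(lock_text)]


def check_floor(lock_text: str, pkg: str, spec: str) -> Dict[str, bool]:
    """Map every resolved version of `pkg` to whether it satisfies `spec` (False = below floor)."""
    return {v: satisfies(v, spec) for v in resolved_versions(lock_text, pkg)}


# Constructed lockfile fragments for the example (not taken from the TanStack/query repo).
SAMPLE_PNPM_LOCK = """\
packages:

  '@astrojs/vercel@10.0.1':
    resolution: {integrity: sha512-constructed}

snapshots:

  '@astrojs/vercel@10.0.1(astro@5.5.6)':
    dependencies:
      astro: 5.5.6
"""

SAMPLE_NPM_LOCK = """\
{
  "packages": {
    "node_modules/@astrojs/vercel": {
      "version": "10.0.2",
      "resolved": "https://registry.npmjs.org/@astrojs/vercel/-/vercel-10.0.2.tgz"
    }
  }
}
"""

if __name__ == "__main__":
    for name, text in (("pnpm-lock.yaml", SAMPLE_PNPM_LOCK), ("package-lock.json", SAMPLE_NPM_LOCK)):
        for v, ok in check_floor(text, "@astrojs/vercel", "^10.0.2").items():
            print(f"{name}: @astrojs/vercel@{v} {'ok' if ok else 'BELOW FLOOR'}")
```

The point the check makes concrete: the range in package.json is only a constraint on future resolution, so the pnpm fragment above still pins 10.0.1 and fails the `^10.0.2` floor even though `^10.0.0` would accept it; both the declared range and the lockfile have to move for the bump to mean anything.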

"@tanstack/solid-query": "^5.95.2",
"@tanstack/solid-query-devtools": "^5.95.2",
"astro": "^5.5.6",
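Review bot: the `+` line sets `"@astrojs/vercel": "^10.0.0"`, a caret range that admits every 10.x release including 10.0.0 and 10.0.1, which the thread above identifies as still vulnerable, so if the point of this bump is the patched release the floor belongs at `^10.0.2`. Two checks before merging: the range in package.json alone does not change what an existing lockfile installs, so confirm the repository lockfile resolves this example's `@astrojs/vercel` to 10.0.2 or later (the hunk shown touches only package.json); and a jump of two majors from `^8.1.3` is a breaking change for an adapter, so build `examples/solid/astro` against the new version rather than relying on the range change alone.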