Skip to content

Update deps to fix vulns #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
paveldudka merged 1 commit into from
Jan 24, 2026
Merged

Update deps to fix vulns #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 12 additions & 11 deletions zapier/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion zapier/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,14 @@
},
"dependencies": {
"agentql-js-common": "^0.0.1",
"zapier-platform-core": "17.7.2"
"zapier-platform-core": "^17",
"lodash": ">=4.17.23"
},
"devDependencies": {
"jest": "^29.6.0"
},
"overrides": {
"lodash": ">=4.17.23"
},
Comment on lines +17 to +19
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Identify package manager and lockfiles used by CI/build
fd -a -t f 'package-lock.json|npm-shrinkwrap.json|pnpm-lock.yaml|yarn.lock|.npmrc|.yarnrc*' .
rg -n -g '!**/node_modules/**' -C2 '\b(npm|yarn|pnpm)\b' .github package.json

Repository: tinyfish-io/agentql-integrations

Length of output: 189

🏁 Script executed:

#!/bin/bash
# Check npm version constraint in package.json
cat -n /home/jailuser/git/zapier/package.json | grep -A 5 -B 5 "engines\|version"

# Find and examine CI workflows
fd -a -t f '\.yml$|\.yaml$' .github

Repository: tinyfish-io/agentql-integrations

Length of output: 442

🏁 Script executed:

#!/bin/bash
# Read zapier package.json to check engines and overrides
echo "=== zapier/package.json ==="
cat /home/jailuser/git/zapier/package.json

echo ""
echo "=== CI Workflow files ==="
# Check all CI workflow files
for file in /home/jailuser/git/.github/workflows/*.yml; do
  echo "File: $(basename $file)"
  cat -n "$file" | head -50
  echo ""
done

Repository: tinyfish-io/agentql-integrations

Length of output: 3984

🏁 Script executed:

#!/bin/bash
# Check package-lock.json version
head -20 /home/jailuser/git/zapier/package-lock.json | grep -A 2 -B 2 "lockfileVersion"

Repository: tinyfish-io/agentql-integrations

Length of output: 184

Add explicit npm version constraint to guarantee overrides enforcement.

The lockfile uses lockfileVersion: 3, indicating npm 8.6.0+ was used to create it (which supports overrides). However, without an engines field in package.json or explicit npm setup in CI workflows, there's no guarantee developers and all CI environments will use a compatible version. Add "engines": { "npm": ">=8.3.0" } to ensure the overrides field is properly honored everywhere.

🤖 Prompt for AI Agents 
In `@zapier/package.json` around lines 17 - 19, Add an npm engines constraint to
package.json so the "overrides" entry is guaranteed to be honored: update
package.json to include an "engines" object with "npm": ">=8.3.0" (or >=8.6.0 if
you want to match lockfileVersion 3 more strictly) and ensure CI workflows
respect this (e.g., node/npm version setup) so the existing "overrides": {
"lodash": ">=4.17.23" } is enforced consistently.

"private": true
}
Loading