Bump flatted from 3.3.3 to 3.4.2 in /sample-dapps/solana-staking-ui#334
Conversation
Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2. - [Commits](WebReflection/flatted@v3.3.3...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| specifier: 15.1.7 | ||
| version: 15.1.7(react-dom@19.0.0(react@19.0.0))(react@19.0.0) | ||
| specifier: ^16.1.1 | ||
| version: 16.2.1(react-dom@19.0.1(react@19.0.1))(react@19.0.1) |
There was a problem hiding this comment.
Major Next.js upgrade hidden in flatted patch bump
High Severity
This PR is titled "Bump flatted from 3.3.3 to 3.4.2" but the lockfile changes include a major version upgrade of next from 15.1.7 to 16.2.1 (specifier changed to ^16.1.1), along with react/react-dom version changes and eslint-config-next updates. Next.js 16 has significant breaking changes including Turbopack as default bundler, Node.js 20.9.0 minimum, middleware API deprecations, and changed caching defaults. These changes far exceed the stated scope and could break the application if merged without proper review and migration steps.
Additional Locations (1)
| specifier: ^19.0.0 | ||
| version: 19.0.0(react@19.0.0) | ||
| specifier: 19.0.1 | ||
| version: 19.0.1(react@19.0.1) |
There was a problem hiding this comment.
Security fix for flatted not applied in pnpm lockfile
Medium Severity
The PR's stated purpose is to bump flatted from 3.3.3 to 3.4.2 to fix CWE-1321 (prototype pollution). The package-lock.json correctly updates flatted to 3.4.2, but pnpm-lock.yaml still resolves flatted@3.3.3. Instead, the pnpm-lock.yaml received entirely unrelated changes (Next.js, React, sharp upgrades). If the project uses pnpm, the security fix won't be applied.
Bumps flatted from 3.3.3 to 3.4.2.
Commits
3bf09093.4.2885ddccfix CWE-13210bdba70added flatted-view to the benchmark2a02dce3.4.1fba4e8fMerge pull request #89 from WebReflection/python-fix5fe8648added "when in Rome" also a test for PHP53517adsome minor improvementb3e2a0cFixing recursion issue in Python tooc4b46dbAdd SECURITY.md for security policy and reportingf86d071Create dependabot.yml for version updatesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.
Note
Medium Risk
Primarily dependency/lockfile updates, but it includes a major
nextupgrade (15→16) with a higher Node.js engine requirement and updated transitive deps (e.g.,sharp), which may affect build/runtime behavior.Overview
Updates
sample-dapps/solana-staking-uidependency resolution by bumpingflattedto3.4.2and refreshing lockfiles.As part of the lockfile refresh,
nextis upgraded from15.1.7to16.2.1(andeslint-config-nextto15.2.3),react/react-domare bumped to19.0.1, and image/tooling transitive deps likesharpare updated accordingly.Written by Cursor Bugbot for commit 5f0581e. This will update automatically on new commits. Configure here.