Bug report
Describe the bug
@snaplet/seed version 0.98.0 has transitive dependencies with known high-severity security vulnerabilities. Running npm audit reports vulnerabilities in @langchain/core, tar, and tmp packages that are dependencies of @snaplet/seed.
To Reproduce
- Install @snaplet/seed@0.98.0 in a project
- Run npm audit
- See vulnerability warnings
Expected behavior
@snaplet/seed should not depend on packages with known high-severity security vulnerabilities, or should update its dependencies to patched versions.
Screenshots
N/A
System information
- OS: macOS
- Version of @snaplet/seed: 0.98.0
- Version of Node.js: 22.x
Additional context
The vulnerabilities reported are:
@langchain/core <0.3.80 (High severity)
- LangChain serialization injection vulnerability enables secret extraction
- GHSA-r399-636x-v7f6
- Affects: @langchain/core, @langchain/groq, @langchain/openai (all dependencies of @snaplet/seed)
tar <=7.5.3 (High severity)
- Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
- GHSA-8qq5-rm4j-mr97
- Race Condition via Unicode Ligature Collisions on macOS APFS
- GHSA-r6q2-hw4h-h46w
- Dependency chain: @snaplet/seed → c12 → giget → tar
tmp <=0.2.3 (Severity not specified)
- Arbitrary temporary file/directory write via symbolic link dir parameter
- GHSA-52f5-9888-hmc6
- Dependency chain: @snaplet/seed → @inquirer/prompts → @inquirer/editor → external-editor → tmp
Running npm audit fix --force suggests downgrading to @snaplet/seed@0.97.20, which is a breaking change and not an ideal solution.
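As an added illustration (not code from this report or from the @snaplet/seed project), the following Node.js script shows how the dependency chains listed above can be reconstructed from a package-lock.json and matched against the advisory ranges, and how candidate package.json overrides can be derived as an alternative to the downgrade that npm audit fix --force proposes. The lockfile fragment and all package versions in it are constructed placeholders, and the "first patched version" is computed purely from the advisory range, so whether that version exists and is compatible with @snaplet/seed still has to be checked.

```javascript
// Added example: reconstruct transitive dependency chains from an npm
// lockfile and match installed versions against known advisory ranges.
// Advisory IDs and ranges are the ones quoted in the report above.
const ADVISORIES = [
  { id: 'GHSA-r399-636x-v7f6', name: '@langchain/core', range: '<0.3.80', severity: 'high' },
  { id: 'GHSA-8qq5-rm4j-mr97', name: 'tar', range: '<=7.5.3', severity: 'high' },
  { id: 'GHSA-r6q2-hw4h-h46w', name: 'tar', range: '<=7.5.3', severity: 'high' },
  { id: 'GHSA-52f5-9888-hmc6', name: 'tmp', range: '<=0.2.3', severity: 'unspecified' },
];

// CONSTRUCTED lockfile fragment in npm lockfileVersion 3 layout (keys are
// node_modules paths). It mirrors the chains in the report; every version
// except @snaplet/seed@0.98.0 is a placeholder, not a real installed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { '@snaplet/seed': '0.98.0' } },
    'node_modules/@snaplet/seed': { version: '0.98.0', dependencies: { c12: '*', '@inquirer/prompts': '*', '@langchain/core': '*' } },
    'node_modules/c12': { version: '1.0.0', dependencies: { giget: '*' } },
    'node_modules/giget': { version: '1.0.0', dependencies: { tar: '*' } },
    'node_modules/tar': { version: '7.5.1' },
    'node_modules/@inquirer/prompts': { version: '1.0.0', dependencies: { '@inquirer/editor': '*' } },
    'node_modules/@inquirer/editor': { version: '1.0.0', dependencies: { 'external-editor': '*' } },
    'node_modules/external-editor': { version: '1.0.0', dependencies: { tmp: '*' } },
    'node_modules/tmp': { version: '0.2.1' },
    'node_modules/@langchain/core': { version: '0.3.70' },
  },
};

function parseVersion(v) {
  return v.split('.').map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Only the upper-bound forms npm audit prints ("<x.y.z", "<=x.y.z") are supported.
function parseRange(range) {
  const m = /^(<=?)\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return { op: m[1], bound: m[2] };
}

function inVulnerableRange(version, range) {
  const { op, bound } = parseRange(range);
  const cmp = compareVersions(version, bound);
  return op === '<' ? cmp < 0 : cmp <= 0;
}

// Resolve a dependency name the way npm does: try the nested node_modules of
// the requesting package first, then walk up to the hoisted top level.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

function keyToName(key) {
  return key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Depth-first walk from the root, reporting every chain that reaches one of
// the advisory packages (like `npm ls <pkg>`, all paths are kept).
function findChains(lock, targetNames) {
  const packages = lock.packages;
  const chains = [];
  const visit = (key, path) => {
    const entry = packages[key];
    if (!entry) return;
    for (const name of Object.keys(entry.dependencies || {})) {
      const depKey = resolveDep(packages, key, name);
      if (!depKey || path.includes(depKey)) continue; // unresolved or cycle
      const next = [...path, depKey];
      if (targetNames.has(name)) chains.push({ name, key: depKey, chain: next.map(keyToName) });
      visit(depKey, next);
    }
  };
  visit('', []);
  return chains;
}

// Cross-check each reachable advisory package's installed version against
// the advisory ranges; returns one finding per vulnerable chain.
function auditLock(lock, advisories = ADVISORIES) {
  const byName = new Map();
  for (const a of advisories) byName.set(a.name, [...(byName.get(a.name) || []), a]);
  const findings = [];
  for (const { name, key, chain } of findChains(lock, new Set(byName.keys()))) {
    const version = lock.packages[key].version;
    const hits = byName.get(name).filter((a) => inVulnerableRange(version, a.range));
    if (hits.length === 0) continue;
    findings.push({ name, version, chain: chain.join(' → '), advisories: hits.map((a) => a.id) });
  }
  return findings;
}

// Lowest version outside the range: x for "<x", x with patch+1 for "<=x".
// Derived from the range alone (assumption): existence and compatibility of
// that version must be verified before putting it in package.json overrides.
function firstPatchedVersion(range) {
  const { op, bound } = parseRange(range);
  if (op === '<') return bound;
  const [maj, min, pat] = parseVersion(bound);
  return `${maj}.${min}.${pat + 1}`;
}

function suggestOverrides(findings, advisories = ADVISORIES) {
  const overrides = {};
  for (const f of findings) {
    const candidates = advisories
      .filter((a) => f.advisories.includes(a.id))
      .map((a) => firstPatchedVersion(a.range))
      .sort(compareVersions);
    overrides[f.name] = candidates[candidates.length - 1]; // highest bound wins
  }
  return overrides;
}

const findings = auditLock(SAMPLE_LOCK);
for (const f of findings) console.log(`${f.name}@${f.version}: ${f.chain} [${f.advisories.join(', ')}]`);
console.log('candidate overrides:', JSON.stringify(suggestOverrides(findings)));
```

Against the constructed lockfile this prints the three chains quoted in the report and a candidate overrides object of { "@langchain/core": "0.3.80", "tar": "7.5.4", "tmp": "0.2.4" }. Whether those versions satisfy the ranges declared by @snaplet/seed and its intermediates is exactly the compatibility question the downgrade-only suggestion from npm audit fix --force sidesteps, so a fresh install and the project's test suite should confirm any override before it is committed.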