[Snyk] Security upgrade realm from 11.10.1 to 20.0.0 #2297
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-QS-14724253
There was a problem hiding this comment.
Pull request overview
This PR upgrades the realm dependency from version 11.10.1 to 20.0.0 to address a high-severity security vulnerability (SNYK-JS-QS-14724253: Allocation of Resources Without Limits or Throttling). This is an automated security fix generated by Snyk.
- Security fix for high-severity vulnerability with a score of 710
- Major version upgrade spanning from v11 to v20 (9 major versions)
- Failed yarn.lock update that requires manual intervention
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "react-timer-mixin": "0.13.4", | ||
| "readable-stream": "4.4.2", | ||
| "realm": "11.10.1", | ||
| "realm": "20.0.0", |
There was a problem hiding this comment.
This is a major version upgrade from realm 11.10.1 to 20.0.0, which spans multiple major versions (v11 to v20). Realm typically introduces breaking changes between major versions that may require code changes:
- The API for schema definitions, migrations, and database operations may have changed significantly
- The current migration logic (schemaVersion: 75, onMigration callback) needs to be verified against the new version's API
- Type definitions from 'realm' imports (Results, ObjectChangeCallback, Collection, CollectionChangeSet, etc.) may have changed
- The Realm constructor and configuration options may have been updated
Before merging, you should:
- Review the Realm migration guides from v11 through v20
- Test all database operations including migrations, CRUD operations, and queries
- Verify that the existing schema definitions are compatible
- Update any deprecated API usage
| "realm": "20.0.0", | |
| "realm": "11.10.1", |
| "react-timer-mixin": "0.13.4", | ||
| "readable-stream": "4.4.2", | ||
| "realm": "11.10.1", | ||
| "realm": "20.0.0", |
There was a problem hiding this comment.
The PR description indicates that the yarn.lock file failed to update. This must be resolved before merging because:
- Without an updated yarn.lock, the dependency resolution is incomplete and may cause installation failures
- Other developers pulling this branch will not get the correct version of realm or its transitive dependencies
- CI/CD pipelines may fail or install incorrect versions
You need to manually run yarn install to update the yarn.lock file and commit it with this change.
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling