0.2.0#3
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the version of @formo/cli from 0.1.0 to 0.2.0 in package.json and package-lock.json. Feedback highlights a critical security concern regarding suspicious dependency versions in the lockfile that may indicate a supply chain attack. Additionally, there is an inconsistency between the updated version and a hardcoded version string in src/index.ts.
| { | ||
| "name": "@formo/cli", | ||
| "version": "0.1.0", | ||
| "version": "0.2.0", |
There was a problem hiding this comment.
The lockfile contains several highly suspicious dependency versions that do not exist in the official npm registry (e.g., axios@1.15.0, typescript@5.9.3, eslint@10.2.0, zod@4.3.6, mocha@11.7.5). This strongly suggests a compromised environment or a supply chain attack. Please audit your dependencies and regenerate the lockfile from a clean state immediately.
| { | ||
| "name": "@formo/cli", | ||
| "version": "0.1.0", | ||
| "version": "0.2.0", |
There was a problem hiding this comment.
The version bump to 0.2.0 is inconsistent with the hardcoded version in src/index.ts (line 72), which is still set to 0.1.0. This will cause the CLI to report the incorrect version. Please update src/index.ts to match the new version.
1 participant
No description provided.