
[Snyk] Fix for 1 vulnerability #156

Open

snyk-io[bot] wants to merge 1 commit into main from snyk-fix-95e0f891739801511fe6ce9dadb7326a

Conversation

snyk-io bot commented Mar 28, 2026

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
  • package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Race Condition (critical severity), SNYK-JS-EFFECT-15746380
Score: 634

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Race Condition

snyk-io bot (author) commented Mar 28, 2026

Snyk checks have passed. No issues have been found so far.

Status: passed | Scan engine: Open Source Security | Critical: 0 | High: 0 | Medium: 0 | Low: 0 | Total: 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

what-the-diff bot commented Mar 28, 2026

PR Summary

  • Upgraded prisma package
    The database tool 'prisma' that we're using in our project was upgraded from version 6.19.0 to a newer version, 7.6.0. This should deliver better performance and may include some new features or improvements.

  • Upgraded prisma-kysely package
    We also updated another related package called 'prisma-kysely' from version 2.2.1 to version 3.0.0. Again, this helps us stay updated with the latest improvements, bug-fixes, and potentially benefits our project with enhanced functionality.

greptile-apps bot commented Mar 28, 2026

Greptile Summary

This Snyk-generated PR fixes the race-condition vulnerability SNYK-JS-EFFECT-15746380 (scored 634/1000) in the effect library by upgrading the prisma CLI from 6.19.0 to 7.6.0 and prisma-kysely from 2.2.1 to 3.0.0. The lock file confirms effect is now consolidated at the patched version 3.20.0 across all affected CLI packages.

However, the upgrade is incomplete and contains a significant version mismatch:

  • @prisma/client and @prisma/adapter-pg are left at 6.19.0 while the prisma CLI is at 7.6.0. Prisma requires both packages to be the same version. Running prisma generate (v7 CLI) against a v6 client package can produce an incompatible or misrouted generated client, potentially breaking the build or the database layer at runtime.
  • The overrides block in package.json still pins prisma-kysely's prisma peer dependency to 6.19.0, which contradicts prisma-kysely@3.0.0's requirement of >=7.0.0. While npm ultimately resolves the peer dep to the top-level prisma@7.6.0 (making the override a no-op), the stale entry is misleading and should be removed.
  • Prisma 7 marks this upgrade as a breaking change (the PR metadata confirms "isBreakingChange": true). Breaking changes include: the generated client output path changing to ./generated/prisma/client, PrismaClient requiring a driver adapter, and the removal of the --skip-generate flag from prisma migrate dev (already handled by the project's separate migrate:generate script).

Confidence Score: 2/5

Not safe to merge as-is: the prisma CLI major-version upgrade without matching @prisma/client leaves the project in a broken state that can surface at build or deploy time.

The P1 finding (CLI at v7 / client at v6) is a genuine present defect on the critical path — npm run migrate:generate runs in the Docker build and the generated client will be incompatible with the imported @prisma/client@6.19.0 package. Prisma explicitly forbids mixed major versions across CLI and client. This needs resolution before the PR can be safely merged.

package.json: @prisma/client and @prisma/adapter-pg must be upgraded to 7.6.0, and the stale overrides block must be removed. src/common/database/prisma.service.ts and prisma/schema.prisma will likely also need updates to adopt the v7 driver-adapter and new client output path.

Important Files Changed

Filename Overview
package.json Upgrades prisma CLI to 7.6.0 and prisma-kysely to 3.0.0, but leaves @prisma/client and @prisma/adapter-pg at 6.19.0 (major version mismatch). The stale overrides block (pinning prisma to 6.19.0 for prisma-kysely) also needs to be removed.
package-lock.json Lock file updated consistently with the package.json changes; effect is consolidated to the fixed version 3.20.0, confirming the CVE is patched in the CLI toolchain. @prisma/client@6.19.0 remains and does not depend on effect directly, so it is not affected by the vulnerability.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["prisma CLI v7.6.0\n(upgraded by this PR)"] -->|"prisma generate"| B["Generated Client\n(output path changed in v7)"]
    B -->|"v7: default → ./generated/prisma/client"| C["❌ Import mismatch\nimport from '@prisma/client'"]
    D["@prisma/client v6.19.0\n(NOT upgraded)"] -->|"runtime import"| C
    C --> E["🔴 Runtime / Build breakage"]
    A2["prisma CLI v7.6.0"] -->|"@prisma/config → effect 3.20.0"| F["✅ CVE SNYK-JS-EFFECT-15746380 fixed\nin CLI toolchain"]
    style E fill:#ff4444,color:#fff
    style F fill:#44bb44,color:#fff
    style C fill:#ffaa00,color:#fff

Comments Outside Diff (2)

  1. package.json, lines 78-79

    P1 prisma CLI and @prisma/client are mismatched major versions

    The PR upgrades prisma (CLI) to 7.6.0 but leaves @prisma/client and @prisma/adapter-pg at 6.19.0. Prisma explicitly requires both packages to share the same version — the CLI tool and the generated client must be in sync.

    When the Docker build runs npm run migrate:generate (prisma generate), the v7 CLI will generate a client against a v6 runtime package. In Prisma 7, the default output path for prisma generate changed (from node_modules/@prisma/client to ./generated/prisma/client), and the runtime now requires a driver adapter to be passed to PrismaClient. Generating with the v7 CLI while the codebase imports from @prisma/client (v6 package) can produce an incompatible or stale generated client.

    All three packages should be upgraded together:

    Additionally, after upgrading @prisma/client to v7, the adapter usage in src/common/database/prisma.service.ts (currently commented out) will need to be uncommented and the import path updated to the v7 generated client location.

  2. package.json, lines 179-183

    P2 Stale overrides entry should be removed

    This override was originally added to pin prisma-kysely's internal prisma dependency to 6.19.0. Now that prisma-kysely has been upgraded to 3.0.0, it declares peerDependencies: { "prisma": ">=7.0.0" }. The pinned version 6.19.0 contradicts this requirement.

    Inspecting the lock file confirms npm ultimately resolves prisma-kysely's peer dependency to the top-level prisma@7.6.0 regardless (peer deps are not overridden by the nested overrides mechanism here), so the override is a no-op. It should be removed to avoid confusion:

    (Remove the entire "overrides" block.)

Reviews (1): Last reviewed commit: "fix: package.json & package-lock.json to..."
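The review above turns on three things a reviewer would want to check mechanically before merging a bot-generated bump: that the prisma CLI and the runtime packages that must track it share one exact version, that no overrides entry still pins a dependency to a version other than the top-level one, and that every resolved copy of the vulnerable package in the lock file (hoisted or nested) is at or above the fixed version. The script below is an added example, not code from the Snyk PR, from Greptile, or from the project under review. It reads package.json and a lockfile v2/v3 "packages" map; the manifests embedded here are constructed to mirror the state the review describes, and the package name legacy-tool, the nested effect 3.12.0 copy, and the nested override shape are assumptions for illustration.

```javascript
// Added example (not the project's or Snyk's code): pre-merge consistency
// checks for a dependency-bump PR. Inputs are a parsed package.json and a
// parsed package-lock.json (lockfileVersion 2/3 "packages" map). All
// sample data at the bottom is constructed for illustration.

const MUST_MATCH_PRISMA = ['@prisma/client', '@prisma/adapter-pg'];

// "1.2.3", "^1.2.3" or "~1.2.3" -> [1, 2, 3]; null for ranges like ">=7.0.0"
// or "$prisma"-style references, which are not exact versions.
function parseVersion(v) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// -1, 0 or 1 comparing a to b on major.minor.patch; throws on non-versions.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`not an exact version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Version a package is declared at in dependencies or devDependencies.
function declaredVersion(pkg, name) {
  for (const section of ['dependencies', 'devDependencies']) {
    if (pkg[section] && pkg[section][name]) return pkg[section][name];
  }
  return undefined;
}

// Check 1: runtime packages that must track the prisma CLI are at its exact
// version. Returns human-readable problems; [] means consistent.
function prismaVersionMismatches(pkg) {
  const cli = declaredVersion(pkg, 'prisma');
  if (!cli) return ['prisma CLI is not declared'];
  const problems = [];
  for (const name of MUST_MATCH_PRISMA) {
    const v = declaredVersion(pkg, name);
    if (v && compareVersions(v, cli) !== 0) {
      problems.push(`${name}@${v} does not match prisma@${cli}`);
    }
  }
  return problems;
}

// Check 2: an "overrides" entry (flat "dep": "x.y.z" or nested
// "parent": { "dep": "x.y.z" }) that pins a dependency to a version other
// than the top-level declaration is stale or contradictory.
function staleOverrides(pkg) {
  const stale = [];
  for (const [key, value] of Object.entries(pkg.overrides || {})) {
    const pins = typeof value === 'string' ? { [key]: value } : value;
    for (const [dep, pinned] of Object.entries(pins)) {
      const top = declaredVersion(pkg, dep);
      if (!top || !parseVersion(pinned) || !parseVersion(top)) continue;
      if (compareVersions(pinned, top) !== 0) {
        stale.push(`overrides["${key}"].${dep}=${pinned} conflicts with top-level ${dep}@${top}`);
      }
    }
  }
  return stale;
}

// Every resolved copy of `name` in the lock file, hoisted or nested.
function lockedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith('/' + suffix))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Check 3: copies of `name` still below `fixed` anywhere in the tree.
function belowFixed(lock, name, fixed) {
  return lockedCopies(lock, name).filter((c) => compareVersions(c.version, fixed) < 0);
}

function reviewFindings(pkg, lock, vulnName, fixed) {
  return [
    ...prismaVersionMismatches(pkg),
    ...staleOverrides(pkg),
    ...belowFixed(lock, vulnName, fixed).map(
      (c) => `${c.path} resolves ${vulnName}@${c.version}, below fixed ${fixed}`),
  ];
}

// Constructed sample input: CLI bumped to 7.x, runtime packages left at 6.x,
// a leftover override, and one nested effect copy (under an assumed package
// "legacy-tool") that the bump did not reach.
const PKG = {
  dependencies: { '@prisma/client': '6.19.0', '@prisma/adapter-pg': '6.19.0', 'prisma-kysely': '3.0.0' },
  devDependencies: { prisma: '7.6.0' },
  overrides: { 'prisma-kysely': { prisma: '6.19.0' } },
};
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: PKG.dependencies, devDependencies: PKG.devDependencies },
    'node_modules/prisma': { version: '7.6.0', dependencies: { '@prisma/config': '7.6.0' } },
    'node_modules/@prisma/config': { version: '7.6.0', dependencies: { effect: '3.20.0' } },
    'node_modules/effect': { version: '3.20.0' },
    'node_modules/legacy-tool/node_modules/effect': { version: '3.12.0' },
  },
};

const findings = reviewFindings(PKG, LOCK, 'effect', '3.20.0');
console.log(findings.length ? findings.join('\n') : 'OK: versions consistent, vulnerable package fixed everywhere');
```

On the constructed input the script reports the two @prisma/* mismatches, the contradictory override, and the nested effect copy; on a manifest where the three prisma packages share one version and the overrides block is gone, checks 1 and 2 return empty lists. Check 3 deliberately walks every lock-file path rather than only the hoisted node_modules/effect, because a Snyk fix that bumps one dependency chain can leave an older copy nested under an unrelated package.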
