GitHub Copilot Suggested Adding Comments to a JSON File

Tadashi Shigeoka · Fri, December 5, 2025

GitHub Copilot has become an indispensable tool for many developers. Its code review feature is getting progressively better, helping us with our daily development work. However, sometimes this reliable partner makes charming and amusing suggestions.

Let me share one such moment with GitHub Copilot.

What Happened During a Vulnerability Fix Code Review

One day, I was working on fixing a vulnerability (CVE-2025-55182). As a solution, I added pnpm.overrides to package.json to forcibly override the vulnerable version of next to the patched version 16.0.7.

After creating a Pull Request, I soon received a review from GitHub Copilot (bot).

Source: fix: upgrade React and react-email to resolve CVE-2025-55182 by shige · Pull Request #2357 · giselles-ai/giselle · GitHub

The override pins next@16.0.7 for @react-email/preview-server, but the CVE description states the vulnerability is in next@15.5.2. While Next.js 16.0.7 may address the issue, consider verifying that this version specifically resolves CVE-2025-55182 or if a more recent 15.x or 16.x patch version is recommended. Document the rationale for choosing 16.0.7 in comments or commit messages.

  		// Pinning next@16.0.7 for @react-email/preview-server to address CVE-2025-55182.
  		// See: https://github.com/vercel/next.js/security/advisories/GHSA-xxxx-xxxx-xxxx
  		"@react-email/preview-server>next": "16.0.7",

The suggestion was to document the rationale for choosing version 16.0.7 in comments. This is a very accurate point and an important practice for improving code maintainability.

However, when I looked at the suggested code, I couldn’t help but chuckle.

JSON Doesn’t Support Comments

Did you notice? Copilot suggested adding comments starting with // to the package.json file.

As you know, the JSON specification does not support comments. If I had applied this suggestion as-is, the JSON parser would have thrown an error.

I replied to Copilot (and for other developers reading the review), acknowledging the intent of the suggestion and documenting the rationale in the commit message instead.

JSON files don’t support comments, so I’ve documented the rationale in the commit message.

For additional context:

Fixed in:

  • Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
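
As an added example (not code from the pull request or the giselle repository), here is a small Node.js check that a package.json is strict JSON and that its pnpm.overrides entry pins next to a patched release from the "Fixed in" list above. The function names and sample inputs are constructed for illustration, and the check assumes that later patch releases on a listed minor line keep the fix.

```javascript
// Added example: not part of the original post or the project's code.
// Patched Next.js releases, copied from the "Fixed in" list in the PR reply above.
const FIXED_NEXT_VERSIONS = ["15.0.5", "15.1.9", "15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"];
const KEY = "@react-email/preview-server>next";

// Assumption: a later patch release on a listed minor line still contains the fix.
function isPatched(version) {
  if (!/^\d+\.\d+\.\d+$/.test(version)) return false; // ranges and tags are not exact pins
  const [major, minor, patch] = version.split(".").map(Number);
  const fixed = FIXED_NEXT_VERSIONS.find((v) => v.startsWith(`${major}.${minor}.`));
  return fixed !== undefined && patch >= Number(fixed.split(".")[2]);
}

// Parse package.json text strictly, then check the override for the given key.
function checkOverride(packageJsonText, key) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText); // strict JSON: a // comment is a syntax error
  } catch {
    return { ok: false, reason: "invalid-json" };
  }
  const pinned = pkg?.pnpm?.overrides?.[key];
  if (typeof pinned !== "string") return { ok: false, reason: "override-missing" };
  if (!isPatched(pinned)) return { ok: false, reason: "not-patched", pinned };
  return { ok: true, pinned };
}

// Constructed sample inputs (hypothetical package.json contents).
const WITH_COMMENT = `{
  "pnpm": {
    "overrides": {
      // Pinning next@16.0.7 for @react-email/preview-server
      "@react-email/preview-server>next": "16.0.7"
    }
  }
}`;
const VALID = JSON.stringify({ pnpm: { overrides: { [KEY]: "16.0.7" } } });
const STALE = JSON.stringify({ pnpm: { overrides: { [KEY]: "15.5.2" } } });

for (const [name, text] of [["with comment", WITH_COMMENT], ["valid", VALID], ["stale", STALE]]) {
  console.log(name, checkOverride(text, KEY));
}
```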

Collaboration Between AI and Humans

This incident was an interesting example showing that while GitHub Copilot is excellent, it’s not yet perfect. It seems it couldn’t fully understand the basic context of file syntax.

However, the important point is that the essence of Copilot’s suggestion—“document the intent of your changes”—was completely correct. Rather than blindly accepting AI suggestions, humans should correctly interpret their intent and reflect them appropriately. I felt this is one form of collaboration with AI.

It was a moment at the development workplace where I was slightly amused by AI’s accurate yet playful side.

That’s all from the Gemba, where someone wanted to leave a comment in a JSON file.
