Skip to content

Resolve high/critical Snyk SCA findings via dependency upgrades#51

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1782375992-resolve-snyk-scan
Open

Resolve high/critical Snyk SCA findings via dependency upgrades#51
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1782375992-resolve-snyk-scan

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 25, 2026

Copy link
Copy Markdown

Summary

Remediates the high- and critical-severity dependency (SCA) vulnerabilities surfaced by a Snyk SCA scan (snyk test) of this app. Affected direct dependencies are upgraded to the Snyk-recommended fixed versions, package-lock.json is regenerated, and two small source adaptations are made so the app still installs and starts cleanly with the upgraded deps. Only real upgrades — no tests or scan config were modified to hide findings.

Result: unique high/critical SCA findings dropped from 76 (8 critical) → 9 (0 critical). All criticals eliminated.

Before vs After (Snyk SCA, snyk test)

Severity Before (unique vuln IDs) After (unique vuln IDs)
Critical 8 0
High 68 9
High+Critical total 76 9
Vulnerable paths (high+crit) 273 28

Criticals fixed include: adm-zip Zip Slip, handlebars (via hbs) prototype pollution / type confusion (×4), form-data predictable boundary, babel-traverse (via old tap).

Dependency version bumps

Package Old New Notes
adm-zip 0.4.7 0.5.2 Critical Zip Slip (SNYK-JS-ADMZIP-1065796)
body-parser 1.9.0 1.20.4
cfenv ^1.0.4 ^1.2.6
ejs 1.0.0 3.1.10 direct ejs (see caveat re: ejs-locals)
errorhandler 1.2.0 1.4.3
express 4.12.4 4.22.0
express-fileupload 0.0.5 1.5.2 1.5.x uses busboy@1 (drops vulnerable dicer)
hbs ^4.0.4 ^4.2.1 pulls handlebars 4.7.x (fixes 4 highs + criticals)
lodash 4.17.4 4.17.21
marked 0.3.5 4.0.10
moment 2.15.1 2.29.4 fixes ReDoS SNYK-JS-MOMENT-2944238
mongodb ^3.5.9 ^6.0.0 direct dep is unused by app code; bumped to satisfy typeorm peer
mongoose 4.2.4 6.13.9
st 0.2.4 1.2.2
tap ^11.1.3 ^18.0.0 dev/test tooling; removes ~39 high/crit from old transitive tree
typeorm ^0.2.24 ^0.3.30 fixes SQL injection + prototype pollution
validator ^13.5.2 ^13.15.22
npmconf 0.0.24 removed unused by the app; removal drops its high + transitive semver high

Snyk recommended typeorm@1.0.0, but that version requires mongodb@^7 as a peer (conflicts with this app's mongodb dep) — typeorm@0.3.30 fixes the same high findings (SQL injection fixed in 0.3.29, prototype pollution in 0.2.25) and installs cleanly.

Required source changes (to keep the app working with upgraded deps)

  • typeorm-db.js: migrated from the removed typeorm.createConnection(...)/getConnection(...) API to the new typeorm.DataSource(...).initialize() API (typeorm 0.3 removed the old functions). Same connection params and seeding behavior.
  • routes/index.js: AdmZip(buffer)new AdmZip(buffer) (adm-zip 0.5 requires new).

Verification

  • npm install succeeds and regenerates package-lock.json with no peer-dependency errors.
  • App boots: npm start (with --openssl-legacy-provider) logs Express server listening on port 3001; with a local MongoDB, GET / and GET /login return HTTP 200 and the admin user is seeded (mongoose 6 works). MySQL/typeorm failure when no DB is present is caught and does not crash the process.
  • Re-ran snyk test to confirm the high/critical drop above.

Findings intentionally left unresolved (and why)

Package Sev Why not fixed
dustjs-linkedin@2.5.0 (×2: prototype pollution, code injection) High dustjs-linkedin@3 breaks the dustjs-helpers@1.5.0 peer (2.5 - 2.6); upgrading both would require replacing the Dust template stack
ejs@0.8.8 (×2: RCE, arbitrary code exec) High transitive via the unmaintained ejs-locals@1.0.2, which pins ejs ~0.8; the direct ejs is already on 3.1.10. Removing these requires replacing ejs-locals (layout engine)
lodash@4.17.21 (arbitrary code injection) High no fixed version available (4.17.21 is the latest 4.x)
pacote@17.0.7 (DoS), tar@6.2.1 (×3: traversal/symlink) High transitive dev/test-only deps via tap@18 > @tapjs/run > pacote; not part of the app runtime. Upgrading tap already removed ~39 older high/crit findings

These are low-risk to this demo and/or require deeper refactors (replacing ejs-locals/Dust) that are out of scope for a dependency-upgrade PR.

Link to Devin session: https://app.devin.ai/sessions/856d7214262941ab92e1b911df9b255a
Requested by: @iancmoritz


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

Upgrade vulnerable direct dependencies to Snyk-recommended fixed versions
(adm-zip, body-parser, ejs, express, express-fileupload, hbs, lodash, marked,
moment, mongoose, st, typeorm, validator, errorhandler, cfenv) and regenerate
package-lock.json. Adapt typeorm-db.js to the typeorm 0.3 DataSource API and
fix adm-zip 0.5 constructor usage. Reduces unique high/critical SCA findings
from 76 (8 critical) to 9 (0 critical).

Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants