Resolve high/critical Snyk SCA findings via dependency upgrades#51
Open
devin-ai-integration[bot] wants to merge 1 commit into
Open
Resolve high/critical Snyk SCA findings via dependency upgrades#51devin-ai-integration[bot] wants to merge 1 commit into
devin-ai-integration[bot] wants to merge 1 commit into
Conversation
Upgrade vulnerable direct dependencies to Snyk-recommended fixed versions (adm-zip, body-parser, ejs, express, express-fileupload, hbs, lodash, marked, moment, mongoose, st, typeorm, validator, errorhandler, cfenv) and regenerate package-lock.json. Adapt typeorm-db.js to the typeorm 0.3 DataSource API and fix adm-zip 0.5 constructor usage. Reduces unique high/critical SCA findings from 76 (8 critical) to 9 (0 critical). Co-Authored-By: Ian Moritz <ian.moritz@cognition.ai>
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Remediates the high- and critical-severity dependency (SCA) vulnerabilities surfaced by a Snyk SCA scan (
snyk test) of this app. Affected direct dependencies are upgraded to the Snyk-recommended fixed versions,package-lock.jsonis regenerated, and two small source adaptations are made so the app still installs and starts cleanly with the upgraded deps. Only real upgrades — no tests or scan config were modified to hide findings.Result: unique high/critical SCA findings dropped from 76 (8 critical) → 9 (0 critical). All criticals eliminated.
Before vs After (Snyk SCA,
snyk test)Criticals fixed include:
adm-zipZip Slip,handlebars(viahbs) prototype pollution / type confusion (×4),form-datapredictable boundary,babel-traverse(via oldtap).Dependency version bumps
dicer)semverhighSnyk recommended
typeorm@1.0.0, but that version requiresmongodb@^7as a peer (conflicts with this app'smongodbdep) —typeorm@0.3.30fixes the same high findings (SQL injection fixed in 0.3.29, prototype pollution in 0.2.25) and installs cleanly.Required source changes (to keep the app working with upgraded deps)
typeorm-db.js: migrated from the removedtypeorm.createConnection(...)/getConnection(...)API to thenew typeorm.DataSource(...).initialize()API (typeorm 0.3 removed the old functions). Same connection params and seeding behavior.routes/index.js:AdmZip(buffer)→new AdmZip(buffer)(adm-zip 0.5 requiresnew).Verification
npm installsucceeds and regeneratespackage-lock.jsonwith no peer-dependency errors.npm start(with--openssl-legacy-provider) logsExpress server listening on port 3001; with a local MongoDB,GET /andGET /loginreturn HTTP 200 and the admin user is seeded (mongoose 6 works). MySQL/typeorm failure when no DB is present is caught and does not crash the process.snyk testto confirm the high/critical drop above.Findings intentionally left unresolved (and why)
dustjs-helpers@1.5.0peer (2.5 - 2.6); upgrading both would require replacing the Dust template stackejs-locals@1.0.2, which pins ejs~0.8; the directejsis already on 3.1.10. Removing these requires replacingejs-locals(layout engine)tap@18 > @tapjs/run > pacote; not part of the app runtime. Upgrading tap already removed ~39 older high/crit findingsThese are low-risk to this demo and/or require deeper refactors (replacing
ejs-locals/Dust) that are out of scope for a dependency-upgrade PR.Link to Devin session: https://app.devin.ai/sessions/856d7214262941ab92e1b911df9b255a
Requested by: @iancmoritz
Devin Review