Skip to content

bug: remediate Snyk SCA dependency vulnerabilities (npm deps bucket)#56

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/snyk-npm-deps-1782496250
Open

bug: remediate Snyk SCA dependency vulnerabilities (npm deps bucket)#56
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/snyk-npm-deps-1782496250

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 26, 2026

Copy link
Copy Markdown

Summary

Remediates the open-source dependency (SCA) Snyk findings by bumping vulnerable packages to their fixed versions. Only package.json and package-lock.json change.

Unique Snyk findings (snyk test --all-projects): 154 → 26 (8 critical → 0, 68 high → 11, 67 medium → 14, 11 low → 1). 128 resolved, 0 new.

What changed

  • Direct deps bumped to fixed versions: adm-zip 0.4.7→0.5.x, body-parser 1.9→1.20.x, dustjs-linkedin 2.5→2.7.5 + dustjs-helpers 1.5→1.7.4, express 4.12→4.21.x, express-fileupload 0.0.5→1.5.x, hbs→4.2.x, jquery 2→3.7.x, lodash 4.17.4→4.18.1, moment→2.30.x, mongoose 4.2→4.13.21, morgan→1.11.x, ms→2.1.x, npmconf→2.1.x, st 0.2.4→3.x, typeorm 0.2.24→0.2.45, validator→13.15.x, marked 0.3.5→0.3.9.
  • overrides added for transitive vulns (handlebars→4.7.9, form-data→4.0.6, ajv→6.15, qs→6.14, semver→7.5, minimatch→3.1.3, brace-expansion→1.1.13, cross-spawn→7.0.6, tough-cookie→4.1.3, send/serve-static, bson→1.1.6, mquery→3.2.5, mpath→0.8.4, and ~30 more).
  • Moved tapdevDependencies. tap@11 bundles ancient, un-overridable deps (babel-traverse [critical], request, lodash 4.17.10, hosted-git-info, istanbul-reports, mem, minimist 0.0.8); reclassifying the test framework removes them from the production scan.
  • package-lock.json regenerated in the same commit.

Verification

  • npm install clean; npm run build (browserify) OK.
  • App boots (NODE_OPTIONS=--openssl-legacy-provider node app.js) against MongoDB + MySQL. Exercised: GET / (ejs + marked render → <strong>hello</strong>), /login, /about_new (dust), static /public/js/bundle.js (st), POST /create (mongoose write) and POST /login (mongoose read) — all 200/302.

Remaining 26 findings (require source changes or no fix available)

  • ejs@1.0.0 (5): ejs-locals@1.0.2 pins ejs 1.x; upgrading breaks the EJS view engine.
  • marked@0.3.9 (6): views/index.ejs calls marked(new String(todo.content)); marked ≥0.3.19 rejects String objects. 0.3.9 is the highest non-breaking (cleared 5/11 marked findings).
  • mongoose@4.13.21 (6) + mongodb@2.2.34 (1): mongoose 4 callback API used in mongoose-db.js/routes; 5/6/7/8 are breaking, and mongodb 2.x is pinned by mongoose 4.
  • typeorm@0.2.45 (2, incl. SQLi): 0.3.x removes createConnection/getConnection used in typeorm-db.js.
  • dustjs-linkedin@2.7.5 (1): proto-pollution fix needs 3.0.0 but dustjs-helpers peer caps it at 2.7–2.8 (cleared the code-injection finding).
  • express-fileupload (2), inflight (1), hbs (1): no fix available.
  • js-yaml@3.14.2 (1): fix needs 4.x which removes safeLoad (cleared the proto-pollution finding).

Fixing the remaining items needs application source changes (templating engine / mongoose / typeorm migrations), which are out of scope for this dependencies-only bucket.

Link to Devin session: https://app.devin.ai/sessions/e3ef91adbf3f4fc29bf0195f44ecd1ec
Requested by: @stephencornwell


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

Bump direct deps to fixed versions, add npm overrides for transitive
vulns, and move tap to devDependencies. Regenerate package-lock.json.
Reduces unique Snyk SCA findings 154 -> 26 (8 critical -> 0).
Only package.json and package-lock.json changed.

Co-Authored-By: Stephen Cornwell <stephen@cognition.ai>
@stephencornwell stephencornwell self-assigned this Jun 26, 2026
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant