Skip to content

fix(deps): remediate top 5 critical Snyk vulnerability categories#13

Open
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1776883369-snyk-critical-fixes
Open

fix(deps): remediate top 5 critical Snyk vulnerability categories#13
devin-ai-integration[bot] wants to merge 1 commit into
mainfrom
devin/1776883369-snyk-critical-fixes

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Apr 22, 2026

Copy link
Copy Markdown

Summary

Bumps direct dependencies and adds an npm overrides block to patch the top-5 critical Snyk SCA finding categories in nodejs-goof:

  1. RCE / Code Injection — upgraded handlebars, ejs, dustjs-linkedin, lodash, shell-quote, pac-resolver.
  2. Zip Slip / Directory Traversal — upgraded adm-zip, moment.
  3. SSRF — upgraded parse-url, ip, netmask.
  4. Crypto signature forgery / weak randomness — upgraded elliptic, pbkdf2, cipher-base, sha.js, form-data.
  5. Prototype Pollution — upgraded handlebars, lodash, express-fileupload, mongoose, typeorm, json-schema, mquery, mixin-deep, set-value, unset-value, y18n.

The new overrides block force-pins transitive dependencies (tar, minimatch, qs, picomatch, braces, on-headers, micromatch, etc.) to patched versions.

Snyk MCP SCA scan results (dev deps included, all_projects):

Total Critical High Medium Low
Before 204 17 83 91 13
After 6 0 0 5 1

All 17 critical and 83 high findings are cleared. The 6 residual findings are mediums/low with no upstream patch available (elliptic CVE-2025-14505, express-fileupload CVE-2022-27140/27261, file-type infinite-loop, hbs info exposure, inflight leak).

Review & Testing Checklist for Human

🔴 High risk — this PR touches ~40 dependencies including several breaking major-version jumps on a demo app whose routes depend on the old APIs. I did not run the app or its test suite.

  • Does the app still boot? Run npm start (with Mongo up). The jumps from mongoose 4 → 8, mongodb 3 → 6, typeorm 0.2 → 0.3, express-fileupload 0.0.5 → 1.5.1, and marked 0.3 → 4 all have breaking APIs — routes/, mongoose-db.js, typeorm-db.js, and any marked(...) / mongoose.connect(...) calls likely need code changes that are not in this PR.
  • Do the intentional vulnerability demos still reproduce? This is a teaching app. The Zip Slip payload in exploits/, the lodash.merge prototype-pollution exploit, the NoSQL-injection demo (mongoose), and the Dust.js RCE demo may no longer fire because the underlying libs are now patched. Decide whether that's desirable for this repo or whether the fixes should be applied selectively.
  • overrides sanity check — the block force-pins things like form-data@4.0.4, tar@7.5.11, mime@3.0.0, minimatch@10.2.3, debug@4.3.7. Older transitive consumers (e.g. the pinned snyk@^1.1294.0, tap@18, nodemon@3) may not be compatible with these majors. Run npm ls and npm test / snyk test locally.
  • Verify lodash@4.18.1 and dustjs-linkedin@3.0.1 are the intended pins (both are newer than the common 4.17.x / 2.7.x lines most tutorials reference).
  • Wait for the GitHub Actions snyk test / snyk code / CodeQL workflows to complete and confirm the expected drop in findings; also confirm CodeQL doesn't surface new issues due to API changes.

Suggested test plan

  1. rm -rf node_modules && npm install — confirm clean install on Node 20.
  2. docker-compose up (Mongo) then npm start — hit /, /login, the todo list, and the file-upload/import-zip routes to ensure nothing throws.
  3. Re-run snyk test --all-projects --dev and diff against the pre-PR baseline.
  4. Walk through the teaching exploits in exploits/ and decide, per demo, whether to (a) accept that it's patched or (b) roll back the specific dep.

Notes

  • No application code was modified — this is purely a dependency-manifest change. If the app fails to boot after the upgrades, the right follow-up is either app-code migration PRs or partial rollback of the offending dep.
  • 6 residual Snyk findings remain (listed above); none are critical/high and none currently have a published fix. They can be tracked via .snyk ignores if desired.

Link to Devin session: https://app.devin.ai/sessions/bdb2c485a5fb4172be51aa78f7323a82
Requested by: @vanessasalas-cog

@devin-ai-integration @vanessasalas-cog
fix(deps): remediate top 5 critical Snyk vulnerability categories
291b79f 
Reduces Snyk SCA findings from 204 (17 critical, 83 high) to 6
(0 critical, 0 high).

Top 5 critical categories remediated:
1. RCE / Code Injection — upgrade handlebars, ejs, dustjs-linkedin,
   lodash, shell-quote, pac-resolver to patched versions.
2. Arbitrary File Write / Zip Slip — upgrade adm-zip, moment.
3. SSRF — upgrade parse-url, ip, netmask.
4. Crypto signature forgery / weak randomness — upgrade elliptic,
   pbkdf2, cipher-base, sha.js, form-data.
5. Prototype Pollution — upgrade handlebars, lodash, express-fileupload,
   mongoose, typeorm, json-schema and related.

Also adds an npm 'overrides' block to pin transitive dependencies to
patched versions (tar, minimatch, qs, picomatch, braces, on-headers,
y18n, mquery, mixin-deep, set-value, unset-value, etc.).

Co-Authored-By: vanessa.salas <vanessa.salas@cognition.ai>
@devin-ai-integration

devin-ai-integration Bot commented Apr 22, 2026

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@vanessasalas-cog vanessasalas-cog

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vanessasalas-cog