fix: upgrade critical and high-severity dependencies per Snyk vulnerability report #14
Open
devin-ai-integration[bot] wants to merge 1 commit into
…vulnerabilities

Addresses the top vulnerabilities from the daily Snyk scan:

Critical fixes:
- adm-zip: 0.4.7 → 0.4.11 (CVE-2018-1002204 - Zip Slip)
- hbs: 4.0.4 → 4.2.1, resolving handlebars 4.0.14 → 4.7.9 (CVE-2026-33938, CVE-2026-33937, CVE-2026-33940, Prototype Pollution)
- tap: 11.x → 18.x (resolves transitive deps: form-data CVE-2025-7783, sha.js CVE-2025-9288, babel-traverse CVE-2023-45133)

High fixes:
- body-parser: 1.9.0 → 1.20.3 (CVE-2024-45590 - DoS)
- dustjs-linkedin: 2.5.0 → 2.7.5 (CVE-2021-4264 - Prototype Pollution)
- dustjs-helpers: 1.5.0 → 1.7.4 (compatible with dustjs-linkedin 2.7.x)

Co-Authored-By: Jake Luo <jake.luo@cognition.ai>
Summary
Addresses the top 10 vulnerabilities identified in the daily Snyk scan (2026-05-29). Upgrades 6 direct dependencies to resolve 8 critical and 2 high-severity vulnerabilities.
Critical fixes:
- adm-zip
- hbs
- tap

High fixes:
- body-parser
- dustjs-linkedin
- dustjs-helpers

Note on dustjs-linkedin: Snyk recommended upgrading to 3.0.0, but dustjs-helpers (latest 1.7.4) only supports dustjs-linkedin 2.7–2.8. Upgraded to 2.7.5 to maintain compatibility while still resolving the Prototype Pollution vulnerability.

Review & Testing Checklist for Human
- … `npm start`) and the todo list functionality works at http://localhost:3001
- … /account_details)
- … /about_new route uses dust templating)
- … `snyk test` to confirm the targeted CVEs are resolved
- … express-fileupload + adm-zip)

Notes
- dustjs-linkedin was upgraded to 2.7.5 instead of the recommended 3.0.0 due to dustjs-helpers peer dependency constraints (requires 2.7–2.8)
- tap major version bump (11→18) may affect test tooling if custom tap tests exist; currently the repo's test script just runs `snyk test`
- … mongoose, ejs, lodash, marked, st)

Link to Devin session: https://app.devin.ai/sessions/53a15190735b484981990268967da278
Requested by: @jakejluo