Skip to content

fix: resolve all fixable snyk vulnerabilities#91

Merged
radovanjorgic merged 3 commits into
mainfrom
rado/ISS-344638
Jul 14, 2026
Merged

fix: resolve all fixable snyk vulnerabilities#91
radovanjorgic merged 3 commits into
mainfrom
rado/ISS-344638

Conversation

@radovanjorgic

@radovanjorgic radovanjorgic commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Description

This PR resolves all fixable Snyk vulnerabilities found in the project:

  • Bumps the transitive protobufjs dependency (via @devrev/typescript-sdk) from 7.6.4 to 7.6.5 (high severity, infinite loop, SNYK-JS-PROTOBUFJS-17900550).
  • Bumps body-parser (direct dependency) from 1.20.5 to 1.20.6 (medium severity, SNYK-JS-BODYPARSER-17906397).
  • Bumps transitive devDependencies (lockfile-only): brace-expansion 1.1.15/2.1.1/5.0.6 → 1.1.16/2.1.2/5.0.7, js-yaml 4.2.0 → 4.3.0 (eslint path) and 3.14.2 → 3.15.0 (istanbul path, partial).

Some fixed versions were fetched from public npmjs since the internal registry mirror had not yet synced them.

Two findings remain and are not fixable without disruptive changes: inflight@1.0.6 (abandoned package, no patch exists) and one js-yaml CVE on the istanbul path that needs 4.x but is blocked by a parent's ^3.13.1 pin (would require an overrides entry).

Verified clean via snyk test for everything else. Build passes (this repo has no test suite).

Connected Issues

https://app.devrev.ai/devrev/works/ISS-344638

Checklist

  • Tests added/updated and ran with npm run test OR no tests needed.
  • Code formatted and checked with npm run lint.
  • Added "How to test" section to the description OR this section is not needed.

Resolves SNYK-JS-PROTOBUFJS-17900550 (infinite loop, high severity) via
@devrev/typescript-sdk. Fetched from public npmjs since the internal
registry mirror had not yet synced 7.6.5.
body-parser 1.20.5 -> 1.20.6 (SNYK-JS-BODYPARSER-17906397, medium)
brace-expansion 1.1.15/2.1.1/5.0.6 -> 1.1.16/2.1.2/5.0.7 via nodemon,
  eslint, typescript-eslint, rimraf transitive chains
  (SNYK-JS-BRACEEXPANSION-17706650, high)
js-yaml 4.2.0 -> 4.3.0 via eslint (SNYK-JS-JSYAML-17900054, high)
js-yaml 3.14.2 -> 3.15.0 via babel-jest > @istanbuljs/load-nyc-config
  (partial fix for SNYK-JS-JSYAML-17342520; that CVE's real fix needs
  js-yaml 4.2.0+ but load-nyc-config pins ^3.13.1, so a clean bump past
  3.x isn't possible without an overrides block)

Not fixed: inflight@1.0.6 (SNYK-JS-INFLIGHT-6095116) has no available
fix, abandoned package via babel-jest > ... > glob > inflight
@radovanjorgic radovanjorgic marked this pull request as ready for review July 14, 2026 11:38
@radovanjorgic radovanjorgic changed the title fix: bump transitive protobufjs to 7.6.5 to resolve snyk vuln fix: resolve all fixable snyk vulnerabilities Jul 14, 2026
CI runners have no Verdaccio credentials for npm.infra.devrev-eng.ai,
so npm ci would fail with E401 on 3 pre-existing deps (argparse,
esprima, sprintf-js) whose "resolved" URL had been pinned to the
internal mirror. Repoint to registry.npmjs.org; integrity hashes are
unchanged since tarballs are byte-identical on both registries.
@radovanjorgic radovanjorgic merged commit a0ee2d6 into main Jul 14, 2026
3 checks passed
@radovanjorgic radovanjorgic deleted the rado/ISS-344638 branch July 14, 2026 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants