
Conversation

@Dargon789
Owner


Snyk has created this PR to fix 24 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

  • package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning
Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue (severity, title, Snyk ID):

  • medium severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-AXIOS-12613773)
  • low severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-BRACEEXPANSION-9789073)
  • medium severity: Cross-site Scripting (XSS) (SNYK-JS-COOKIE-8163060)
  • critical severity: Predictable Value Range from Previous Values (SNYK-JS-FORMDATA-10841150)
  • high severity: Server-side Request Forgery (SSRF) (SNYK-JS-IP-12704893)
  • high severity: Server-side Request Forgery (SSRF) (SNYK-JS-IP-12761655)
  • high severity: Improper Verification of Cryptographic Signature (SNYK-JS-OPENPGP-10185678)
  • medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-PATHTOREGEXP-8482416)
  • medium severity: Server-side Request Forgery (SSRF) (SNYK-JS-REQUEST-3361831)
  • medium severity: Cross-site Scripting (XSS) (SNYK-JS-SERIALIZEJAVASCRIPT-6147607)
  • medium severity: Prototype Pollution (SNYK-JS-TOUGHCOOKIE-5672873)
  • low severity: Insecure Credential Storage (SNYK-JS-WEB3-174533)
  • medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-WS-1296835)
  • critical severity: Improper Verification of Cryptographic Signature (SNYK-JS-ELLIPTIC-8187303)
  • high severity: Server-side Request Forgery (SSRF) (SNYK-JS-IP-6240864)
  • medium severity: Server-side Request Forgery (SSRF) (SNYK-JS-AXIOS-9292519)
  • high severity: Denial of Service (DoS) (SNYK-JS-WS-7266574)
  • high severity: Prototype Pollution (SNYK-JS-WEB3UTILS-6229337)
  • high severity: Cross-site Request Forgery (CSRF) (SNYK-JS-AXIOS-6032459)
  • medium severity: Uncontrolled Resource Consumption ('Resource Exhaustion') (SNYK-JS-TAR-6476909)
  • medium severity: Missing Release of Resource after Effective Lifetime (SNYK-JS-INFLIGHT-6095116)
  • medium severity: Server-side Request Forgery (SSRF) (SNYK-JS-AXIOS-9403194)
  • medium severity: Server-Side Request Forgery (SSRF) (SNYK-JS-IP-7148531)
  • medium severity: Regular Expression Denial of Service (ReDoS) (SNYK-JS-AXIOS-6124857)

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Cross-site Request Forgery (CSRF)
🦉 Regular Expression Denial of Service (ReDoS)
🦉 More lessons are available in Snyk Learn

@snyk-io

snyk-io bot commented Sep 23, 2025

⚠️ Snyk checks are incomplete.

⚠️ security/snyk check encountered an error. (View Details)

@gemini-code-assist

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, aims to enhance the project's security posture by addressing 24 identified vulnerabilities across several yarn dependencies. The changes involve upgrading specific package versions in package.json to their patched counterparts. Reviewers should pay close attention to the yarn.lock file, as it requires a manual update to fully incorporate these security fixes and ensure compatibility, particularly for zero-install environments.

Highlights

  • Dependency Updates for Security: This PR updates 10 key yarn dependencies, including @onekeyfe/cross-inpage-provider-injected, @onekeyfe/hd-core, openpgp, and superagent, to newer versions to address identified security vulnerabilities.
  • Vulnerability Resolution: A total of 24 vulnerabilities, ranging from low to critical severity, are targeted for remediation. These include critical issues like "Predictable Value Range from Previous Values" (SNYK-JS-FORMDATA-10841150) and "Improper Verification of Cryptographic Signature" (SNYK-JS-ELLIPTIC-8187303), as well as various SSRF, XSS, and ReDoS vulnerabilities.
  • Manual yarn.lock Update Required: Snyk noted that it failed to update the yarn.lock file, requiring a manual update before merging to ensure all dependency resolutions are correctly reflected, especially for projects utilizing Yarn's zero-install feature.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.


Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request from Snyk resolves 24 security vulnerabilities by updating dependencies. While crucial for security, these changes require careful handling.

A critical point is that the yarn.lock file was not updated, as mentioned in the pull request description. You must run yarn (or yarn install) locally and commit the updated yarn.lock file. Without this step, the dependency upgrades will not be correctly applied, and your project may not build or might use outdated packages.

Furthermore, several dependencies have been upgraded across major versions. These upgrades are likely to introduce breaking changes. It is essential to conduct thorough testing (unit, integration, and end-to-end) to ensure the application remains stable and functional after these changes.

@socket-security

socket-security bot commented Sep 23, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action / Severity / Alert
Warn High
@alephium/[email protected] has a License Policy Violation.

License: GPL-3.0-only (package/src/utils/bs58.ts)

From: ?npm/@alephium/[email protected]

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@alephium/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
[email protected] is Protestware or potentially unwanted behavior.

Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale

From: yarn.locknpm/[email protected]

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
[email protected] is Protestware or potentially unwanted behavior.

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: yarn.locknpm/[email protected]

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@Dargon789 Dargon789 force-pushed the snyk-fix-78f186c06184ee90c9ded04451f4cffd branch from dbbeef1 to 9547e8d on September 23, 2025 06:08
@Dargon789 Dargon789 merged commit ba23ecf into x Sep 23, 2025
10 of 15 checks passed
@Dargon789 Dargon789 deleted the snyk-fix-78f186c06184ee90c9ded04451f4cffd branch September 23, 2025 06:13