The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-15252993
- https://snyk.io/vuln/SNYK-JS-AJV-15274295
- https://snyk.io/vuln/SNYK-JS-QS-15268416
Pull request overview
This is an automated Snyk security PR that attempts to fix 3 high/medium severity vulnerabilities by upgrading three npm packages in the upload-api directory: axios (Prototype Pollution), eslint (ReDoS via ajv), and qs (Resource allocation issue).
Changes:
- Upgrade axios from ^1.12.0 to ^1.13.5 to fix SNYK-JS-AXIOS-15252993 (Prototype Pollution vulnerability)
- Upgrade eslint from ^9.0.0 to ^10.0.0 to fix SNYK-JS-AJV-15274295 (ReDoS vulnerability in ajv dependency)
- Upgrade qs from ^6.14.1 to ^6.14.2 to fix SNYK-JS-QS-15268416 (Resource allocation vulnerability)
| "cors": "^2.8.5", | ||
| "dotenv": "^16.3.1", | ||
| "eslint": "^9.0.0", | ||
| "eslint": "^10.0.0", |
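Review bot: The eslint change in this hunk is a major-version bump (^9.0.0 to ^10.0.0) made only to pull in a patched transitive ajv, whereas the other upgrades in this PR are patch-level; a new linter major can change rule defaults and configuration requirements, so the lint script should be run in CI on this branch before merging. If eslint 10 cannot be adopted here yet, an npm `overrides` entry for ajv in package.json, or a 9.x eslint release that already resolves a fixed ajv, may address SNYK-JS-AJV-15274295 without the major bump; either way, confirm with `npm ls ajv` that no vulnerable copy remains in the tree.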
The upgrade to eslint version 10.0.0 is problematic because the current @typescript-eslint packages (version 8.x) only support eslint versions ^8.57.0 || ^9.0.0, which does not include version 10.x. This will cause peer dependency conflicts and the TypeScript ESLint parser and plugins will not work correctly. Additionally, eslint version 10.0.0 may not exist yet as of the current date. The latest stable eslint version as of January 2025 was 9.x. Consider updating to a version that is compatible with the @typescript-eslint packages or wait for updated @typescript-eslint packages that support eslint 10.x.
| "eslint": "^10.0.0", | |
| "eslint": "^9.0.0", |
| @@ -61,7 +61,7 @@ | |||
| "node-fetch": "^2.7.0", | |||
| "nodemon": "^3.1.9", | |||
| "prettier": "^3.3.3", | |||
| "qs": "^6.14.1", | |||
| "qs": "^6.14.2", | |||
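Review bot: The qs bump in this hunk only raises the floor of a caret range (^6.14.1 to ^6.14.2), so the version actually installed is still decided by package-lock.json, which this diff does not touch; `npm ci` refuses to install when package.json and the lockfile disagree, and a plain `npm install` rewrites the lockfile locally without that result being committed. Run `npm install` in upload-api, commit the regenerated package-lock.json, and verify with `npm ls qs` that the resolved version is 6.14.2 or later before treating SNYK-JS-QS-15268416 as fixed.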
The package-lock.json file has not been updated to reflect the changes made to package.json. When dependency versions in package.json are updated, the package-lock.json must also be regenerated by running npm install to ensure that the exact versions and their transitive dependencies are locked. Without updating the package-lock.json, the actual installed versions may not match what is specified in package.json, and the security vulnerabilities may not be properly addressed.
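As an added example (not code from this PR, from Snyk, or from the upload-api project), the following Node script implements the check the comment above describes: it compares the ranges declared in package.json against the versions recorded in package-lock.json and reports every package whose lockfile entry no longer satisfies its declared range. The package.json and package-lock.json contents are constructed samples that mimic a lockfile left un-regenerated after this PR's edits; the semver handling is a minimal caret-range check written for this example, not the npm or `semver` package implementation.

```javascript
// Added example, not part of this PR or of the upload-api project: a small
// lockfile-drift check that reports packages whose package-lock.json entry no
// longer satisfies the range declared in package.json. Only the caret ranges
// npm writes by default are handled; anything else is reported as unsupported.

// Constructed sample inputs (in a real checkout these would be read from disk).
const PACKAGE_JSON = {
  dependencies: { axios: "^1.13.5", qs: "^6.14.2" },
  devDependencies: { eslint: "^10.0.0" },
};

// A lockfile that was NOT regenerated after the package.json edit: qs and
// eslint still point at pre-upgrade versions (constructed values).
const PACKAGE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.13.5" },
    "node_modules/qs": { version: "6.14.1" },
    "node_modules/eslint": { version: "9.17.0" },
  },
};

// "1.2.3-beta.1" -> [1, 2, 3]; prerelease tags are ignored for this check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Caret semantics: same major as the floor (same minor when major is 0,
// same patch when major and minor are 0) and at least the floor version.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) {
    throw new Error(`unsupported range "${range}" (only caret ranges handled)`);
  }
  const [maj, min, pat] = parseVersion(range.slice(1));
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (vMaj !== maj) return false;
  if (maj === 0 && min === 0) return vMin === 0 && vPat === pat;
  if (maj === 0) return vMin === min && vPat >= pat;
  if (vMin !== min) return vMin > min;
  return vPat >= pat;
}

// Merge runtime and dev dependencies into one name -> range map.
function declaredRanges(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Return one entry per package whose lockfile state does not match package.json.
function lockfileDrift(pkg, lock) {
  const problems = [];
  const packages = (lock && lock.packages) || {};
  for (const [name, range] of Object.entries(declaredRanges(pkg))) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push({ name, range, resolved: null, reason: "missing from lockfile" });
      continue;
    }
    let ok;
    try {
      ok = satisfiesCaret(range, entry.version);
    } catch (e) {
      problems.push({ name, range, resolved: entry.version, reason: e.message });
      continue;
    }
    if (!ok) {
      problems.push({
        name,
        range,
        resolved: entry.version,
        reason: "lockfile version outside declared range",
      });
    }
  }
  return problems;
}

// Report drift for the constructed samples: qs and eslint are flagged, axios is not.
for (const p of lockfileDrift(PACKAGE_JSON, PACKAGE_LOCK)) {
  console.log(`${p.name}: declared ${p.range}, locked ${p.resolved ?? "(none)"}: ${p.reason}`);
}
```

To apply it to a real checkout, replace the two constants with `JSON.parse(fs.readFileSync(...))` of upload-api/package.json and upload-api/package-lock.json; a non-empty result means the lockfile still needs `npm install` and a commit before the advisories can be considered resolved.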
Snyk has created this PR to fix 3 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
upload-api/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-15252993
SNYK-JS-AJV-15274295
SNYK-JS-QS-15268416
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
👩💻 Set who automatically gets assigned
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Prototype Pollution
🦉 Allocation of Resources Without Limits or Throttling