[Snyk] Fix for 4 vulnerabilities by shafnirlab · Pull Request #3 · shafnirlab/JavaScript

shafnirlab · 2025-06-03T07:25:36Z

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

package.json
package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Arbitrary Code Injection SNYK-JS-UNDERSCORE-1080984	175
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	159
	Prototype Pollution SNYK-JS-INI-1048974	149
	Regular Expression Denial of Service (ReDoS) npm:semver:20150403	46

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution
🦉 Regular Expression Denial of Service (ReDoS)
🦉 Arbitrary Code Injection

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 - https://snyk.io/vuln/SNYK-JS-SEMVER-3247795 - https://snyk.io/vuln/SNYK-JS-INI-1048974 - https://snyk.io/vuln/npm:semver:20150403

shafnirlab · 2025-06-03T07:28:58Z

Checkmarx One – Scan Summary & Details – 3c0670c7-26cb-4bfc-a2f6-7044356d15cb

New Issues (20)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2025-23061	Npm-mongoose-4.2.4	details Recommended version: 6.13.6 Description: Mongoose versions prior to 6.13.6, 7.x prior to 7.8.4 and 8.x prior to 8.9.5 can improperly use a nested "$where" filter with a "populate()" match,... Attack Vector: NETWORK Attack Complexity: HIGH `ID: Yey3bKO47Wi7D8ydlZDMQv21jK3DCgiMzNw%2BQ2hbbsE%3D` Vulnerable Package
Cx88b46a98-47a5	Npm-elliptic-6.4.1	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: arzOIzPA0ar%2B7PmD4WalNuluQ%2BYb0z0wffvIK0qa27o%3D` Vulnerable Package
Missing User Instruction	/Dockerfile: 1	details A user should be specified in the dockerfile, otherwise the image will run as root `ID: TqERt3DQyX3Ca6FIe%2FmiFFUx3zE%3D`
CVE-2018-25110	Npm-marked-0.3.5	details Recommended version: 4.0.10 Description: Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several r... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: setOptions@/app.js - ... - setOptions@/package/lib/marked.js `ID: b8iErNCRXNNNJhE2MVRHnccEfGII4P73%2Fg2Iv8NPOLo%3D` Vulnerable Package
Container Capabilities Unrestricted	/docker-compose.yml: 15	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... `ID: 6mcmRKZvsnX79o3XQMf6QemwgIk%3D`
Container Capabilities Unrestricted	/docker-compose.yml: 3	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnec... `ID: Pvw0%2FfXz2%2B6eUwf9tvswcwRl3EA%3D`
Container Traffic Not Bound To Host Interface	/docker-compose.yml: 18	details Incoming container traffic should be bound to a specific host interface `ID: ZVIxxxixBB5lQKRbYGI%2B%2BCBreLo%3D`
Container Traffic Not Bound To Host Interface	/docker-compose.yml: 8	details Incoming container traffic should be bound to a specific host interface `ID: 7nZhUUHRYJvy%2Btjl4yJklqolsro%3D`
Healthcheck Not Set	/docker-compose.yml: 15	details Check containers periodically to see if they are running properly. `ID: 0A4t7%2BYGhc41p2XKMp7EwJK%2BNNQ%3D`
Healthcheck Not Set	/docker-compose.yml: 3	details Check containers periodically to see if they are running properly. `ID: 5VS7anOB9MUQnwkA%2BiRnIs%2B9gcg%3D`
Memory Not Limited	/docker-compose.yml: 15	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... `ID: bTU8LODu1rKC6h5s7mTY%2Fqcm8OY%3D`
Memory Not Limited	/docker-compose.yml: 3	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than ... `ID: pyfOiUPin71E1glL559yeKD9JR8%3D`
Pids Limit Not Set	/docker-compose.yml: 15	details 'pids_limit' should be set and different than -1 `ID: ZCFGfTw8OiPCxYZ3%2Fvk4tCqJ6NQ%3D`
Pids Limit Not Set	/docker-compose.yml: 3	details 'pids_limit' should be set and different than -1 `ID: i0FRnWvS4VsZyLtBb76e2tVYcSA%3D`
Security Opt Not Set	/docker-compose.yml: 3	details Attribute 'security_opt' should be defined. `ID: madx8Ec86dwZZJaGDLxTAtRyGw8%3D`
Security Opt Not Set	/docker-compose.yml: 15	details Attribute 'security_opt' should be defined. `ID: oEI7GhxrkChSpGLqD5ywV5fBIOw%3D`
Cpus Not Limited	/docker-compose.yml: 15	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests `ID: 5K7NNt%2BQEiknWiTPvpKwD2xJ3qY%3D`
Cpus Not Limited	/docker-compose.yml: 3	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests `ID: pg757s36iYuYwzitBcB0P%2BYGvPg%3D`
Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working `ID: 55bDv9SmcN2HQP%2Ff1zfdWHz%2Fios%3D`
Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 3	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. `ID: mrJyOBCB2yKWcQjSwD6Qrx4%2BEP8%3D`

Fixed Issues (12)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2020-7788~~	Npm-ini-1.1.0
	~~CVE-2020-7788~~	Npm-ini-1.3.5
	~~CVE-2015-8855~~	Npm-semver-1.1.4
	~~CVE-2016-10707~~	Npm-jquery-2.2.4
	~~CVE-2021-23358~~	Npm-underscore-1.9.1
	~~Cx3f7e7954-ea58~~	Npm-ms-0.7.1
	~~Cx3f7e7954-ea58~~	Npm-ms-0.7.3
	~~Cxf4039bac-6697~~	Npm-npmconf-0.0.24
	~~CVE-2020-11022~~	Npm-jquery-2.2.4
	~~Cx14b19a02-387a~~	Npm-body-parser-1.9.0
	~~Cxee7cbf9f-8b8d~~	Npm-marked-0.3.5
	~~Log_Forging~~	/routes/index.js: 223

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 4 vulnerabilities#3

[Snyk] Fix for 4 vulnerabilities#3
shafnirlab wants to merge 1 commit intomasterfrom
snyk-fix-52418bc814df1511a1a8fb961b432b1b

shafnirlab commented Jun 3, 2025

Uh oh!

shafnirlab commented Jun 3, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

shafnirlab commented Jun 3, 2025

Snyk has created this PR to fix 4 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

Uh oh!

shafnirlab commented Jun 3, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants