The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-AXIOS-12613773
- https://snyk.io/vuln/SNYK-JS-MULTER-10773732
- https://snyk.io/vuln/SNYK-JS-TYPEORM-13746469
- https://snyk.io/vuln/SNYK-JS-JSYAML-13961110
Pull request overview
This is an automated security fix PR from Snyk that updates 4 dependencies in the API application to address high and medium severity vulnerabilities. However, the pnpm lockfile was not updated, which means the security fixes will not actually be applied.
Changes:
- Upgraded axios from ^1.11.0 to ^1.12.0 to fix Allocation of Resources Without Limits vulnerability (score 666)
- Upgraded @nestjs/platform-express from ^11.0.1 to ^11.1.5 to fix Uncaught Exception vulnerability in multer (score 649)
- Upgraded typeorm from ^0.3.25 to ^0.3.26 to fix SQL Injection vulnerability (score 576)
- Upgraded @nestjs/swagger from ^11.2.0 to ^11.2.2 to fix Prototype Pollution vulnerability in js-yaml (score 559)
| "@nestjs/platform-express": "^11.1.5", | ||
| "@nestjs/swagger": "^11.2.2", | ||
| "@nestjs/typeorm": "^11.0.0", | ||
| "@supabase/supabase-js": "^2.53.0", | ||
| "@types/bcrypt": "^5.0.2", | ||
| "@types/passport-google-oauth20": "^2.0.16", | ||
| "@types/pg": "^8.15.4", | ||
| "axios": "^1.11.0", | ||
| "axios": "^1.12.0", |
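Review bot: The only changed line in this hunk is `"axios": "^1.11.0"` becoming `"axios": "^1.12.0"`, and `^1.12.0` is a range, not a pin, so nothing in the diff itself moves the installed version; the fix takes effect only once pnpm-lock.yaml is regenerated and resolves axios to 1.12.0 or later, and likewise the multer and js-yaml fixes only land when the lockfile picks up the @nestjs/platform-express 11.1.5 and @nestjs/swagger 11.2.2 context lines shown here. Run pnpm install at the repository root and commit the updated pnpm-lock.yaml in this same PR.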
The package.json has been updated to fix security vulnerabilities, but the pnpm-lock.yaml file has not been updated accordingly. This means the actual installed dependencies will still be the vulnerable versions. The lockfile still contains:
- axios@1.11.0 (instead of 1.12.0)
- @nestjs/platform-express@11.1.3 (instead of 11.1.5)
- @nestjs/swagger@11.2.0 (instead of 11.2.2)
- typeorm@0.3.25 (instead of 0.3.26)
You must run pnpm install at the repository root to update the lockfile before merging this PR, otherwise the security vulnerabilities will remain unfixed.
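The mismatch described in the comment above (package.json bumped, pnpm-lock.yaml still resolving the old releases) is easy to miss in review, so here is a small checker, added as an example and not part of this PR or of Snyk's tooling. It parses the `name@x.y.z` package keys out of a lockfile, evaluates each package.json caret range with npm's caret semantics, and reports every dependency whose resolved version falls outside its declared range. The package.json and lockfile excerpts below are constructed to mirror the versions listed in this PR; the lockfile layout it assumes (an indented `name@version:` key per entry under `packages:`) is the pnpm lockfile layout as I understand it, not something taken from this page.

```javascript
// Added example: detect dependencies whose resolved lockfile version does not
// satisfy the caret range declared in package.json. No third-party modules.

// Constructed package.json fragment with the ranges this PR declares.
const PACKAGE_JSON = JSON.stringify({
  dependencies: {
    "axios": "^1.12.0",
    "@nestjs/platform-express": "^11.1.5",
    "@nestjs/swagger": "^11.2.2",
    "typeorm": "^0.3.26",
  },
});

// Constructed lockfile excerpt: the stale resolutions the review comment lists.
// The "  name@version:" key layout under "packages:" is an assumption about
// pnpm's lockfile format; integrity values are placeholders.
const LOCKFILE_STALE = `
packages:

  '@nestjs/platform-express@11.1.3':
    resolution: {integrity: sha512-PLACEHOLDER}

  '@nestjs/swagger@11.2.0':
    resolution: {integrity: sha512-PLACEHOLDER}

  axios@1.11.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  typeorm@0.3.25:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Constructed lockfile excerpt as it should look after "pnpm install".
const LOCKFILE_FIXED = LOCKFILE_STALE
  .replace("11.1.3", "11.1.5")
  .replace("11.2.0", "11.2.2")
  .replace("1.11.0", "1.12.0")
  .replace("0.3.25", "0.3.26");

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// npm caret semantics: ^1.2.3 => >=1.2.3 <2.0.0; ^0.2.3 => >=0.2.3 <0.3.0;
// ^0.0.3 => exactly 0.0.3. Only caret ranges are handled in this example.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const floorStr = range.slice(1);
  const floor = parseVersion(floorStr);
  const v = parseVersion(version);
  if (compareVersions(version, floorStr) < 0) return false;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return v[0] === 0 && v[1] === 0 && v[2] === floor[2];
}

// Map of package name -> list of versions that appear as lockfile package keys.
function parseLockfileVersions(text) {
  const resolved = new Map();
  const keyRe = /^  '?(@?[^'@\s]+)@(\d+\.\d+\.\d+)(?:\([^)]*\))*'?:\s*$/;
  for (const line of text.split("\n")) {
    const m = keyRe.exec(line);
    if (!m) continue;
    if (!resolved.has(m[1])) resolved.set(m[1], []);
    resolved.get(m[1]).push(m[2]);
  }
  return resolved;
}

// Returns one entry per declared dependency that is missing from the lockfile
// or resolved to a version outside its declared caret range.
function findStaleDependencies(packageJsonText, lockfileText) {
  const deps = JSON.parse(packageJsonText).dependencies || {};
  const resolved = parseLockfileVersions(lockfileText);
  const stale = [];
  for (const [name, range] of Object.entries(deps)) {
    const versions = resolved.get(name) || [];
    const bad = versions.filter((v) => !satisfiesCaret(range, v));
    if (versions.length === 0 || bad.length > 0) {
      stale.push({ name, range, resolved: bad.length ? bad : ["<not in lockfile>"] });
    }
  }
  return stale;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("stale before pnpm install:", findStaleDependencies(PACKAGE_JSON, LOCKFILE_STALE));
  console.log("stale after pnpm install:", findStaleDependencies(PACKAGE_JSON, LOCKFILE_FIXED));
}
```

In a real repository you would read `apps/api/package.json` and the root `pnpm-lock.yaml` from disk instead of the constructed strings, and wire the check into CI so a dependency bump that forgets the lockfile fails the build rather than merging with the vulnerable versions still installed.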
Snyk has created this PR to fix 4 vulnerabilities in the pnpm dependencies of this project.
Snyk changed the following file(s):
apps/api/package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-AXIOS-12613773
SNYK-JS-MULTER-10773732
SNYK-JS-TYPEORM-13746469
SNYK-JS-JSYAML-13961110