Skip to content

[Snyk] Fix for 2 vulnerabilities#23

Open
karencapiiro wants to merge 1 commit into
androidx-mainfrom
snyk-fix-9440d149c6dcda97312c05bc5d632c16
Open

[Snyk] Fix for 2 vulnerabilities#23
karencapiiro wants to merge 1 commit into
androidx-mainfrom
snyk-fix-9440d149c6dcda97312c05bc5d632c16

Conversation

@karencapiiro

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • development/fetchLicenses/package.json
  • development/fetchLicenses/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Infinite loop
SNYK-JS-BRACEEXPANSION-15789759
  99  
medium severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-PATHTOREGEXP-15789761
  50  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@karencapiiro

Copy link
Copy Markdown
Author

Merge Risk: High

This update includes a major version upgrade for puppeteer from v18 to v24, which introduces significant breaking changes. The upgrade for express is minor and carries low risk.

puppeteer: 18.2.1 → 24.15.0 (HIGH RISK)

This is a major upgrade with several breaking changes that require developer action.

Key Breaking Changes:

  • Node.js Version: Support for Node.js versions below 18 has been dropped. The previously supported Node.js 14 and 16 are no longer compatible. [11, 12]
  • Browser Management:
    • Puppeteer now downloads Chrome for Testing instead of Chromium by default. The behavior of headless mode has changed; the old mode can be accessed using headless: 'shell'. [8]
    • The browser cache location has moved from the project's node_modules folder to a shared global cache at ~/.cache/puppeteer. This may impact CI/CD build environments. [9]
  • API Changes & Removals:
    • createIncognitoBrowserContext() has been renamed to createBrowserContext(). [1]
    • The ignoreHttpsErrors launch option has been renamed to acceptInsecureCerts. [1]
    • The product launch option has been renamed to browser. [1]
    • The deprecated Frame.isOOPFrame() method has been removed. [1]

Recommendation:

  • Ensure your runtime environment uses Node.js 18 or newer. [12]
  • Review and update your Puppeteer launch configuration and API calls to align with the renames (createBrowserContext, acceptInsecureCerts).
  • Verify that your CI/CD environment can successfully download the browser to the new cache location or configure a custom cache directory using the PUPPETEER_CACHE_DIR environment variable. [9]

Source: Puppeteer Changelog

express: 4.18.2 → 4.22.0 (Low Risk)

This is a minor version upgrade that consists of security patches and bug fixes. No breaking API changes are documented for this range. [7, 14]

Source: Express Release History

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@jit-ci

jit-ci Bot commented Mar 28, 2026

Copy link
Copy Markdown

🛡️ Jit Security Scan Results

CRITICAL HIGH MEDIUM

✅ No security findings were detected in this PR


Security scan by Jit

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedexpress@​4.18.2 ⏵ 4.22.097 +1100 +310087100
Updatedpuppeteer@​18.2.1 ⏵ 24.15.093 +110089 -1197 +47100

View full report

@karencapiiro

Copy link
Copy Markdown
Author

Logo
Checkmarx One – Scan Summary & Details7b3821ae-35f3-4721-991a-71304e556368


New Issues (17) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 HIGH CVE-2026-26996 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: A0UuysGXQldvhpRil3UJDiPuC%2Bih9k5VFuT9xqM2Vjk%3D
Vulnerable Package
2 HIGH CVE-2026-27606 Npm-rollup-3.27.2
detailsRecommended version: 3.30.0
Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 6H%2FTlCPPe1oeyxNHUmk2uP1xm6nJY3fWdAnOxi%2B8%2FHI%3D
Vulnerable Package
3 HIGH CVE-2026-27606 Npm-rollup-3.26.3
detailsRecommended version: 3.30.0
Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: wG4pcydhaOGO3P934nfNDSb6HmUX0snVsBaiyoUCW7M%3D
Vulnerable Package
4 HIGH CVE-2026-27903 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: HnZ0ggWBhuenWpefma12uyuDBqodssEgqULT4Nit22I%3D
Vulnerable Package
5 HIGH CVE-2026-27904 Npm-minimatch-3.1.2
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 7VNdblxF9rEb4XXmrbBwgQ9r6IhZyZYP9%2B9kO0f2JOM%3D
Vulnerable Package
6 HIGH CVE-2026-33671 Npm-picomatch-2.3.1
detailsDescription: `picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: tBQ4dzJ%2BdvsqJ1WzU3cOXmo7asJy4KRyZjglEvbysfc%3D
Vulnerable Package
7 MEDIUM CVE-2026-27121 Npm-svelte-4.1.1
detailsRecommended version: 5.53.5
Description: svelte performance-oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to Cross-Site Scripting (XSS) during server-side rende...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: RuhxJJYkePZXda4f%2BJE9ffvY%2BoG2yX%2BfMdPf5ptvQLw%3D
Vulnerable Package
8 MEDIUM CVE-2026-27122 Npm-svelte-4.1.1
detailsRecommended version: 5.53.5
Description: svelte performance oriented web framework. Prior to 5.51.5, when using "<svelte:element this={tag}>" in server-side rendering, the provided tag nam...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: z8bB4xmlzzfeAZjf4fNG%2Bn%2FLSO2TM5j0fp5lPYd5Sx8%3D
Vulnerable Package
9 MEDIUM CVE-2026-27125 Npm-svelte-4.1.1
detailsRecommended version: 5.53.5
Description: svelte performance oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. <div {...attrs}>) enume...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: C0Q8q%2Ftfg5vBIioWUZzW2T%2F9qa5qivjec%2FZX4yKGOBU%3D
Vulnerable Package
10 MEDIUM CVE-2026-27901 Npm-svelte-4.1.1
detailsRecommended version: 5.53.5
Description: Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` el...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: ZWe9gWcjnqtDmgRGQ51OT%2BsYW%2BdLT%2B%2FmIWBPMMXf8nY%3D
Vulnerable Package
11 MEDIUM Privacy_Violation /compose/ui/ui/src/commonMain/kotlin/androidx/compose/ui/semantics/SemanticsProperties.kt: 1061 Attack Vector
12 MEDIUM Privacy_Violation /credentials/credentials/src/main/java/androidx/credentials/webauthn/PublicKeyCredentialCreationOptions.kt: 70 Attack Vector
13 MEDIUM Privacy_Violation /compose/foundation/foundation/src/commonMain/kotlin/androidx/compose/foundation/text2/BasicSecureTextField.kt: 330 Attack Vector
14 MEDIUM Privacy_Violation /compose/ui/ui/src/commonMain/kotlin/androidx/compose/ui/semantics/SemanticsProperties.kt: 1061 Attack Vector
15 MEDIUM Privacy_Violation /credentials/credentials/src/main/java/androidx/credentials/provider/CreateEntry.kt: 190 Attack Vector
16 MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm /room/room-compiler/src/main/kotlin/androidx/room/vo/SchemaIdentityKey.kt: 48 Attack Vector
17 MEDIUM Use_of_Hardcoded_Password /credentials/credentials-play-services-auth/src/main/java/androidx/credentials/playservices/controllers/CredentialProviderBaseController.kt: 73 Attack Vector

Fixed Issues (13) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
HIGH CVE-2024-12905 Npm-tar-fs-2.1.1
HIGH CVE-2024-37890 Npm-ws-8.9.0
HIGH CVE-2024-45296 Npm-path-to-regexp-0.1.7
HIGH CVE-2024-45590 Npm-body-parser-1.20.1
HIGH CVE-2024-52798 Npm-path-to-regexp-0.1.7
HIGH CVE-2025-48387 Npm-tar-fs-2.1.1
HIGH CVE-2025-59343 Npm-tar-fs-2.1.1
MEDIUM CVE-2024-29041 Npm-express-4.18.2
MEDIUM CVE-2024-43796 Npm-express-4.18.2
MEDIUM CVE-2024-43799 Npm-send-0.18.0
MEDIUM CVE-2024-43800 Npm-serve-static-1.15.0
MEDIUM CVE-2024-47764 Npm-cookie-0.5.0
MEDIUM CVE-2025-13466 Npm-body-parser-1.20.1

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants