Skip to content

security: remediate Snyk SCA findings (7 fixed, 0 documented)#2

Open
papalialuigi wants to merge 1 commit into
masterfrom
security/sca-remediation
Open

security: remediate Snyk SCA findings (7 fixed, 0 documented)#2
papalialuigi wants to merge 1 commit into
masterfrom
security/sca-remediation

Conversation

@papalialuigi

Copy link
Copy Markdown

Summary

Remediates all production-dependency (Snyk SCA) vulnerabilities in agentnet.
Scope: production dependencies only (snyk test, no --dev). Only package.json and package-lock.json were changed — no application source.

Critical High Medium Low License
Baseline 1 2 4 0 0
After 0 0 0 0 0

Final snyk test: no vulnerable paths found (92 dependencies tested). 7 unique findings fixed, 0 ignored, 0 documented residuals.

Fixed

Snyk ID CVE Package Fix Path (direct dep) Sev
SNYK-JS-FORMDATA-10841150 CVE-2025-7783 form-data 4.0.2 -> 4.0.6 override ^4.0.6 openai > @types/node-fetch Critical
SNYK-JS-JWS-14188253 CVE-2025-65945 jws 4.0.0 -> 4.0.1 override ^4.0.1 @google/genai > google-auth-library High
SNYK-JS-WS-17344547 CVE-2026-48779 ws 8.18.2 -> 8.21.0 override ^8.21.0 @google/genai High
SNYK-JS-FORMDATA-17337015 CVE-2026-12143 form-data 4.0.2 -> 4.0.6 override ^4.0.6 openai > @types/node-fetch Medium
SNYK-JS-WS-16722635 CVE-2026-45736 ws 8.18.2 -> 8.21.0 override ^8.21.0 @google/genai Medium
SNYK-JS-UUID-16133035 CVE-2026-41907 uuid 11.1.0 -> 11.1.1 (direct) bump ^11.1.1 uuid (direct) Medium
SNYK-JS-UUID-16133035 CVE-2026-41907 uuid 9.0.1 -> 11.1.1 (transitive) override uuid@9 -> ^11.1.1 @google/genai > google-auth-library > gaxios Medium
SNYK-JS-YAML-15765520 CVE-2026-33532 yaml 2.7.1 -> 2.9.0 bump ^2.8.3 yaml (direct) Medium

overrides added to package.json:

"overrides": {
  "form-data": "^4.0.6",
  "jws": "^4.0.1",
  "ws": "^8.21.0",
  "uuid@9": "^11.1.1"
}

uuid@9 is major-scoped because uuid 9.x (transitive via gaxios) and 11.x (direct) coexist in the lockfile; the direct dep is bumped to ^11.1.1 and the scoped override lifts the stale 9.x transitive to the same fixed line, unifying all uuid to 11.1.1.

.snyk ignores

None.

SECURITY.md (documented, unfixed)

None — every finding had a reachable fix.

Reviewer notes

  • No major version bumps of direct dependencies. Direct changes are patch/minor: uuid ^11.1.0 -> ^11.1.1, yaml ^2.7.1 -> ^2.8.3 (resolves 2.9.0).
  • Transitive uuid lifted across a major (9 -> 11) for gaxios (under @google/genai). uuid's named exports (v4, v1, etc.) are stable across v9->v11; the v10/v11 breaking changes were dropped deep import paths and Node baseline, which gaxios does not use. Validate in CI.
  • ws 8.18.2 -> 8.21.0, form-data 4.0.2 -> 4.0.6, jws 4.0.0 -> 4.0.1 are same-major transitive bumps under @google/genai and openai; low risk.
  • Smoke test: this is a plain-JS library with no build/type-check script. The test (jest) script is already broken on master independent of this PR — on a pristine origin/master checkout npm test fails to run with TypeError: Cannot read properties of undefined (reading 'prototype') (a jest ESM --experimental-vm-modules mock-harness issue), so it cannot serve as a smoke gate. No application source is touched by this PR; correctness is validated by the clean Snyk re-scan. Please rely on CI.

Do not merge without CI validation.

Co-Authored-By: Claude Opus 4.8 noreply@anthropic.com
Claude-Session: a89068a1-ce52-4fd1-a754-f714ba16eaf7

Remediate all 7 production-dependency vulnerabilities reported by Snyk
SCA (baseline: 1 critical, 2 high, 4 medium; 0 license issues).

Direct dependency bumps:
- uuid ^11.1.0 -> ^11.1.1  (SNYK-JS-UUID-16133035)
- yaml ^2.7.1  -> ^2.8.3   (SNYK-JS-YAML-15765520; resolves to 2.9.0)

Transitive pins via npm "overrides":
- form-data ^4.0.6 (SNYK-JS-FORMDATA-10841150 critical + SNYK-JS-FORMDATA-17337015 medium; via openai > @types/node-fetch)
- jws ^4.0.1       (SNYK-JS-JWS-14188253 high; via @google/genai > google-auth-library)
- ws ^8.21.0       (SNYK-JS-WS-17344547 high + SNYK-JS-WS-16722635 medium; via @google/genai)
- uuid@9 ^11.1.1   (SNYK-JS-UUID-16133035 medium; transitive 9.0.1 via gaxios; major-scoped because uuid 9.x and 11.x coexist)

Result: snyk test reports no vulnerable paths (92 deps tested). Only
package.json / package-lock.json changed; no application source touched.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: a89068a1-ce52-4fd1-a754-f714ba16eaf7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant