The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-14724253
Pull request overview
This PR fixes a high-severity security vulnerability (SNYK-JS-QS-14724253, score 828) related to "Allocation of Resources Without Limits or Throttling" in the qs package, which is a transitive dependency. The fix requires updating multiple packages that depend on qs.
Key Changes:
- Updates body-parser from 1.18.3 to 1.20.4 to resolve the qs vulnerability
- Updates express from 4.17.1 to 4.22.0 for compatibility and security
- Updates juice, node-gcm, and turndown with major version bumps to maintain compatibility
| "bcrypt": "^5.0.0", | ||
| "blockstack": "19.3.0", | ||
| "body-parser": "1.18.3", | ||
| "body-parser": "1.20.4", |
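Review bot: the bump on the `"body-parser": "1.20.4"` line only closes SNYK-JS-QS-14724253 if the transitive qs that actually gets installed moves to a fixed release, and the Snyk summary below lists package.json as the only changed file; the lockfile should be regenerated in this same PR and the resolved qs version confirmed (for example with `npm ls qs`) before merging, otherwise `npm ci` keeps installing the old qs and the upgrade is cosmetic.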
The version specifier for body-parser has been updated without a caret (^) prefix, which means it will only accept exactly version 1.20.4. This is inconsistent with most other dependencies in this file which use caret ranges to allow minor and patch updates. Consider changing to ^1.20.4 to allow automatic security and bug fix updates within the 1.x version range.
| "body-parser": "1.20.4", | |
| "body-parser": "^1.20.4", |
| "nats": "^1.4.8", | ||
| "node-dogstatsd": "^0.0.7", | ||
| "node-gcm": "0.14.4", | ||
| "node-gcm": "1.1.0", |
The version specifier for node-gcm has been updated without a caret (^) prefix, which means it will only accept exactly version 1.1.0. This is inconsistent with most other dependencies in this file which use caret ranges to allow minor and patch updates. Consider changing to ^1.1.0 to allow automatic security and bug fix updates within the 1.x version range.
| "node-gcm": "1.1.0", | |
| "node-gcm": "^1.1.0", |
| "jschardet": "^1.6.0", | ||
| "jsrsasign": "^8.0.24", | ||
| "juice": "^5.2.0", | ||
| "juice": "^7.0.0", |
This update involves a major version jump from 5.x to 7.x, skipping version 6 entirely. Major version updates typically include breaking changes that may affect functionality. It's recommended to review the CHANGELOG and migration guides for juice versions 6.0.0 and 7.0.0 to ensure compatibility with your current usage, particularly around CSS inlining behavior and API changes.
| "juice": "^7.0.0", | |
| "juice": "^5.0.0", |
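Review bot: the suggested replacement `"juice": "^5.0.0"` does more than revert the 5.x to 7.x upgrade; it also lowers the floor below the `^5.2.0` the file had before this PR. If the intent is to keep juice on 5.x, the suggestion should read `^5.2.0`; if the major bump is the one the overview says is needed to maintain compatibility with the body-parser and express upgrades, the suggestion should be withdrawn rather than applied.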
| "nats": "^1.4.8", | ||
| "node-dogstatsd": "^0.0.7", | ||
| "node-gcm": "0.14.4", | ||
| "node-gcm": "1.1.0", |
This update involves a major version jump from 0.x to 1.x. Major version updates typically include breaking changes. Note that node-gcm is a deprecated library (Google Cloud Messaging has been deprecated in favor of Firebase Cloud Messaging). Consider migrating to a modern Firebase Cloud Messaging library in the future to avoid using deprecated services.
| "node-gcm": "1.1.0", | |
| "node-gcm": "^0.14.0", |
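Review bot: this suggestion (`"node-gcm": "^0.14.0"`) contradicts the earlier suggestion on the same line, which proposed `^1.1.0`; the two cannot both be applied, and going back to 0.14.x undoes the bump the overview lists as needed to maintain compatibility. One of the two suggestions should be dropped: either keep the 1.x range with a caret, or state which dependency conflict the 0.14.x range is meant to avoid.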
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.