Update test_file.txt
Snyk actions
… package-lock.json
This PR is being reviewed by Cursor Bugbot
| "typeorm": "^0.2.24", | ||
| "validator": "^13.5.2" | ||
| "validator": "^13.5.2", | ||
| "form-data": "1.0.1" |
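Review bot: form-data is added with an exact pin ("form-data": "1.0.1") while the neighbouring entries ("typeorm": "^0.2.24", "validator": "^13.5.2") use caret ranges, and nothing in a PR titled "Update test_file.txt" says what imports it. Before this lands, confirm a direct import of form-data exists in the codebase; if none does, drop the line, because the Bugbot comment on this hunk already notes that request resolves form-data ~2.3.2, so an explicit 1.x entry only forces a second, older copy into node_modules and into the package-lock.json change that ships with this PR. If it is needed, state why in the description and use a range consistent with the other entries.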
Bug: Dependency Hell: Form-Data Version Incompatibility
Adding form-data version 1.0.1 as a direct dependency conflicts with the request package's dependency on form-data ~2.3.2. This major version downgrade (from 2.x to 1.x) will cause npm to install two different versions of form-data, potentially leading to unexpected behavior, increased bundle size, and API incompatibilities since version 1.0.1 is significantly older and has different APIs than 2.3.x.
| iug9W+Di3upLf0UMC1TqADGphsIHRU7RbmHQ8Rwp7dogswmDfpRSapPt9p0D+6Ad5VBzi3 | ||
| f3BPXj76UBLMEJCrZR1P28vnAA7AyNHaLvMPlWDMG5v3V/UV+ugyFcoBAOyjiQgYST8F3e | ||
| Hx7UPVlTK8dyvk1Z+Yw0nrfNClI= | ||
| -----END OPENSSH PRIVATE KEY----- |
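Review bot: this hunk ends with -----END OPENSSH PRIVATE KEY-----, so an unencrypted private key is now part of this branch's history whether or not the PR is merged, and the same holds for the Clockify, AbuseIPDB and Bulbul API keys and the basic-auth credentials called out in the comment on this hunk. Treat all of them as compromised: rotate the SSH key and the API keys now, remove the key, fake.aws.file and the other credential files from the branch and rewrite its history before merging, and add a secret-scanning pre-commit or CI check so a regenerated key cannot be re-committed. Since the PR also deletes the CodeQL and Snyk workflows, that check has to come back before this repository has any automated gate left.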
Bug: Repository Compromise: Sensitive Data Exposed
Multiple API keys (Clockify, AbuseIPDB, Bulbul), basic auth credentials, and an OpenSSH private key have been committed to the repository. These sensitive credentials should never be stored in version control as they become permanently accessible in git history and pose a significant security risk.
| "dustjs-helpers": "1.5.0", | ||
| "dustjs-linkedin": "2.5.0", | ||
| "ejs": "1.0.0", | ||
| "ejs": "0.8.8", |
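Review bot: the ejs entry goes from "1.0.0" to "0.8.8", an exact pin on an older 0.x release, with no rationale anywhere in the PR. The neighbouring dustjs-helpers and dustjs-linkedin entries are already exact pins, so this file fixes its template engines at specific releases on purpose; moving one of them backwards should be reverted, or the description should name the API the older version is needed for. Check the matching package-lock.json hunk too, since the summary says it was regenerated for this change.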
EJS downgraded to older vulnerable version
The ejs package is being downgraded from version 1.0.0 to 0.8.8. The package metadata explicitly warns "Critical security bugs fixed in 2.5.5", meaning both versions have known security vulnerabilities, but 0.8.8 is an even older version. This increases exposure to remote code execution and other template injection vulnerabilities in ejs.
Note
Removes CI/workflow config and exploit samples, adjusts deps, and adds test/keys files.
Removed: .github/CODEOWNERS and workflows (codeql-analysis.yml, snyk-code*.yml, snyk-test-sarif.yml), exploits/scripts/assets and tests/authentication.component.spec.js
Dependencies: ejs downgraded to 0.8.8, adds form-data@1.0.1; updates package-lock.json accordingly
Added: fake.aws.file, jit_secret_test_tile.py, keys, test_file.txt
Written by Cursor Bugbot for commit 85c62c0.