So, recently I have been testing and using snyk to scan all Docker images I build using Wappler to see if there are vulnerabilities that are introduced from other packages' dependencies in any of the Node.js projects that I am using Wappler to spin up and test.
Here are some screenshots of the snyk report and I was wondering if these findings are something that the Wappler team can speak to or keep an eye out for, when fixes are available or how to protect against?
…
…
As I continue to add more dependencies to this image and rebuild it and scan it I will report back here with screenshots, but for now I just want to see how significant these findings are. Looking forward to hearing if this is something I should be worrying about.
Thank you for taking the time to upload and share all of these.
I’m curious if Snyk understands the JS execution context when it flags these - especially the ones in the second post.
My own Snyk results were similar on a test run and some of the flags seemed to be protected or somewhat unlikely to be a problem given the context of the specific functions.
So, Snyk has suggested a fix for the SQL injection vulnerability for the package.json (connect-session-knex and knex) dependencies. They suggest a version update for those dependencies.
My question is, if I go ahead and update the dependency versions in my test project, will it cause any significant breakage of functionality?
I have found this useful to ‘force’ patch package vulnerabilities, but of course it could break stuff…
“You can now specify an overrides property in your package.json to override and enforce nested dependency versions.”