socket-security[bot]
commented
1 year ago Socket Security Pull Request Report
Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.
📜 Install scripts
Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.
Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
| Package | Script field | Source |
|---|---|---|
| hiredis@0.5.0 (added) | binding.gyp |
package.json via koa-middlewares@5.0.0, koa-redis@2.1.3 |
🫣 Native code
Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.
Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.
| Package | Location | Source |
|---|---|---|
| hiredis@0.5.0 (added) | binding.gyp | package.json via koa-middlewares@5.0.0, koa-redis@2.1.3 |
Pull request report summary
| Issue | Status |
|---|---|
| Install scripts | ⚠️ 1 issue |
| Native code | ⚠️ 1 issue |
| Bin script confusion | ✅ 0 issues |
| Bin script shell injection | ✅ 0 issues |
| Unresolved require | ✅ 0 issues |
| Invalid package.json | ✅ 0 issues |
| HTTP dependency | ✅ 0 issues |
| Git dependency | ✅ 0 issues |
| Potential typo squat | ✅ 0 issues |
| Known Malware | ✅ 0 issues |
| Telemetry | ✅ 0 issues |
| Protestware/Troll package | ✅ 0 issues |
Bot Commands
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2
@SocketSecurity ignore hiredis@0.5.0
Powered by socket.dev
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.
#### Changes included in this PR - Changes to the following files to upgrade the vulnerable dependencies to a fixed version: - package.json #### Vulnerabilities that will be fixed ##### With an upgrade: Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity :-------------------------:|-------------------------|:-------------------------|:-------------------------|:-------------------------  | **768/1000****Why?** Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 7.5 | Prototype Pollution
[SNYK-JS-QS-3153490](https://snyk.io/vuln/SNYK-JS-QS-3153490) | Yes | Proof of Concept (*) Note that the real score may have changed since the PR was raised.
Commit messages
Package name: koa-middlewares
The new version differs by 12 commits.- f49a6aa Release 5.0.0
- 34fc67b deps: update all dependencies
- 8e74e71 Release 4.1.0
- 94e51e8 bump dependencies
- fde10e5 Release 4.0.0
- 839a54a bump dependencies: koa-router@5
- edccf83 Release 3.1.0
- 8c6cb0d bump: koa-bodyparser
- ce743ed Release 3.0.1
- 1c762a2 bump bodyparser
- 8cb5e84 Release 3.0.0
- 47e67bc bump dependencies
See the full diff