
Conversation

@Amitkanswal (Contributor)

Changes - Snyk fixes with test case fixes

@Amitkanswal Amitkanswal requested a review from a team December 18, 2025 07:38
@@ -0,0 +1,2 @@
PR.registerLangHandler(PR.createSimpleLexer([["pln",/^[\t\n\f\r ]+/,null," \t\r\n "]],[["str",/^"(?:[^\n\f\r"\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*"/,null],["str",/^'(?:[^\n\f\r'\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*'/,null],["lang-css-str",/^url\(([^"')]*)\)/i],["kwd",/^(?:url|rgb|!important|@import|@page|@media|@charset|inherit)(?=[^\w-]|$)/i,null],["lang-css-kw",/^(-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*)\s*:/i],["com",/^\/\*[^*]*\*+(?:[^*/][^*]*\*+)*\//],["com",
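Review bot: the double-quoted string rule `/^"(?:[^\n\f\r"\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*"/` on this line has two alternatives that both accept a backslash followed by a newline (`\\(?:\r\n?|\n|\f)` and `\\[\S\s]`), and that overlap inside a `(...)*` is what lets an unterminated string of repeated `\\\n` backtrack exponentially, which is the CodeQL finding. Collapsing the escape branches into one whose first character decides the branch, e.g. `\\(?:\r\n?|[^\r])`, accepts exactly the same strings without the ambiguity. The `PR.registerLangHandler`/`PR.createSimpleLexer` calls identify this as a minified google-code-prettify `lang-css` handler, so the PR description should say where the file comes from and which version it is, otherwise the next update will reintroduce the pattern.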

Check failure: Code scanning / CodeQL: Inefficient regular expression (High)

This part of the regular expression may cause exponential backtracking on strings starting with '"' and containing many repetitions of '\\n'.

Copilot Autofix (AI, 7 days ago): Copilot could not generate an autofix suggestion for this alert.

@@ -0,0 +1,2 @@
PR.registerLangHandler(PR.createSimpleLexer([["pln",/^[\t\n\f\r ]+/,null," \t\r\n "]],[["str",/^"(?:[^\n\f\r"\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*"/,null],["str",/^'(?:[^\n\f\r'\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*'/,null],["lang-css-str",/^url\(([^"')]*)\)/i],["kwd",/^(?:url|rgb|!important|@import|@page|@media|@charset|inherit)(?=[^\w-]|$)/i,null],["lang-css-kw",/^(-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*)\s*:/i],["com",/^\/\*[^*]*\*+(?:[^*/][^*]*\*+)*\//],["com",
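Review bot: the single-quoted string rule `/^'(?:[^\n\f\r'\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*'/` has the same ambiguous escape handling as the double-quoted rule next to it: `\\(?:\r\n?|\n|\f)` and `\\[\S\s]` both match `\\\n`, so a long unterminated literal made of that pair is matched in 2^n ways before the engine gives up. Rewriting the escape part as `\\(?:\r\n?|[^\r])` keeps the accepted language and removes the overlap; both string rules should be changed together so that a regression test for one covers the other.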

Check failure: Code scanning / CodeQL: Inefficient regular expression (High)

This part of the regular expression may cause exponential backtracking on strings starting with ''' and containing many repetitions of '\\n'.

Copilot Autofix (AI, 7 days ago): Copilot could not generate an autofix suggestion for this alert.

@@ -0,0 +1,2 @@
PR.registerLangHandler(PR.createSimpleLexer([["pln",/^[\t\n\f\r ]+/,null," \t\r\n "]],[["str",/^"(?:[^\n\f\r"\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*"/,null],["str",/^'(?:[^\n\f\r'\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*'/,null],["lang-css-str",/^url\(([^"')]*)\)/i],["kwd",/^(?:url|rgb|!important|@import|@page|@media|@charset|inherit)(?=[^\w-]|$)/i,null],["lang-css-kw",/^(-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*)\s*:/i],["com",/^\/\*[^*]*\*+(?:[^*/][^*]*\*+)*\//],["com",
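Review bot: the witness CodeQL reports (a string starting with '_' followed by many '00') lands on the `lang-css-kw` rule `/^(-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*)\s*:/i`, whose repeated group nests `[\da-f]+ ?` (a `+` with an optional trailing space) inside an outer `*`. Reading the pattern, the digit run should only be reachable through `[\w-]` here, so before rewriting please confirm the alert against the unminified source (the escape branch is written `\\[\da-f]+` in the first group and `\\\\[\da-f]+` in the second, which looks like a minification inconsistency); if it reproduces, give each character of the identifier a single way to be consumed, for instance by excluding the backslash-escape prefix from the `[\w-]` branch.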

Check failure: Code scanning / CodeQL: Inefficient regular expression (High)

This part of the regular expression may cause exponential backtracking on strings starting with '_' and containing many repetitions of '00'.

Copilot Autofix (AI, 7 days ago): Copilot could not generate an autofix suggestion for this alert.

@@ -0,0 +1,2 @@
PR.registerLangHandler(PR.createSimpleLexer([["pln",/^[\t\n\f\r ]+/,null," \t\r\n "]],[["str",/^"(?:[^\n\f\r"\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*"/,null],["str",/^'(?:[^\n\f\r'\\]|\\(?:\r\n?|\n|\f)|\\[\S\s])*'/,null],["lang-css-str",/^url\(([^"')]*)\)/i],["kwd",/^(?:url|rgb|!important|@import|@page|@media|@charset|inherit)(?=[^\w-]|$)/i,null],["lang-css-kw",/^(-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*)\s*:/i],["com",/^\/\*[^*]*\*+(?:[^*/][^*]*\*+)*\//],["com",
/^(?:<\!--|--\>)/],["lit",/^(?:\d+|\d*\.\d+)(?:%|[a-z]+)?/i],["lit",/^#[\da-f]{3,6}/i],["pln",/^-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*/i],["pun",/^[^\s\w"']+/]]),["css"]);PR.registerLangHandler(PR.createSimpleLexer([],[["kwd",/^-?(?:[_a-z]|\\[\da-f]+ ?)(?:[\w-]|\\\\[\da-f]+ ?)*/i]]),["css-kw"]);PR.registerLangHandler(PR.createSimpleLexer([],[["str",/^[^"')]+/]]),["css-str"]);
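Review bot: the comment rule `/^(?:<\!--|--\>)/` only treats `-->` as the end of an HTML comment, while the HTML parsing algorithm also closes a comment at `--!>`, which is the CodeQL "Bad HTML filtering regexp" finding; `/^(?:<!--|--!?>)/` recognizes both (the `\!` and `\>` escapes are unnecessary and can go at the same time). In a syntax highlighter the consequence is a mis-tokenized stylesheet rather than a sanitizer bypass, so if this file is only used to colour displayed CSS the alert can be closed as not exploitable, but it should be dismissed with that reason recorded instead of left open.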

Check failure: Code scanning / CodeQL: Bad HTML filtering regexp (High)

This regular expression only parses --> and not --!> as a HTML comment end tag.

Copilot Autofix (AI, 7 days ago): Copilot could not generate an autofix suggestion for this alert.

} else if (self._type(source[key]) === 'array' && self._type(target[key]) === self._type(source[key])) {
target[key] = target[key].concat(source[key]);
} else {
target[key] = source[key];
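Review bot: the object branch above and the fallback `target[key] = source[key]` walk every own key of `source`, and `JSON.parse` of untrusted input produces an own key literally named `__proto__`, so `target['__proto__']` resolves to `Object.prototype`, passes the `=== 'object'` check and the recursion writes the attacker-controlled properties onto every object in the process (the CodeQL prototype-pollution finding). Skip `__proto__`, `constructor` and `prototype` at the top of the loop, and add a test case that merges `JSON.parse('{"__proto__":{"x":1}}')` into a plain object and then asserts `({}).x === undefined`, since the PR title says test cases are part of this change.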

Check warning: Code scanning / CodeQL: Prototype-polluting function (Medium)

Properties are copied from source to target without guarding against prototype pollution.

Copilot Autofix (AI, 7 days ago):

To fix this problem, we must ensure that dangerous prototype-polluting properties such as __proto__, constructor, and prototype are never merged into any object. This is best done by skipping those keys during the merge, ideally at the start of the loop in _mergeRecursive. Technically, the most common secure pattern is to block __proto__, constructor, and prototype as keys; some projects only block __proto__ and constructor, but for maximum safety, blocking all three is best.

The changes should be applied directly to the mergeDeep function, specifically inside the _mergeRecursive logic in lib/stack/utils.js.
No additional dependencies are required for this fix.


Suggested changeset 1: lib/stack/utils.js

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/lib/stack/utils.js b/lib/stack/utils.js
--- a/lib/stack/utils.js
+++ b/lib/stack/utils.js
@@ -43,6 +43,10 @@
   const _mergeRecursive = (anotherTarget, source) => {
     const target = anotherTarget;
     Object.keys(source).forEach((key) => {
+      // Prevent prototype pollution
+      if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+        return;
+      }
       if (self._type(source[key]) === 'object' && self._type(target[key]) === self._type(source[key])) {
         _mergeRecursive(target[key], source[key]);
       } else if (self._type(source[key]) === 'array' && self._type(target[key]) === self._type(source[key])) {
EOF
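Review bot: the guard is in the right place (before any read of `source[key]` or `target[key]`) and `return` inside `forEach` correctly skips just that key, but the changeset adds no regression test, so a later refactor of `_mergeRecursive` can drop the three-line check without anything failing; add a test that passes `JSON.parse('{"__proto__":{"polluted":true}}')` through `mergeDeep` and asserts `Object.prototype.polluted` is still undefined afterwards. Also note in the function's doc comment that plain data keys named `constructor` or `prototype` are now silently dropped, since callers merging arbitrary JSON may otherwise be surprised.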
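To make the finding and the fix concrete, here is an added example (not code from the PR or from the project) that puts the unguarded recursive merge of the shape CodeQL flags beside the guarded version and runs both against a constructed JSON payload. The `typeOf` helper stands in for the project's `self._type` and is an assumption about its behaviour; `mergeRecursive`, `runDemo` and `PAYLOAD_JSON` are names invented for this example.

```javascript
// Added example, not the project's code. `typeOf` is an assumed stand-in for the
// project's `self._type` helper: it returns 'object', 'array', 'boolean', ...
function typeOf(value) {
  return Object.prototype.toString.call(value).slice(8, -1).toLowerCase();
}

// Keys that must never be merged: assigning or recursing into them reaches the
// prototype chain of the target instead of the target itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The merge loop from the alert. With guarded === false it behaves like the
// flagged code; with guarded === true it applies the autofix's key check.
function mergeRecursive(target, source, guarded) {
  Object.keys(source).forEach((key) => {
    if (guarded && BLOCKED_KEYS.has(key)) return; // the fix: skip dangerous keys
    if (typeOf(source[key]) === 'object' && typeOf(target[key]) === typeOf(source[key])) {
      // Unguarded, key === '__proto__' lands here: target['__proto__'] is
      // Object.prototype, so the recursion writes into it.
      mergeRecursive(target[key], source[key], guarded);
    } else if (typeOf(source[key]) === 'array' && typeOf(target[key]) === typeOf(source[key])) {
      target[key] = target[key].concat(source[key]);
    } else {
      target[key] = source[key];
    }
  });
  return target;
}

// Constructed payload (not from the page). JSON.parse creates an *own* property
// literally named "__proto__", which Object.keys() enumerates like any other key.
const PAYLOAD_JSON = '{"name":"demo","__proto__":{"polluted":true}}';

// Runs one merge and reports whether an unrelated object picked up the
// injected property, i.e. whether Object.prototype was polluted.
function runDemo(guarded) {
  const probe = {}; // never touched by the merge; only its prototype chain matters
  const result = mergeRecursive({ name: 'base' }, JSON.parse(PAYLOAD_JSON), guarded);
  const polluted = probe.polluted === true;
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected
  return { name: result.name, polluted };
}

// runDemo(false) -> { name: 'demo', polluted: true }
// runDemo(true)  -> { name: 'demo', polluted: false }
```

The same two calls, with the `guarded` flag hard-wired, are what a regression test for `mergeDeep` should look like: feed the parsed payload through the real function and assert that a fresh `{}` has no `polluted` property afterwards.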
@dlinx dlinx changed the base branch from develop to master December 18, 2025 12:15
@dlinx dlinx closed this Dec 19, 2025