Security Audit & Remediation: example-apps/tip-splitter/app#139
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.
Code Review
This pull request introduces an automated verification script audit_verify.mjs for the tip-splitter application and updates several dependencies in package.json and package-lock.json, notably upgrading next to ^15.5.19 and postcss to ^8.5.10, removing patch-package, and adding overrides for postcss and uuid. Feedback on the verification script points out that directly referencing crypto.randomUUID can throw a ReferenceError in certain Node.js environments, suggesting the use of optional chaining on globalThis.crypto instead.
```js
console.log('Running automated manual verification for tip-splitter...');
// Validate Node environment built-ins
assert.strictEqual(typeof fetch, 'function', 'Global fetch built-in should exist');
assert.strictEqual(typeof crypto.randomUUID, 'function', 'crypto.randomUUID built-in should exist');
```
Accessing crypto.randomUUID directly will throw a ReferenceError: crypto is not defined in Node.js environments where crypto is not globally bound (such as Node.js versions prior to 19). To safely check for the existence of the global crypto.randomUUID built-in without throwing a ReferenceError, use optional chaining on globalThis.crypto.
Current line:

```js
assert.strictEqual(typeof crypto.randomUUID, 'function', 'crypto.randomUUID built-in should exist');
```

Suggested change:

```js
assert.strictEqual(typeof globalThis.crypto?.randomUUID, 'function', 'crypto.randomUUID built-in should exist');
```
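Review bot: of the two built-in checks only the `crypto.randomUUID` line can throw, because `typeof` applied to the bare identifier `fetch` evaluates to 'undefined' without error, whereas `crypto.randomUUID` dereferences the unbound `crypto` before `typeof` runs; the suggested `globalThis.crypto?.randomUUID` form turns that into an ordinary failed assertion on runtimes without a global `crypto`, which is the failure mode the script is meant to report, so the assertion message should stay as it is.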
Node versions < 20 are no longer supported
Security Audit & Remediation: example-apps/tip-splitter/app
A. Previous CVEs

- next vulnerabilities including RCE and DoS: GHSA-g5qg-72qw-gw5v, GHSA-xv57-4mr9-wg8v, GHSA-4342-x723-ch2f, GHSA-223j-4rm8-mrmf, GHSA-9qr9-h5gf-34mp, GHSA-w37m-7fhw-fmv9, GHSA-mwv6-3258-q52c, GHSA-9g9p-9gw9-jx7f, GHSA-h25m-26qc-wcjf, GHSA-ggv3-7p47-pfv8, GHSA-3x4c-7xq6-9pq8, GHSA-q4gf-8mx6-v5v3, GHSA-8h8q-6873-q5fj, GHSA-26hh-7cqf-hhc6, GHSA-3g8h-86w9-wvmq, GHSA-ffhc-5mcf-pf4q, GHSA-vfv6-92ff-j949, GHSA-gx5p-jg67-6x7h, GHSA-mg66-mrh9-m8jx, GHSA-h64f-5h5j-jqjh, GHSA-c4j6-fc7j-m34r, GHSA-wfc6-r584-vfw7, GHSA-267c-6grr-h53f, GHSA-36qx-fr4f-26g5.
- postcss (GHSA-qx2v-qp2m-jg93 - Severity: moderate)
- uuid (GHSA-w5hq-g745-h8pq - Severity: moderate)

B. Changes Made

- next to ^15.5.19 (resolving next CVEs)
- postcss to ^8.5.10
- overrides for postcss and uuid to pin safe versions
- patch-package removed
- automated verification script added (audit_verify.mjs)

C. Remaining CVEs

@babel/runtime, @grpc/grpc-js, @opentelemetry/core, @opentelemetry/sdk-node, protobufjs, @tootallnate/once, @trpc/server, ajv, axios, brace-expansion, esbuild, fast-uri, follow-redirects, form-data, glob, handlebars, js-yaml, jws, lodash, minimatch, path-to-regexp, picomatch, qs, tmp, and yaml.

D. Introduced CVEs

E. Testing Strategy

Automated verification script (node example-apps/tip-splitter/app/audit_verify.mjs) - 100% passing.
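The review thread above is about checking global built-ins without a ReferenceError, and the testing strategy runs the PR's verification script. As an added example that is not the PR's audit_verify.mjs and not code from the tip-splitter project, here is a dependency-free script applying the same kinds of checks: the Node major version (the thread says < 20 is unsupported), the `fetch` and `crypto.randomUUID` globals read through `globalThis` with optional chaining, and the manifest changes listed under B (next and postcss floors, overrides for postcss and uuid, no remaining patch-package). The two package.json documents and the names `MIN_NODE_MAJOR`, `REQUIRED_MINIMUMS` and `REQUIRED_OVERRIDES` are constructed for this example.

```javascript
// Added example, not the PR's audit_verify.mjs: a dependency-free verification
// script mirroring the checks discussed in the review thread and PR description.

// Constructed sample manifests (not the real tip-splitter package.json).
const REMEDIATED_PACKAGE_JSON = JSON.stringify({
  name: "tip-splitter",
  dependencies: { next: "^15.5.19", postcss: "^8.5.10", uuid: "^9.0.1" },
  overrides: { postcss: "^8.5.10", uuid: "^9.0.1" },
});
const PRE_FIX_PACKAGE_JSON = JSON.stringify({
  name: "tip-splitter",
  dependencies: { next: "^15.0.0", postcss: "^8.4.0", uuid: "^9.0.1" },
  devDependencies: { "patch-package": "^8.0.0" },
});

// Expectations taken from the PR description; the constant names are assumed.
const MIN_NODE_MAJOR = 20;
const REQUIRED_MINIMUMS = { next: "15.5.19", postcss: "8.5.10" };
const REQUIRED_OVERRIDES = ["postcss", "uuid"];

// Extract the first x.y.z triple from a range spec such as "^15.5.19" or ">=8.5.10".
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(spec ?? ""));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// `typeof fetch` never throws (typeof on an unresolved identifier is safe), but
// `crypto.randomUUID` dereferences `crypto` first and throws a ReferenceError
// where it is not bound. Reading through the global object with optional
// chaining turns both checks into plain booleans.
function checkBuiltins(g = globalThis) {
  return {
    fetch: typeof g.fetch === "function",
    randomUUID: typeof g.crypto?.randomUUID === "function",
  };
}

// The thread states Node < 20 is unsupported, so refuse older majors.
function checkNodeVersion(version = process.versions.node) {
  const major = Number(String(version).split(".")[0]);
  return { major, ok: Number.isInteger(major) && major >= MIN_NODE_MAJOR };
}

// Verify the manifest reflects the remediation: version floors, overrides
// pinning transitive postcss/uuid, and no remaining patch-package dependency.
function checkManifest(jsonText) {
  const pkg = JSON.parse(jsonText);
  const deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  const failures = [];
  for (const [name, floor] of Object.entries(REQUIRED_MINIMUMS)) {
    const declared = parseVersion(deps[name]);
    if (!declared) failures.push(`${name}: not declared`);
    else if (compareVersions(declared, parseVersion(floor)) < 0)
      failures.push(`${name}: ${deps[name]} is below ${floor}`);
  }
  for (const name of REQUIRED_OVERRIDES) {
    if (!pkg.overrides?.[name]) failures.push(`${name}: no override pinning a safe version`);
  }
  if ("patch-package" in deps) failures.push("patch-package: still declared");
  return { ok: failures.length === 0, failures };
}

// Run every check and return the combined report rather than only printing it.
function runAudit(jsonText = REMEDIATED_PACKAGE_JSON, g = globalThis) {
  const node = checkNodeVersion();
  const builtins = checkBuiltins(g);
  const manifest = checkManifest(jsonText);
  const ok = node.ok && builtins.fetch && builtins.randomUUID && manifest.ok;
  return { ok, node, builtins, manifest };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

Run it with `node` on a supported version and `ok` is true for the remediated manifest; feeding it `PRE_FIX_PACKAGE_JSON` instead lists every unmet expectation (both version floors, both missing overrides, and the leftover patch-package) so a CI job can fail with a readable reason. A production script would additionally set a non-zero exit code when `ok` is false.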