
fix(security): patch express-rate-limit and socket.io-parser high-severity vulnerabilities#36

Closed
lupita-hom wants to merge 1 commit intomainfrom
security/auto-fix-2026-03-18

Conversation

@lupita-hom
Collaborator

🔒 Automated Security Scan — March 18, 2026

Vulnerabilities Fixed (2 high)

| Package | Severity | Issue |
|---|---|---|
| express-rate-limit 8.2.0–8.2.1 | 🔴 High | IPv4-mapped IPv6 addresses bypass per-client rate limiting (GHSA-46wh-pxpv-q5gq) |
| socket.io-parser 4.0.0–4.2.5 | 🔴 High | Unbounded binary attachments DoS (GHSA-677m-j7p3-52f9) |

Code Review

Manual review of the following files found no additional vulnerabilities:

  • server/server.js — CORS, rate limiting, helmet, error handling ✅
  • server/src/middleware/socket.js — Socket.IO CORS origin validation ✅
  • server/src/middleware/github.js — Webhook signature verification (timingSafeEqual) ✅
  • server/src/utils/githubAuth.js — GitHub App auth, no credential leaks ✅
  • server/src/config/db.js — DB config with production enforcement ✅
  • docker-compose.yml — Secrets via env vars, MongoDB not exposed to host ✅
  • .env.example — Placeholder values only, no real secrets ✅

Applied via npm audit fix. No breaking changes.

…erity vulnerabilities

- express-rate-limit 8.2.0-8.2.1: IPv4-mapped IPv6 addresses bypass per-client rate limiting (GHSA-46wh-pxpv-q5gq)
- socket.io-parser 4.0.0-4.2.5: unbounded binary attachments (GHSA-677m-j7p3-52f9)

Applied via npm audit fix. Code review of server.js, socket.js, github.js, githubAuth.js, db.js, docker-compose.yml, and .env.example found no additional vulnerabilities.
@github-actions

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 2 packages with OpenSSF Scorecard issues.
See the Details below.

OpenSSF Scorecard

| Package | Version | Score |
|---|---|---|
| npm/debug | 4.4.3 | ⚠️ 2.6 |
| npm/express-rate-limit | 8.3.1 | Unknown |
| npm/ip-address | 10.1.0 | ⚠️ 2.5 |
| npm/socket.io-parser | 4.2.6 | 🟢 6.4 |

Details for npm/debug 4.4.3

| Check | Score | Reason |
|---|---|---|
| Code-Review | 🟢 3 | Found 11/30 approved changesets -- score normalized to 3 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Maintained | ⚠️ 1 | 1 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 1 |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Details for npm/express-rate-limit 8.3.1: Unknown (no Scorecard data available)

Details for npm/ip-address 10.1.0

| Check | Score | Reason |
|---|---|---|
| Maintained | ⚠️ 0 | 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Dangerous-Workflow | ⚠️ -1 | no workflows found |
| Code-Review | ⚠️ 1 | Found 4/28 approved changesets -- score normalized to 1 |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Token-Permissions | ⚠️ -1 | No tokens found |
| Pinned-Dependencies | ⚠️ -1 | no dependencies found |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Details for npm/socket.io-parser 4.2.6

| Check | Score | Reason |
|---|---|---|
| Code-Review | ⚠️ 1 | Found 4/30 approved changesets -- score normalized to 1 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Security-Policy | 🟢 10 | security policy file detected |
| Maintained | 🟢 10 | 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 |
| Token-Permissions | 🟢 9 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Binary-Artifacts | 🟢 9 | binaries present in source code |
| License | 🟢 10 | license file detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Packaging | 🟢 10 | packaging workflow detected |
| Pinned-Dependencies | ⚠️ 1 | dependency not pinned by hash detected -- score normalized to 1 |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • server/package-lock.json

@lupita-hom
Collaborator Author

Closing — superseded by PR #37 which included this fix along with broader security patches.

@lupita-hom lupita-hom closed this Mar 24, 2026
@lupita-hom lupita-hom deleted the security/auto-fix-2026-03-18 branch March 24, 2026 16:30