Update dependency findup-sync to v4 #54

Open: wants to merge 1 commit into base: master
Conversation

mend-for-github-com[bot]

This PR contains the following updates:

Package     | Type         | Update | Change
findup-sync | dependencies | major  | 2.0.0 -> 4.0.0

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity | CVSS Score | CVE
Medium   | 5.3        | CVE-2024-4067

Release Notes

gulpjs/findup-sync (findup-sync)

v4.0.0


Breaking
  • Drop support for node <8 (4e46134)
Upgrade
  • Update micromatch & devDeps (b926b21)
Build
  • Ignore fixtures directory when linting (35cd0a2)
  • Disable npm audit (3cee51e)
Scaffold

v3.0.0


Upgrade
  • Update is-glob and normalize-path (73312e6)
Scaffold


@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by Mend label Feb 25, 2025

New, updated, and removed dependencies detected.

Package | New capabilities | Transitives | Size | Publisher
npm/@cyclonedx/cyclonedx-npm@1.20.0 | environment, filesystem, shell; transitive: eval | +7 | 5.59 MB | cyclonedx-automation
npm/@istanbuljs/nyc-config-typescript@1.0.2 | None | +1 | 23.3 kB | oss-bot
npm/@types/chai-as-promised@7.1.8 | None | 0 | 26.1 kB | types
npm/@types/chai@4.3.20 | None | 0 | 82.2 kB | types
npm/@types/clarinet@0.12.3 | None | 0 | 6.73 kB | types
npm/@types/compression@1.7.5 | None | 0 | 10.9 kB | types
npm/@types/config@3.3.5 | None | 0 | 8.67 kB | types
npm/@types/cookie-parser@1.4.8 | None | 0 | 5.73 kB | types
npm/@types/cross-spawn@6.0.6 | None | 0 | 4.85 kB | types
npm/@types/cypress@1.1.6 | None | 0 | 1.71 kB | types
npm/@types/download@8.0.5 | transitive: filesystem, network | +20 | 348 kB | types
npm/@types/errorhandler@1.5.3 | None | 0 | 4.83 kB | types
npm/@types/exif@0.6.5 | None | 0 | 9.78 kB | types
npm/@types/express-jwt@6.0.4 | None | +2 | 15.7 kB | types
npm/@types/frisby@2.0.17 | None | +1 | 7.22 kB | types
npm/@types/fs-extra@9.0.13 | None | 0 | 27.9 kB | types
npm/@types/glob@7.2.0 | None | +1 | 19.1 kB | types
npm/@types/graceful-fs@4.1.9 | None | 0 | 3.9 kB | types
npm/@types/i18n@0.12.0 | None | 0 | 19.3 kB | types
npm/@types/jest@26.0.24 | None | 0 | 71.7 kB | types
npm/@types/js-yaml@3.12.10 | None | 0 | 8.22 kB | types
npm/@types/jsonwebtoken@8.5.9 | None | 0 | 13.8 kB | types
npm/@types/jws@3.2.10 | None | 0 | 7.61 kB | types
npm/@types/mocha@8.2.3 | None | 0 | 94 kB | types
npm/@types/morgan@1.9.9 | None | 0 | 13.9 kB | types
npm/@types/multer@1.4.12 | None | 0 | 16.5 kB | types
npm/@types/on-finished@2.3.4 | None | 0 | 3.57 kB | types
npm/@types/pdfkit@0.10.6 | None | 0 | 21.3 kB | types
npm/@types/portscanner@2.1.4 | None | 0 | 5.3 kB | types
npm/@types/pug@2.0.10 | None | 0 | 9.7 kB | types
npm/@types/request@2.48.12 | transitive: filesystem, network | +19 | 341 kB | types
npm/@types/sanitize-html@1.27.2 | transitive: network | +7 | 330 kB | types
npm/@types/sequelize@4.28.20 | None | +3 | 1.18 MB | types
npm/@types/sinon-chai@3.2.12 | None | 0 | 6.53 kB | types
npm/@types/sinon@10.0.20 | None | +1 | 93 kB | types
npm/@types/socket.io@2.1.13 | None | +2 | 47.9 kB | types
npm/@types/swagger-ui-express@4.1.8 | None | +4 | 34.6 kB | types
npm/@types/unzipper@0.10.10 | None | 0 | 6.16 kB | types
npm/@types/validator@13.12.2 | None | 0 | 73.2 kB | types
npm/chai-as-promised@7.1.2 | None | +2 | 51.3 kB | chaijs
npm/chai@4.5.0 | None | +4 | 798 kB | chaijs
npm/check-dependencies@1.1.1 | filesystem, shell; transitive: environment | +12 | 275 kB | mgol
npm/check-internet-connected@2.0.6 | network; transitive: environment, eval, unsafe | +1 | 636 kB | aankur
npm/clarinet@0.12.6 | environment | 0 | 34.8 kB | evan-king
npm/concurrently@5.3.0 | environment | +9 | 7.06 MB | gustavohenke
npm/config@3.3.12 | environment, filesystem | 0 | 94.4 kB | lorenwest
npm/cookie-parser@1.4.7 | None | +2 | 40.3 kB | ulisesgascon
npm/cypress@13.17.0 | transitive: environment, eval, filesystem, network, shell, unsafe | +68 | 11.7 MB | cypress-npm-publisher
npm/dottie@2.0.6 | None | 0 | 10.4 kB | mickhansen
npm/download@8.0.0 | environment, filesystem; transitive: eval, network | +36 | 458 kB | sindresorhus
npm/errorhandler@1.5.1 | environment, filesystem | +3 | 63 kB | dougwilson
npm/ethers@6.13.5 (was npm/ethers@5.7.2) | network | +5 | 18.2 MB | ricmoo
npm/exif@0.6.0 | filesystem | 0 | 7.89 MB | oeuillot
npm/express-ipfilter@1.3.2 | None | +1 | 30.3 kB | jetersen
npm/express-jwt@0.1.3 | None | +1 | 22.3 kB | jfromaniello
npm/express-rate-limit@5.5.1 | None | 0 | 22.1 kB | nfriedly
npm/express-robots-txt@0.4.1 | filesystem | 0 | 173 kB | modosc
npm/express-security.txt@2.0.0 | None | 0 | 4.02 kB | gergelyke
npm/feature-policy@0.5.0 | None | 0 | 10.5 kB | evanhahn
npm/file-stream-rotator@0.5.7 | filesystem | +1 | 4.4 MB | rogerc
npm/file-type@16.5.4 | eval | 0 | 76.7 kB | sindresorhus
npm/filesniffer@1.0.3 | filesystem; transitive: environment, eval, unsafe | +11 | 11 MB | nspragg
npm/finale-rest@1.2.2 | transitive: environment, eval, unsafe | +2 | 751 kB | tommybananas
npm/findup-sync@4.0.0 | filesystem | +5 | 96.9 kB | phated
npm/fs-extra@9.1.0 (was npm/fs-extra@8.1.0) | None | +1 | 132 kB | ryanzim
npm/fuzzball@1.4.0 | None | +1 | 746 kB | nbkap
npm/grunt-cli@1.5.0 | transitive: environment, filesystem, shell | +4 | 40 kB | vladikoff
npm/grunt-contrib-compress@1.6.0 | filesystem; transitive: environment, shell | +14 | 2.71 MB | vladikoff
npm/grunt-replace-json@0.1.0 | None | 0 | 4.42 kB | exo-dev
npm/grunt@1.6.1 | transitive: environment, filesystem, shell | +29 | 1.42 MB | vladikoff
npm/hashids@2.3.0 | None | 0 | 137 kB | niieani
npm/hbs@4.2.0 | filesystem | +2 | 2.78 MB | dougwilson
npm/helmet@4.6.0 | None | 0 | 73.8 kB | evanhahn
npm/html-entities@1.4.0 (was npm/html-entities@2.5.2) | None | 0 | 68.6 kB | mdevils
npm/http-server@0.12.3 | filesystem, network; transitive: environment | +7 | 793 kB | thornjad
npm/i18n@0.11.1 | filesystem; transitive: environment | +1 | 390 kB | mashpie

🚮 Removed packages: npm/@angular-builders/custom-webpack@15.0.0, npm/@angular-devkit/build-angular@15.2.11, npm/@angular-eslint/builder@0.8.0-beta.7, npm/@angular-material-extensions/password-strength@6.0.0, npm/@angular/animations@15.2.10, npm/@angular/cdk@14.2.7, npm/@angular/cli@15.2.11, npm/@angular/common@15.2.10, npm/@angular/compiler-cli@15.2.10, npm/@angular/compiler@15.2.10, npm/@angular/core@15.2.10, npm/@angular/flex-layout@10.0.0-beta.32, npm/@angular/forms@15.2.10, npm/@angular/http@8.0.0-beta.10, npm/@angular/language-service@15.2.10, npm/@angular/material@14.2.7, npm/@angular/platform-browser-dynamic@15.2.10, npm/@angular/platform-browser@15.2.10, npm/@angular/router@15.2.10, npm/@ctrl/ngx-codemirror@6.1.0, npm/@cyclonedx/webpack-plugin@3.17.0, npm/@fortawesome/fontawesome-svg-core@1.2.36, npm/@fortawesome/free-brands-svg-icons@5.15.4, npm/@fortawesome/free-regular-svg-icons@5.15.4, npm/@fortawesome/free-solid-svg-icons@5.15.4, npm/@nguniversal/express-engine@10.0.1, npm/@ngx-translate/core@13.0.0, npm/@ngx-translate/http-loader@6.0.0, npm/@types/file-saver@2.0.7, npm/@types/jasminewd2@2.0.13, npm/@types/jwt-decode@2.2.1, npm/@typescript-eslint/eslint-plugin-tslint@6.21.0, npm/@wagmi/core@0.5.8, npm/anuglar2-qrcode@2.0.9998, npm/canvas-confetti@1.9.3, npm/codelyzer@6.0.2, npm/codemirror-solidity@0.2.5, npm/codemirror@5.65.18, npm/core-js@3.40.0, npm/eslint-config-prettier@7.1.0, npm/eslint-plugin-jsdoc@30.7.13, npm/eslint-plugin-standard@4.1.0, npm/file-saver@2.0.5, npm/flag-icons@6.15.0, npm/font-mfizz@2.4.1



Potential security issues detected.

To accept the risk, merge this PR and you will not be notified again.

Alert        | Package               | Note | Source | CI
Critical CVE | npm/crypto-js@3.3.0   |      |        | ⚠︎
Critical CVE | npm/jsonwebtoken@0.1.0 |      |        | ⚠︎


Next steps

What is a critical CVE?

Contains a Critical Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/crypto-js@3.3.0
  • @SocketSecurity ignore npm/jsonwebtoken@0.1.0

@rafikmojr

Checkmarx One – Scan Summary & Details (scan 138ead5f-90a0-4226-8dbc-333ea3e09068)

New Issues (19)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight
CRITICAL | CVE-2024-48949 | Npm-elliptic-6.5.4 | Vulnerable Package
  Recommended version: 6.6.1
  Description: The verify function in "lib/elliptic/eddsa/index.js" in the Elliptic versions 4.0.0 through 6.5.5 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)...
  Attack Vector: NETWORK
  Attack Complexity: LOW
CRITICAL | Cx88b46a98-47a5 | Npm-elliptic-6.5.4 | Vulnerable Package
  Recommended version: 6.6.1
  Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl...
  Attack Vector: NETWORK
  Attack Complexity: LOW
CRITICAL | MongoDB_NoSQL_Injection | /routes/showProductReviews.ts: 30 | Attack Vector
  The application relies on user inputs provided in id in /routes/showProductReviews.ts at line 30 to construct a raw MongoDB query with id in /route...
CRITICAL | MongoDB_NoSQL_Injection | /routes/trackOrder.ts: 15 | Attack Vector
  The application relies on user inputs provided in id in /routes/trackOrder.ts at line 15 to construct a raw MongoDB query with id in /routes/trackO...
CRITICAL | MongoDB_NoSQL_Injection | /routes/trackOrder.ts: 15 | Attack Vector
  The application relies on user inputs provided in id in /routes/trackOrder.ts at line 15 to construct a raw MongoDB query with id in /routes/trackO...
CRITICAL | Stored_XSS | /routes/userProfile.ts: 55 | Attack Vector
  The method Lambda embeds untrusted data in generated output with send, at line 65 of /routes/userProfile.ts. This untrusted data is embedded into t...
CRITICAL | Stored_XSS | /routes/userProfile.ts: 76 | Attack Vector
  The method Lambda embeds untrusted data in generated output with send, at line 65 of /routes/userProfile.ts. This untrusted data is embedded into t...
CRITICAL | Stored_XSS | /routes/videoHandler.ts: 79 | Attack Vector
  The method Lambda embeds untrusted data in generated output with send, at line 70 of /routes/videoHandler.ts. This untrusted data is embedded into ...
CRITICAL | Stored_XSS | /routes/videoHandler.ts: 74 | Attack Vector
  The method Lambda embeds untrusted data in generated output with send, at line 70 of /routes/videoHandler.ts. This untrusted data is embedded into ...
HIGH | Angular_Client_DOM_XSS | /frontend/src/app/search-result/search-result.component.ts: 144 | Attack Vector
  The method search_result_component embeds untrusted data in generated output with searchValue, at line 13 of /frontend/src/app/search-result/search...
MEDIUM | CVE-2024-11831 | Npm-serialize-javascript-5.0.1 | Vulnerable Package
  Recommended version: 6.0.2
  Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i...
  Attack Vector: NETWORK
  Attack Complexity: LOW
MEDIUM | CVE-2024-36751 | Npm-parseuri-0.0.6 | Vulnerable Package
  Description: An issue in parse-uri and parseuri allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.
  Attack Vector: NETWORK
  Attack Complexity: LOW
MEDIUM | CVE-2024-47764 | Npm-cookie-0.4.2 | Vulnerable Package
  Recommended version: 0.7.0
  Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook...
  Attack Vector: NETWORK
  Attack Complexity: LOW
MEDIUM | CVE-2024-55565 | Npm-nanoid-3.1.20 | Vulnerable Package
  Recommended version: 3.3.8
  Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values.
  Attack Vector: NETWORK
  Attack Complexity: LOW
MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-wasm-0.17.8 | Vulnerable Package
  Recommended version: 0.25.0
  Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
MEDIUM | Cxbb85e86c-2fac | Npm-esbuild-0.17.8 | Vulnerable Package
  Recommended version: 0.25.0
  Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
MEDIUM | Privacy_Violation | /routes/wallet.ts: 27 | Attack Vector
  Method Lambda at line 27 of /routes/wallet.ts sends user information outside the application. This may constitute a Privacy Violation.
LOW | CVE-2024-48948 | Npm-elliptic-6.5.4 | Vulnerable Package
  Recommended version: 6.6.1
  Description: The Elliptic package versions through 6.5.7 for Node.js, in their ECDSA implementation, do not correctly verify valid signatures if the hash contai...
  Attack Vector: NETWORK
  Attack Complexity: HIGH
LOW | Use_Of_Hardcoded_Password | /frontend/src/app/register/register.component.spec.ts: 136 | Attack Vector
  The application uses the hard-coded password "aaaaa" for authentication purposes, either using it to verify users' identities, or to access another...
Fixed Issues (2004)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
CRITICAL Code_Injection /routes/showProductReviews.ts: 30
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/showProductReviews.ts: 30
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/showProductReviews.ts: 30
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/showProductReviews.ts: 30
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Code_Injection /routes/showProductReviews.ts: 30
CRITICAL Code_Injection /routes/trackOrder.ts: 15
CRITICAL Cxf6e7f2c1-dc59 Npm-yauzl-2.10.0
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 28
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeSnippet.ts: 94
CRITICAL Stored_XSS /routes/search.ts: 24
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_3.ts: 12
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_1.ts: 6
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 28
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeSnippet.ts: 94
CRITICAL Stored_XSS /routes/search.ts: 24
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_3.ts: 12
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_1.ts: 6
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_3.ts: 12
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 28
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_1.ts: 6
CRITICAL Stored_XSS /routes/search.ts: 24
CRITICAL Stored_XSS /routes/vulnCodeSnippet.ts: 94
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 28
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_1.ts: 6
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /routes/search.ts: 24
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_3.ts: 12
CRITICAL Stored_XSS /routes/vulnCodeSnippet.ts: 94
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_1.ts: 6
CRITICAL Stored_XSS /data/static/codefixes/loginAdminChallenge_1.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
CRITICAL Stored_XSS /routes/vulnCodeSnippet.ts: 94
CRITICAL Stored_XSS /routes/search.ts: 24
CRITICAL Stored_XSS /data/static/codefixes/loginBenderChallenge_1.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/loginJimChallenge_4.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/loginAdminChallenge_1.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/dbSchemaChallenge_3.ts: 12
CRITICAL Stored_XSS /routes/login.ts: 37
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 28
CRITICAL Stored_XSS /data/static/codefixes/loginBenderChallenge_1.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/loginJimChallenge_4.ts: 21
CRITICAL Stored_XSS /data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
CRITICAL Stored_XSS /routes/login.ts: 37
CRITICAL Stored_XSS /routes/vulnCodeFixes.ts: 80

More results are available on the CxOne platform
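The MongoDB_NoSQL_Injection findings in the scan summary above describe a user-supplied `id` being used to construct a raw MongoDB query. The block below is an added example, not code from this PR or from the scanned project, that shows the mechanism in JavaScript: a filter builder that passes `id` through untouched (so a JSON body such as `{"id": {"$ne": null}}` turns a single-record lookup into a match-everything query), a hardened builder that requires `id` to be a string matching an expected identifier shape, and a small checker that flags `$`-prefixed operator keys in the resulting filter. The function names, the identifier pattern and the two request bodies are constructed for this illustration and are not the project's own; no database driver is involved, only the filter object that would be handed to `collection.find()`.

```javascript
// Added example: operator injection through an unchecked `id` in a MongoDB
// filter, beside a hardened builder. Names, pattern and inputs are assumptions
// for this illustration, not code from the scanned project.

// Vulnerable: whatever the client sent (string, object, array) becomes the
// filter value verbatim. With a JSON body parser, `{"id": {"$ne": null}}`
// arrives as an object, so the filter matches every document, not one order.
function buildOrderFilterVulnerable(id) {
  return { orderId: id };
}

// Hardened: refuse anything that is not a string of the expected shape before
// any filter is built. The pattern is an assumed identifier format; replace it
// with the real one used by the application.
const ORDER_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function buildOrderFilterSafe(id) {
  if (typeof id !== 'string' || !ORDER_ID_PATTERN.test(id)) {
    throw new TypeError('invalid order id');
  }
  return { orderId: id };
}

// Reviewer's check: does the filter carry a MongoDB operator ($ne, $gt, $where,
// $regex, ...) anywhere a literal value was intended? Walks nested objects and
// arrays and reports any key that starts with '$'.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value && typeof value === 'object') {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith('$') || containsOperator(v)
    );
  }
  return false;
}

// Constructed request bodies standing in for what a JSON body parser would
// hand the route handler.
const benignBody = { id: '5267-bc3d' };        // ordinary order lookup
const injectedBody = { id: { $ne: null } };    // operator injection
const arrayBody = { id: ['5267-bc3d', 'x'] };  // type confusion via query/body arrays

function rejectedBySafeBuilder(id) {
  try {
    buildOrderFilterSafe(id);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Runs the three inputs through both builders and returns what each yields.
function demo() {
  return {
    benignVulnerable: containsOperator(buildOrderFilterVulnerable(benignBody.id)),
    injectedVulnerable: containsOperator(buildOrderFilterVulnerable(injectedBody.id)),
    benignSafe: containsOperator(buildOrderFilterSafe(benignBody.id)),
    injectedSafeRejected: rejectedBySafeBuilder(injectedBody.id),
    arraySafeRejected: rejectedBySafeBuilder(arrayBody.id),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The `containsOperator` walk is the same check worth running in a test suite against every filter a route builds from request data: if any key under a field begins with `$`, the request was able to choose the query operator, which is exactly what the scanner's "raw MongoDB query with id" finding means. Rejecting non-string types, as `buildOrderFilterSafe` does, also closes the array form, since Express query parsing and JSON bodies can both deliver arrays where a scalar was expected.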
