[Snyk] Fix for 2 vulnerabilities

[saurabharch]

Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• api/package.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Predictable Value Range from Previous Values SNYK-JS-FORMDATA-10841150	863
	Uncaught Exception SNYK-JS-MULTER-10773732	721

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncaught Exception

[gemini-code-assist]

Summary of Changes

Hello @saurabharch, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, focuses on enhancing the project's security posture by updating two key npm dependencies. The changes specifically target and resolve a critical and a high severity vulnerability by upgrading the bcrypt and multer packages to their patched versions, ensuring the application remains secure against known exploits.

Highlights

• Dependency Upgrades for Security: Upgraded the bcrypt dependency from version ^1.0.3 to ^5.0.1 to address the critical vulnerability SNYK-JS-FORMDATA-10841150 (Predictable Value Range from Previous Values).
• Dependency Upgrades for Security: Upgraded the multer dependency from version ^1.3.0 to ^2.0.2 to address the high severity vulnerability SNYK-JS-MULTER-10773732 (Uncaught Exception).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request, automatically generated by Snyk, aims to fix two security vulnerabilities by upgrading bcrypt and multer. While the bcrypt upgrade is valid, it highlights a performance issue in the existing codebase due to the use of synchronous functions. The multer upgrade, however, is critically flawed as it targets a non-existent package version and introduces an incompatibility with multer-s3, which would break the application. My review includes a recommendation to address the performance concern and a critical note to reject the multer change until a viable upgrade path is found.

[gemini-code-assist]

This proposed upgrade for multer is critically flawed and will break the build.

1. Invalid Version: [email protected] does not exist on the npm registry. This will cause npm install to fail.

2. Dependency Conflict: The project uses multer-s3@^2.7.0, which is incompatible with [email protected]. Upgrading multer without a compatible version of multer-s3 will break the file upload functionality.

While this change is intended to fix vulnerabilities, the multer upgrade is not viable. I recommend reverting this specific change to unblock other fixes and creating a separate technical debt ticket to investigate a safe upgrade path for multer and multer-s3.

"multer": "^1.3.0",

[gemini-code-assist]

While upgrading bcrypt to ^5.0.1 is necessary to resolve security vulnerabilities, it's important to be aware of the performance implications of how this library is used in the project.

The application currently uses the synchronous methods bcrypt.hashSync() and bcrypt.compareSync() (in api/src/models/user.js). These are CPU-intensive operations that will block the Node.js event loop, severely impacting the application's performance and ability to handle concurrent requests.

I strongly recommend creating a follow-up task to refactor the code to use the asynchronous versions (bcrypt.hash() and bcrypt.compare()) to prevent these performance bottlenecks.