fix: update snyk

[frontegg-david]

Summary by CodeRabbit

• Chores
  • Added development configuration and tooling dependencies to the project.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

A Snyk policy configuration file (v1.25.0) was introduced to define code scanning exclusions, and the Snyk CLI tool was added as a development dependency. These changes establish security scanning tooling without modifying runtime code or application logic.

Changes

Cohort / File(s)	Change Summary
Snyk Configuration .snyk, package.json	Added .snyk policy file with version and exclude rules for test files, examples, build scripts, and legacy components; added snyk devDependency (^1.1301.2) to package.json

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A watchful rabbit plants the seed of security,
Snyk scans the burrows for vulnerability.
With config in place and dependencies spun,
The warren is safer—protection is fun! 🐰🔒

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'fix: update snyk' is vague and doesn't clearly convey what the snyk update entails. It mentions updating snyk but doesn't specify whether it's a dependency version bump, policy configuration, security rules, or configuration changes.	Make the title more specific, such as 'fix: add snyk configuration and update snyk dependency' or 'fix: configure snyk policy and add snyk devDependency' to clearly indicate what changes are being made.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-snyk

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[frontegg-david]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c41666b and ab5f6be.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• .snyk (1 hunks)
• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Lint & Format Checks
• GitHub Check: Build Libraries

🔇 Additional comments (5)

.snyk (4)

1-3: LGTM: Snyk policy file structure.

The policy file version and structure are properly formatted for Snyk configuration.

---

6-17: LGTM: Test and development file exclusions.

Excluding test files, examples, build scripts, and testing libraries from security scanning is appropriate since these are not production code and often contain intentional test data or mock implementations.

---

25-26: Express adapter exclusion is intentional for serverless deployments.

The Snyk exclusion for X-Powered-By and HTTP is documented in the policy. The adapter is designed primarily for serverless deployments (Vercel, AWS Lambda) where the platform provides HTTPS. The getHandler() method exports the Express app for serverless environments, while start() creates a plain HTTP server for local development.

If using start() in production, ensure HTTPS is enforced at the deployment/infrastructure layer. The X-Powered-By header exposure may be acceptable for a client-side SDK but consider disabling it via app.disable('x-powered-by') if information hiding is required.

---

28-29: Path traversal protections are adequately implemented in the CLI create command.

The code uses a whitelist-based sanitization approach via sanitizeForFolder() that only permits alphanumeric characters, dots, underscores, and hyphens. User input is sanitized before being passed to path.resolve(), which canonicalizes the path. The implementation then validates that the target directory is empty and creates it only if it doesn't exist. All subsequent file operations use path.join() with the validated base directory, preventing traversal attempts. This design follows OWASP path traversal prevention best practices for CLI tools and is intentionally excluded from Snyk scanning per the security policy.

package.json (1)

61-61: Snyk package version is current.

Version 1.1301.2 is the latest release, published a day ago. It includes a recent bugfix for MCP compliance with agentic integrations. No known vulnerabilities exist for this version. The caret (^) constraint properly allows for compatible minor and patch updates.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if legacy SSE transporter is still actively used in the codebase

echo "=== Checking for imports/usage of the legacy transporter ==="
rg -n --type=ts --type=js -C2 "from ['\"].*transport/legacy" 

echo -e "\n=== Checking for any file matching the legacy transport path ==="
fd "legacy" libs/sdk/src/transport 2>/dev/null || echo "No files found in that path"

echo -e "\n=== Reading the .snyk file for context ==="
cat -n .snyk 2>/dev/null || echo ".snyk file not found"

echo -e "\n=== Searching for deprecation notices about legacy transporter ==="
rg -i "legacy.*deprecat|deprecat.*legacy" --type=ts --type=js --type=md

echo -e "\n=== Searching for any comments or issues about XSS in legacy transport ==="
rg -i "xss|security" libs/sdk/src/transport/legacy 2>/dev/null || echo "No results in legacy path"

Repository: agentfront/frontmcp

Length of output: 2253

---

XSS vulnerabilities in actively-used code should not be excluded from scanning.

The legacy SSE transporter is imported in libs/sdk/src/server/server.types.ts and actively used throughout the codebase. Excluding it from Snyk scanning suppresses critical security findings without addressing the underlying vulnerabilities.

• Fix the XSS vulnerabilities in the legacy transporter
• If this code is truly being phased out, establish a clear deprecation and removal timeline in the code comments
• If the XSS reports are false positives, document the analysis in the source file explaining why they're safe

The current approach of silently excluding active code from security scanning creates a maintenance debt and security risk.

🤖 Prompt for AI Agents

.snyk around lines 19-20: the legacy SSE transporter path is being excluded from
Snyk scans which hides XSS vulnerabilities; either remove the exclusion so the
path "libs/sdk/src/transport/legacy/**" is scanned, or if you intend to keep it
excluded: (a) fix the XSS issues in libs/sdk/src/transport/legacy/* (sanitize
outputs, validate inputs, use safe encoding, add tests), or (b) add in-file
documentation in the legacy transporter with a deprecation timeline and
justification (or false-positive analysis) and link to a bug/issue tracking the
removal; in short, do not silently exclude active code—either remediate,
document and schedule removal, or stop excluding the path from .snyk.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Address information exposure and open redirect vulnerabilities.

Excluding the flow instance file suppresses security findings for information exposure and open redirect vulnerabilities. These are legitimate security concerns:

• Information exposure can leak sensitive data to unauthorized parties
• Open redirect can be exploited for phishing attacks by redirecting users to malicious sites

These vulnerabilities should be addressed rather than excluded from scanning.

Do you want me to review the flow instance file and suggest security hardening approaches?

🤖 Prompt for AI Agents

In .snyk around lines 22-23 the flow.instance.ts file is excluded which hides
legitimate "information exposure" and "open redirect" findings; remove the
exclusion and instead remediate the root causes: run the scanner on
libs/sdk/src/flows/flow.instance.ts, inspect any places that return or log
sensitive data (strip or redact secrets, avoid embedding env vars or tokens, and
restrict data returned to the minimum), ensure any redirect URL handling
validates against an allowlist or enforces same-origin/relative URLs and rejects
external targets, add strict input validation and output encoding/sanitization
where user-controlled values are used in responses, add unit tests covering
redirect behavior and data leakage scenarios, and only re-add an exclusion in
.snyk if you document a valid false-positive with justification and link to a
mitigating control.