# Snyk Remediation Summary

## Statement
In April 2026, ClaimGuard ran a full Snyk Open Source + Snyk Code scan over
the application repository and remediated every finding. Each finding was
either fixed by a code change or formally deferred in a versioned policy
file (.snyk) with a per-CVE justification, a code-level invariant where
applicable, and a one-year expiry that forces re-review.
## Implementation

### Numbers
- Scan date: 2026-04-22.
- Total findings: 188 across npm, PyPI, and Snyk Code.
- Disposition: every finding either fixed by a code change in the `security/remediation-2026-04` branch (now merged to `main`) or formally deferred in `.snyk` with a justification.
- Active deferrals in `.snyk`: 19 entries (one-year expiry, all reviewed and renewed annually).
### Categories of fix
The remediation work is organized into seven topical commits on top of
1eea37e. Per-finding narrative lives in docs/security/findings/P0-01.md
through P3-02.md. The high-level shape:
| Severity tier | Examples | Fix shape |
|---|---|---|
| P0 (boot-blocking + critical) | `JWT_SECRET` fallback, SQL injection in claims/admin, hardcoded secrets, h11 HTTP smuggling | Mandatory-at-boot assertions, parameterized queries, secret externalization, dep pin floors |
| P1 (high) | SSRF in outbound webhook fetch, path-traversal in HTTP layer, Node major bumps, Python transitive pins | New `safeFetch` keystone with rebinding-pinned undici Agent; `safePath` containment; full Node 22 + ESM migration |
| P2 (medium) | Test passwords, DOM XSS, open redirect, Express hardening, internal path-traversal | React Router 6.30.x bump; helmet + CSP defaults; `safePath` NUL-byte rejection |
| P3 (low / info) | Type validation gaps, miscellaneous low-severity hits | Type narrowing, schema tightening |
### Categories of deferral
The 19 entries in .snyk fall into five buckets, each with a documented
reason:
- Scanner false positives — `h11`, `urllib3`, `python-multipart` are pinned directly in our `requirements.txt` files at versions above the CVE thresholds. Snyk's Python resolver doesn't see direct pins against a parent's metadata floor and reports the parent's declared minimum as if our override line did not exist.
- Upstream SDK transitives — `@base44/sdk > axios`, `@base44/sdk > socket.io-client > socket.io-parser`. No fix released by the SDK vendor yet; tracked for upgrade when one ships.
- Dev-only build-tool transitives — `eslint`, `tailwindcss`, `vite`, `vitest` chains. Not in the production bundle.
- Runtime deps with verified non-reachable vectors — e.g., `lodash` has no `_.template` call sites in the codebase, so the related CVE doesn't apply.
- Snyk Code SAST false positives — flow-analysis hits where the guard the analyzer missed is documented (UUID gates, whitelisted column names, path containment helpers, `safeFetch` wraps).
Every entry carries a `reason:` field that names the specific code path or
invariant that disposes of the finding. No entry is open-ended.
### Engineering invariants now load-bearing
The remediation introduced — and the codebase now depends on — a set of invariants that future changes must preserve:
- Outbound HTTP must go through `server/src/lib/safeFetch.js`, which rejects private/link-local/CGNAT/IMDS addresses, pins the resolved IP against DNS rebinding, and rejects unknown schemes, oversized bodies, and 3xx redirects by default.
- `JWT_SECRET` ≥ 32 bytes mandatory at boot. No fallback. The server refuses to start without it.
- Audit log authorization hard-scopes non-super-admins to their own org regardless of query params.
- Global rate limiter (300 / 15 min) is scoped to `/api` + `/predict` only — not the full app — so static and `/health` paths stay exempt.
- `safePath` rejects NUL bytes before its containment check; NUL is treated as a signal, not noise to be sanitized away.
- CSP `default-src 'none'` in all environments.
The full invariant list is in docs/security/README.md ("Invariants you
must preserve") and is the canonical reference for engineers touching
auth, uploads, outbound HTTP, or rate limiting.
### Repo-side enforcement
- The `.snyk` policy file lives at the root of the repository under source control.
- Per-finding narrative lives in `docs/security/findings/`.
- The remediation branch (`security/remediation-2026-04`) was merged to `main` after a multi-agent code review. Subsequent regression-gap commits closed test coverage gaps surfaced by the merge.
## Status

Implemented — verified 2026-04-26.
The remediation branch was merged to main. Every active .snyk entry
has a 2027-04-22 expiry; the next scheduled review is 2027-04-22.
## Roadmap
- Continuous scanning in CI — Snyk Open Source + Snyk Code on every pull request. (Tracked separately under Secure SDLC.)
- SBOM generation in CI artifacts (planned).
- Annual renewal pass of the `.snyk` deferrals — confirm each reason still holds, rotate expiry, and remove entries the upstream has fixed.