
🔒 Fix 1 security vulnerabilities#299

Closed
james-snyk wants to merge 1 commit intomainfrom
fix/vuln-bot-2026-04-28-210743

Conversation

@james-snyk
Contributor

🔒 Security Vulnerability Fixes

This PR addresses security vulnerabilities detected by Snyk for project snyk-python-plugin.

🔍 Test Failure Analysis

This report analyzes the test failures that occurred after upgrading the snyk-poetry-lockfile-parser npm package. The failures are consistent across multiple tests and point to a clear environmental issue.

1. Root Cause

The root cause of the failures is the absence of the python executable in the test environment's PATH.

The upgraded package, snyk-poetry-lockfile-parser, has likely changed its implementation. While a previous version may have parsed the poetry.lock file using pure JavaScript/TypeScript, the new version appears to be shelling out to a Python process to resolve dependencies. This is a common strategy to improve the accuracy of dependency analysis by leveraging the native toolchain. This change introduced a new, implicit dependency on a Python runtime, which is not present in the environment where the tests were executed.

2. Category

This is primarily a Missing dependencies or environment setup issue.

The upgrade to snyk-poetry-lockfile-parser introduced a breaking change in its runtime requirements, making a previously self-contained process now dependent on an external tool (python). The test environment was not updated to meet this new requirement.

3. Specific Issues

Two distinct types of failures were observed:

  1. Explicit Python Not Found Errors (6 failures)

    • Error Message: Error processing poetry project. Could not find 'python' on your PATH. stderr: spawn python ENOENT
    • Affected Tests: All tests related to Poetry projects (poetry-app, poetry-v2-app, etc.) failed with this identical error. The ENOENT error code confirms that the system tried to execute the python command but could not find it.
  2. Test Timeout (1 failure)

    • Error Message: Exceeded timeout of 180000 ms for a test.
    • Affected Test: The test for pipfile-optional-dependencies timed out after 3 minutes.
    • Analysis: This is very likely a symptom of the same root cause. Pipfile is also a Python dependency format. The test is probably attempting to invoke a Python-related process which hangs or fails silently because Python is missing, causing the test to wait indefinitely until the Jest timeout is reached.

4. Recommendations

To resolve these failures, the developer should update the execution environment.

  1. Install Python: Modify the test environment (e.g., the CI/CD job's Dockerfile, VM setup script, or local development environment) to install a compatible version of Python (Python 3 is recommended).

  2. Ensure Python is in PATH: Verify that the python executable is available in the system's PATH. In many modern Linux distributions, Python 3 is installed as python3. If the parser specifically calls python, you may need to create a symbolic link:

    # Example for Debian/Ubuntu based systems
    sudo apt-get update && sudo apt-get install -y python3 python3-pip
    # Create a symlink so 'python' points to 'python3'
    sudo ln -s /usr/bin/python3 /usr/bin/python
  3. Address the Timeout: Once Python is correctly installed, re-run the tests. The pipfile test that was timing out should now either pass or fail quickly with a more descriptive error, which can then be addressed.

  4. Update Documentation: Update the project's README.md or contributor documentation to explicitly state that Python is a required dependency for running the test suite. This will prevent similar issues for other developers in the future.

📋 View Full Test Output

> test
> npm run test:jest


> test:jest
> jest

  console.warn
    [snyk-python-plugin] Filtered contamination from JSON output: 38 characters removed. Contamination content: "pip_system_certs configuration loaded\n"

      30 |
      31 |         if (filteredContent.length > 0) {
    > 32 |           console.warn(
         |                   ^
      33 |             `[snyk-python-plugin] Filtered contamination from JSON output: ` +
      34 |               `${filteredContent.length} characters removed. ` +
      35 |               `Contamination content: ${JSON.stringify(

      at parseJsonWithContaminationFiltering (lib/dependencies/inspect-implementation.ts:32:19)
      at Object.<anonymous> (test/contamination-filtering.spec.ts:39:57)

  console.warn
    [snyk-python-plugin] Filtered contamination from JSON output: 43 characters removed. Contamination content: "\npip_system certificate validation complete"

      30 |
      31 |         if (filteredContent.length > 0) {
    > 32 |           console.warn(
         |                   ^
      33 |             `[snyk-python-plugin] Filtered contamination from JSON output: ` +
      34 |               `${filteredContent.length} characters removed. ` +
      35 |               `Contamination content: ${JSON.stringify(

      at parseJsonWithContaminationFiltering (lib/dependencies/inspect-implementation.ts:32:19)
      at Object.<anonymous> (test/contamination-filtering.spec.ts:45:57)

  console.warn
    [snyk-python-plugin] Filtered contamination from JSON output: 53 characters removed. Contamination content: "SSL certificate verification\n\npip_system cleanup done"

      30 |
      31 |         if (filteredContent.length > 0) {
    > 32 |           console.warn(
         |                   ^
      33 |             `[snyk-python-plugin] Filtered contamination from JSON output: ` +
      34 |               `${filteredContent.length} characters removed. ` +
      35 |               `Contamination content: ${JSON.stringify(

      at parseJsonWithContaminationFiltering (lib/dependencies/inspect-implementation.ts:32:19)
      at Object.<anonymous> (test/contamination-filtering.spec.ts:51:57)

  console.warn
    [snyk-python-plugin] Filtered contamination from JSON output: 42 characters removed. Contamination content: "prefix contamination  suffix contamination"

      30 |
      31 |         if (filteredContent.length > 0) {
    > 32 |           console.warn(
         |                   ^
      33 |             `[snyk-python-plugin] Filtered contamination from JSON output: ` +
      34 |               `${filteredContent.length} characters removed. ` +
      35 |               `Contamination content: ${JSON.stringify(

      at parseJsonWithContaminationFiltering (lib/dependencies/inspect-implementation.ts:32:19)
      at Object.<anonymous> (test/contamination-filtering.spec.ts:59:57)

  console.warn
    [snyk-python-plugin] Filtered contamination from JSON output: 71 characters removed. Contamination content: "Loading certificates...\npip_system_certs initializing\n\nCleanup complete"

      30 |
      31 |         if (filteredContent.length > 0) {
    > 32 |           console.warn(
         |                   ^
      33 |             `[snyk-python-plugin] Filtered contamination from JSON output: ` +
      34 |               `${filteredContent.length} characters removed. ` +
      35 |               `Contamination content: ${JSON.stringify(

      at parseJsonWithContaminationFiltering (lib/dependencies/inspect-implementation.ts:32:19)
      at Object.<anonymous> (test/contamination-filtering.spec.ts:71:57)

ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
ts-jest[versions] (WARN) Version 5.9.3 of typescript installed has not been tested with ts-jest. If you're experiencing issues, consider using a supported version (>=4.3.0 <5.0.0-0). Please do not report issues in ts-jest if you are using unsupported versions.
PASS test/unit/build-args.spec.ts
  build args
    ✓ should return expected args (1 ms)
    ✓ should return expected args when allowMissing is true
    ✓ should return expected args when includeDevDeps is true
    ✓ should return expected args when allowMissing and includeDevDeps are true

PASS test/contamination-filtering.spec.ts
  parseJsonWithContaminationFiltering
    Strategy 1: Clean JSON (most common case)
      ✓ should parse clean JSON output successfully (2 ms)
      ✓ should handle JSON with extra whitespace
    Strategy 2: JSON extraction from contaminated output
      ✓ should extract valid JSON from output with prefix contamination (23 ms)
      ✓ should extract valid JSON from output with suffix contamination
      ✓ should extract valid JSON from output with surrounding contamination (1 ms)
    Strategy 2 edge cases
      ✓ should extract JSON using brace boundaries (1 ms)
      ✓ should find valid JSON line in multi-line output (2 ms)
    Error handling
      ✓ should provide descriptive error with original output for debugging (9 ms)

PASS test/unit/poetry.spec.ts
  getPoetryDepencies
    ✓ should use absolute targetFile path directly without joining to root (3 ms)
    ✓ should throw exception when manifest does not exist
    ✓ should throw exception when lockfile does not exist
    ✓ should throw exception when lockfile parser throws exception (1 ms)

FAIL test/unit/setup_file.spec.ts
  Test setup_file.py
    ✕ parse works for 'import setuptools;setuptools.setup(name="test")' (147 ms)
    ✕ parse works for 'from setuptools import setup;setup(name="test")' (86 ms)
    ✓ should work when --dev-deps is set but not dev-packages in Pipfile (315 ms)

  ● Test setup_file.py › parse works for 'import setuptools;setuptools.setup(name="test")'

    expect(received).toBe(expected) // Object.is equality

    Expected: 0
    Received: 1

      14 |     );
      15 |
    > 16 |     expect(result.status).toBe(0);
         |                           ^
      17 |   });
      18 |
      19 |   it('should work when --dev-deps is set but not dev-packages in Pipfile', async () => {

      at test/unit/setup_file.spec.ts:16:27

  ● Test setup_file.py › parse works for 'from setuptools import setup;setup(name="test")'

    expect(received).toBe(expected) // Object.is equality

    Expected: 0
    Received: 1

      14 |     );
      15 |
    > 16 |     expect(result.status).toBe(0);
         |                           ^
      17 |   });
      18 |
      19 |   it('should work when --dev-deps is set but not dev-packages in Pipfile', async () => {

      at test/unit/setup_file.spec.ts:16:27

PASS test/unit/sub-process.spec.ts
  Test sub-process.ts
    ✓ test restoring proxy setting in executeSync() (383 ms)
    ✓ test executeSync() (211 ms)

PASS test/unit/inspect-implementation.spec.ts
  Test inspect-implementation.ts
    inspectInstalledDeps
      ✓ should call tmp.dirSync with tmpdir option when SNYK_TMP_PATH is set (326 ms)
      ✓ should call tmp.dirSync without tmpdir option when SNYK_TMP_PATH is not set (238 ms)

FAIL test/system/inspect.spec.ts (1450.385 s)
  inspect
    ✕ should return correct target file for poetry project when relative path to poetry lock file is passed (4 ms)
    ✕ should return correct target file for poetry v2 project when relative path to poetry lock file is passed (3 ms)
    when doing inspect with --only-provenance
      ✓ should get a valid dependency graph for workspace = pip-app (202 ms)
      ✓ should get a valid dependency graph for workspace = pipfile-pipapp (1188 ms)
      ✓ should get a valid dependency graph for workspace = setup_py-app (227 ms)
      ✕ should get a valid dependency graph for workspace = pipfile-optional-dependencies (386334 ms)
    when testing pip projects
      ✓ should get a valid dependency graph for workspace = pip-app-local-whl-file (8193 ms)
      ✓ should get a valid dependency graph for workspace = pip-app (1794 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-bom (2195 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-with-urls (2418 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-without-markupsafe (2468 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-not-installed (3744 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-trusted-host (3778 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-with-dashes (2306 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-with-openapi_spec_validator (3007 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-conditional (2086 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-editable (9553 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-canonicalization (4404 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-optional-dependencies (4203 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-dev-alpha-beta-python-version (2435 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app (1713 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app (1635 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app-deps-conditional (366 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app-deps-editable (6179 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app (1849 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pip-app-deps-with-dashes (377 ms)
      ✓ should succeed on package name/local dir name clash (3326 ms)
      ✓ should get a valid dependency graph for workspace = pip-app without setuptools previously installed (2725 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-bom without setuptools previously installed (527 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-with-urls without setuptools previously installed (588 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-without-markupsafe without setuptools previously installed (844 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-not-installed without setuptools previously installed (581 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-trusted-host without setuptools previously installed (570 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-with-dashes without setuptools previously installed (533 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-with-openapi_spec_validator without setuptools previously installed (612 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-conditional without setuptools previously installed (559 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-editable without setuptools previously installed (6290 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-deps-canonicalization without setuptools previously installed (1174 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-optional-dependencies without setuptools previously installed (1218 ms)
      ✓ should get a valid dependency graph for workspace = pip-app-dev-alpha-beta-python-version without setuptools previously installed (573 ms)
      ✓ should fail on missing transitive dependencies (1874 ms)
      ✓ should fail on nonexistent referenced local depedency (1520 ms)
      ✓ should not fail on nonexistent referenced local depedency when --skip-unresolved (123 ms)
    Circular deps
      ✓ Should get a valid dependency graph for circular dependencies (2344 ms)
    poetry projects
      ✕ should return expected dependencies for poetry-app (7 ms)
      ✕ should return expected dependencies for poetry-v2-app (4 ms)
      ✕ should return expected dependencies for poetry-optional-dependencies (7 ms)
      ✕ should return expected dependencies for poetry-v2-app-optional-dependencies (6 ms)
    Pipfile projects
      ✓ should return correct target file for pipenv project when relative path to pipfile lock file is passed (20 ms)
    when testing pipenv projects simulating pipenv install
      ✓ should get a valid dependency graph for workspace = pipfile-pipapp-pinned (16315 ms)
      ✓ should get a valid dependency graph for workspace = pipenv-app (7354 ms)
      ✓ should get correct pkgIdProvenance labels for packages in graph for workspace = pipfile-pipapp-pinned (1759 ms)
    when generating Pipfile depGraphs 
      ✓ should get a valid dependency graph for workspace = pipfile-pipapp-pinned (972 ms)
      ✓ should get a valid dependency graph for workspace = pipenv-app (976 ms)
      ✓ should get a valid dependency graph for workspace = pipfile-pipapp (990 ms)
      ✓ should get a valid dependency graph for workspace = pipfile-nested-dirs (975 ms)
      ✓ should fail with no deps or dev-deps (993 ms)
    setup.py projects
      ✓ should return correct target file for setuptools project when relative path to setup lock file is passed (21 ms)
    setup.py projects without mocks
      ✓ should get a valid dependency graph for workspace = setup_py-app (7946 ms)
    dep-graph
      ✓ should return dep graph for very dense input (38 ms)
      ✓ projectName option should set the dep graph root node name (25 ms)
    error scenarios
      manifest file is empty
        ✓ should throw PythonEmptyManifestError (19 ms)
      required packages were not installed
        ✓ should throw PythonRequiredPackagesMissingError (19 ms)

  ● inspect › when doing inspect with --only-provenance › should get a valid dependency graph for workspace = pipfile-optional-dependencies

    thrown: "Exceeded timeout of 180000 ms for a test.
    Use jest.setTimeout(newTimeout) to increase the timeout value, if this is a long-running test."

      107 |         targetFile: FILENAMES.pipenv.manifest,
      108 |       },
    > 109 |     ])(
          |       ^
      110 |       'should get a valid dependency graph for workspace = $workspace',
      111 |       async ({ workspace, targetFile }) => {
      112 |         testUtils.chdirWorkspaces(workspace);

      at node_modules/jest-each/build/bind.js:45:11
          at Array.forEach (<anonymous>)
      at test/system/inspect.spec.ts:109:7
      at test/system/inspect.spec.ts:78:3
      at Object.<anonymous> (test/system/inspect.spec.ts:71:1)

  ● inspect › poetry projects › should return expected dependencies for poetry-app

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

  ● inspect › poetry projects › should return expected dependencies for poetry-v2-app

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

  ● inspect › poetry projects › should return expected dependencies for poetry-optional-dependencies

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

  ● inspect › poetry projects › should return expected dependencies for poetry-v2-app-optional-dependencies

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

  ● inspect › should return correct target file for poetry project when relative path to poetry lock file is passed

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

  ● inspect › should return correct target file for poetry v2 project when relative path to poetry lock file is passed

    Error processing poetry project. Could not find 'python' on your PATH.
    stderr: spawn python ENOENT
    stdout:

      58 |     }
      59 |
    > 60 |     throw new Error('Error processing poetry project. ' + errorMessage);
         |           ^
      61 |   }
      62 | }
      63 |

      at lib/dependencies/poetry.ts:60:11
          at Generator.throw (<anonymous>)
      at rejected (node_modules/tslib/tslib.js:113:69)

Test Suites: 2 failed, 5 passed, 7 total
Tests:       9 failed, 77 passed, 86 total
Snapshots:   0 total
Time:        1450.954 s
Ran all test suites.


Fixed Vulnerabilities

high - Arbitrary Code Injection

  • CVE: CVE-2026-4800
  • Package: snyk-poetry-lockfile-parser
  • Fix: Updated snyk-poetry-lockfile-parser from ^1.9.1 to ^1.9.2

📝 Testing Recommendations

Please verify:

  1. All tests pass
  2. Application builds successfully
  3. No breaking changes in upgraded dependencies

Generated by Vuln-Bot 🤖

@snyk-io

snyk-io Bot commented Apr 28, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@james-snyk james-snyk force-pushed the fix/vuln-bot-2026-04-28-210743 branch from 606298b to 85d7e41 Compare April 28, 2026 20:38
Automated fix by Vuln-Bot
@james-snyk james-snyk force-pushed the fix/vuln-bot-2026-04-28-210743 branch from 85d7e41 to 8740fc9 Compare April 28, 2026 20:51
@james-snyk james-snyk closed this Apr 29, 2026
@james-snyk james-snyk deleted the fix/vuln-bot-2026-04-28-210743 branch April 29, 2026 08:48