Transcript
And to do that, we're gonna use Snyk to see what security issues there might be with the project that Composer 2.5 made for us here. All right, so I have the Snyk extension set up, installed, logged into my account, and I scanned the project, and we can see we have quite a bit of security issues that came up, both in the open source security, the dependencies that we have for the project here that Composer 2.5 chose, and the code that it wrote. So looking at these issues, we have three high and four medium severity issues, all based on this tar package that it chose, and that's being introduced via the bcrypt package, our direct dependency. One of the fixes is upgrading to bcrypt 6.0.0 versus the 5.1.1 that we're using here. That has the fixed version for that. We can go ahead and fix that and get that remediated. We have a symlink attack, also introduced via there, and a couple other ones. I'm not gonna bore you with all the details, but you get the idea. It didn't really choose the best versions of the packages, not necessarily bad packages, but versions of packages that have known vulnerabilities in them. In addition to that, we'll take a look at the code security, and we can see, okay, allocation of resources without limits. I've mentioned this in the past videos. I'll call it out again here in case you've missed that. This type of thing is for rate limiting, and I take this a little bit with a grain of salt whenever I see it come up as an issue, because I tend to deploy these applications in environments where there is rate limiting on the outskirts of it, not directly written in the code of my application. That's what I choose to do. You may choose differently, but that's just a heads up with that, and so take this with a grain of salt. It's not a huge issue, so I don't count it as a knock against Cursor Composer 2.5 in this situation. However, the open source dependencies are not a good look there, so that's a bit of a knock as well. Thank you.