Issues · Search Results · language:Dune language:JavaScript language:Java linked:pr
Summary
GET /api/messages in apps/api/src/routes/messageRoutes.js has no authMiddleware. Any unauthenticated client can read all
messages in the system.
Impact
- All private user messages are publicly ...
Summary
GET /api/proposals in apps/api/src/routes/proposalRoutes.js has no authMiddleware. Any unauthenticated client can fetch
all proposals in the system.
Impact
- Proposals (including sensitive ...
Summary
In apps/api/src/routes/uploadRoutes.js, multer is configured with only multer.memoryStorage() and no limits option. This
means clients can upload files of unlimited size, buffering the entire ...
Summary
Set up minimum-viable CI, a pre-commit hook, and branch protection for this TypeScript/Node repo.
Changes
- CI (.github/workflows/ci.yml): runs the CI-parity trio — npm test, npm run typecheck, ...
mault-agent
Summary
express.json() in apps/api/src/app.js is called without a limit option. Express's default body size limit is 100 KB, but
with older or misconfigured setups the limit can be effectively unbounded. ...
Summary
In apps/api/src/app.js, app.use(express.json()) is registered before app.use(apiLimiter). This means body parsing
happens before rate limiting, so a client can send many large or malformed JSON ...
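The three body-handling findings above (multer with no limits, express.json() with no limit, and the parser registered before apiLimiter) share one mechanism, so here is one added example, not code from the repository in these issues: an Express-style JSON body parser with an explicit byte limit, a fixed-window rate limiter keyed by client IP, and a simulation showing why the limiter has to be registered first. A tiny chain runner stands in for an Express app; the function names, limits and sample requests are all constructed for the example.

```javascript
// Added example, not the project's code. Express-compatible (req, res, next)
// middleware; `req.rawBody` stands in for the request stream, and `req.ip` for
// Express's trusted client address.

function jsonBody({ limit = 100 * 1024 } = {}) {
  return function jsonBodyMiddleware(req, res, next) {
    // Reject on the declared size first, then on the bytes actually received:
    // Content-Length can be absent or wrong, so both checks are needed.
    const declared = Number((req.headers && req.headers['content-length']) || 0);
    if (declared > limit) return res.status(413).json({ error: 'payload too large' });
    const raw = Buffer.from(req.rawBody || '', 'utf8');
    if (raw.length > limit) return res.status(413).json({ error: 'payload too large' });
    try {
      req.body = raw.length ? JSON.parse(raw.toString('utf8')) : {};
    } catch {
      return res.status(400).json({ error: 'malformed JSON' });
    }
    return next();
  };
}

// Fixed-window limiter: at most `max` requests per `windowMs` per client IP.
// `now` is injectable so the window can be frozen in tests.
function rateLimiter({ windowMs = 60_000, max = 100, now = Date.now } = {}) {
  const buckets = new Map(); // ip -> { count, resetAt }
  return function apiLimiter(req, res, next) {
    const t = now();
    let bucket = buckets.get(req.ip);
    if (!bucket || bucket.resetAt <= t) {
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(req.ip, bucket);
    }
    if (++bucket.count > max) return res.status(429).json({ error: 'too many requests' });
    return next();
  };
}

// Runs middleware in registration order, the way successive app.use() calls do.
function runChain(middlewares, req, res) {
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Minimal stand-in for an Express response object.
function mockRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Sends `count` requests from one client, each carrying a ~50 KB JSON body, and
// reports how many times the parser ran and which status each request received.
// order = 'parser-first' reproduces the app.js registration the issue describes.
function simulate(order, { count = 5, max = 2 } = {}) {
  let parserCalls = 0;
  const parser = jsonBody({ limit: 100 * 1024 });
  const countingParser = (req, res, next) => { parserCalls += 1; parser(req, res, next); };
  const limiter = rateLimiter({ max, now: () => 0 });
  const handler = (req, res) => res.status(200).json({ ok: true });
  const chain = order === 'limiter-first'
    ? [limiter, countingParser, handler]
    : [countingParser, limiter, handler];
  const payload = JSON.stringify({ note: 'x'.repeat(50 * 1024) });
  const statuses = [];
  for (let i = 0; i < count; i++) {
    const req = {
      ip: '203.0.113.7',
      headers: { 'content-length': String(Buffer.byteLength(payload)) },
      rawBody: payload,
    };
    statuses.push(runChain(chain, req, mockRes()).statusCode);
  }
  return { parserCalls, statuses };
}
```

With the parser registered first, every one of the five requests is buffered and parsed before the limiter rejects the last three; with the limiter first, the parser only runs for the two requests that are allowed through. Under real Express the corrected registration is `app.use(apiLimiter)` followed by `app.use(express.json({ limit: '100kb' }))`, and for the upload route `multer({ storage: multer.memoryStorage(), limits: { fileSize: 5 * 1024 * 1024, files: 1 } })`; the byte values are illustrative, the option names are multer's and express.json's own.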
Summary
loginUser in apps/api/src/services/authService.js hardcodes role: client in the JWT and does not return a user id in
the response. The login response shape is incomplete.
Impact
- All authenticated ...
Summary
GET /api/users in apps/api/src/routes/userRoutes.js has no authMiddleware. Any unauthenticated client can enumerate all
user records.
Impact
- Full user list (emails, roles, IDs) is publicly ...
Summary
postUser in apps/api/src/controllers/userController.js passes req.body directly to createUser() with no Zod validation
and no authentication middleware. The route is publicly accessible.
Impact ...
Summary
postNotification in apps/api/src/controllers/notificationController.js passes req.body directly to createNotification()
with no Zod validation.
Impact
- Notifications can be created with missing ...
