
update express to version 4.20.0 to fix npm audit error #3533

Closed


spearmootz

Summary

fixes the following

```text
body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

5 vulnerabilities (2 moderate, 3 high)
```

(If you have not already please refer to the contributing guideline as [described
here](https://github.com/feathersjs/feathers/blob/dove/.github/contributing.md#pull-requests))

- [x] Tell us about the problem your pull request is solving.
- [ ] Are there any open issues that are related to this?
- [ ] Is this PR dependent on PRs in other repos?

If so, please mention them to keep the conversations linked together.

### Other Information

If there's anything else that's important and relevant to your pull
request, mention that information here. This could include
benchmarks, or other information.

Your PR will be reviewed by a core team member and they will work with you to get your changes merged in a timely manner. If merged your PR will automatically be added to the changelog in the next release.

If this is a new feature, please remember to add the appropriate documentation in their respective pages in the `docs` folder.

Thanks for contributing to Feathers! :heart:

daffl (Member) commented Oct 31, 2024

Thank you for the pull request. I ended up merging this change via #3543

daffl closed this Oct 31, 2024