
Conversation

@tharindulak
Member

@tharindulak tharindulak commented Nov 26, 2025

Purpose

Downgraded Express from version ^5.1.0 to ^4.21.2 in package.json. Express 4.x uses body-parser@1.20.3, which doesn't have the vulnerability.

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email [email protected] to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

UI Component Development

Specify the reason if the following are not followed.

  • Added reusable UI components to the ui-toolkit. Follow the instructions when adding the component.
  • Use ui-toolkit components wherever possible. Run npm run storybook from the root directory to view current components.
  • Matches with the native VSCode look and feel.

Manage Icons

Specify the reason if the following are not followed.

  • Added Icons to the font-wso2-vscode. Follow the instructions.

User stories

Summary of user stories addressed by this change

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to [email protected] and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

  • Chores
    • Updated development environment configuration for improved compatibility and stability.


@coderabbitai
Contributor

coderabbitai bot commented Nov 26, 2025

Walkthrough

The express package dependency in the low-code diagram workspace was downgraded from version 5.1.0 to 4.21.2. This is a single-line modification to package.json affecting the development dependency configuration.

Changes

Cohort / File(s) Change Summary
Dependency version update
workspaces/ballerina/ballerina-low-code-diagram/package.json
DevDependency express downgraded from ^5.1.0 to ^4.21.2

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify the rationale for downgrading express (compatibility issues, breaking changes in v5, etc.)
  • Confirm that existing functionality remains compatible with express 4.21.2
  • Check if any code changes are needed to accommodate the older version

Suggested reviewers

  • hevayo
  • gigara

Poem

🐰 A hop and a skip through version land,
Express takes a step back, as we planned,
From five to four, a gentle descent,
Stability first—this change is well-meant! 🔧✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name Status Explanation Resolution
Description check ⚠️ Warning The description is largely incomplete. While the Purpose section is filled with relevant context, most other required sections remain unfilled placeholder text (Goals, Approach, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, Learning). Complete the critical sections: Goals (explain how downgrade resolves the vulnerability), Approach (testing performed), Security checks (confirm standard compliance), and Test environment (specify tested configurations).
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: downgrading express to a specific version to fix a named CVE vulnerability.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 534b3ad and 70fd033.

⛔ Files ignored due to path filters (1)
  • common/config/rush/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • workspaces/ballerina/ballerina-low-code-diagram/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-11-25T06:34:10.812Z
Learnt from: CR
Repo: wso2/vscode-extensions PR: 0
File: workspaces/ballerina/component-diagram/AGENTS.md:0-0
Timestamp: 2025-11-25T06:34:10.812Z
Learning: Applies to workspaces/ballerina/component-diagram/src/**/*.{ts,tsx} : Use TypeScript 5.8.3 with strict type checking enabled for all source files

Applied to files:

  • workspaces/ballerina/ballerina-low-code-diagram/package.json
📚 Learning: 2025-11-25T06:34:10.812Z
Learnt from: CR
Repo: wso2/vscode-extensions PR: 0
File: workspaces/ballerina/component-diagram/AGENTS.md:0-0
Timestamp: 2025-11-25T06:34:10.812Z
Learning: Applies to workspaces/ballerina/component-diagram/src/components/**/*.tsx : Use React 18.2.0 features including concurrent rendering and automatic batching; avoid class components in favor of functional components with hooks

Applied to files:

  • workspaces/ballerina/ballerina-low-code-diagram/package.json
📚 Learning: 2025-11-25T06:34:10.812Z
Learnt from: CR
Repo: wso2/vscode-extensions PR: 0
File: workspaces/ballerina/component-diagram/AGENTS.md:0-0
Timestamp: 2025-11-25T06:34:10.812Z
Learning: Applies to workspaces/ballerina/component-diagram/**/*.config.{js,ts} : Use minimatch-compatible glob patterns for file matching in build and test configuration files

Applied to files:

  • workspaces/ballerina/ballerina-low-code-diagram/package.json
📚 Learning: 2025-11-25T06:34:10.812Z
Learnt from: CR
Repo: wso2/vscode-extensions PR: 0
File: workspaces/ballerina/component-diagram/AGENTS.md:0-0
Timestamp: 2025-11-25T06:34:10.812Z
Learning: Applies to workspaces/ballerina/component-diagram/src/index.ts : Export the main Diagram component as the default export from the package entry point (index.ts)

Applied to files:

  • workspaces/ballerina/ballerina-low-code-diagram/package.json
📚 Learning: 2025-11-25T06:34:10.812Z
Learnt from: CR
Repo: wso2/vscode-extensions PR: 0
File: workspaces/ballerina/component-diagram/AGENTS.md:0-0
Timestamp: 2025-11-25T06:34:10.812Z
Learning: Applies to workspaces/ballerina/component-diagram/src/**/*.{ts,tsx} : Define all constants (node types, sizing, spacing) in src/resources/constants.ts and import them where needed instead of hardcoding values

Applied to files:

  • workspaces/ballerina/ballerina-low-code-diagram/package.json
🔇 Additional comments (1)
workspaces/ballerina/ballerina-low-code-diagram/package.json (1)

105-105: Based on the web search results, I can now verify the CVE and provide a refined review comment. The searches confirm:

  1. CVE-2025-13466 is real and affects body-parser 2.2.0 (DoS vulnerability)
  2. Express 5.1.0 is vulnerable - it depends on body-parser ^2.2.0
  3. Express 4.21.2 is not vulnerable - it depends on body-parser 1.20.3
  4. The downgrade does fix the CVE, but raises strategy questions

However, the shell script failed to execute, which prevents me from verifying whether Express is actually used in the codebase and confirming code compatibility. Let me provide the rewritten review comment with the verified CVE information and remaining concerns:


CVE-2025-13466 is confirmed, but consider if downgrading Express is the best fix strategy.

The vulnerability is real: CVE-2025-13466 is a DoS in body-parser 2.2.0, and Express 5.1.0 indeed depends on body-parser ^2.2.0 (vulnerable). Express 4.21.2 ships body-parser 1.20.3 (not vulnerable), so the downgrade does fix the CVE.

However, concerns remain:

  1. Fix strategy: Downgrading Express from 5.x to 4.x is a major version change with breaking changes. A better approach would be to upgrade body-parser to ≥2.2.1 within Express 5.x, or apply stricter urlencoded parsing limits while waiting for a patched Express 5.x release. Verify this downgrade was the chosen approach for a specific reason (e.g., Express 5.x patches not yet available, or breaking changes already addressed elsewhere).

  2. Compatibility: Confirm that code using Express doesn't rely on Express 5.x-only APIs and that all breaking changes have been addressed. No evidence of testing is visible in the PR.

  3. DevDependency scope: express is in devDependencies. Confirm this is intentional—if Express is only used for development tooling or tests, production security impact is limited. If Express is also a production dependency elsewhere in the monorepo, that must be updated as well.

  4. Version constraint rationale: The caret range (^4.21.2) allows updates within 4.x. Verify this is intentional and document the minimum required version to avoid accidental upgrades that might reintroduce risk.

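A way to check the two points the review raises about dependency scope (is a vulnerable body-parser still reachable anywhere in the tree, not only under this devDependency?) and about what the caret range ^4.21.2 admits, added here as an example that is not part of this PR or of the wso2/vscode-extensions code base. It walks a dependency tree in the shape `npm ls body-parser --all --json` prints, reports every resolved body-parser and whether it falls in the range the thread names (2.2.0 affected, fixed in 2.2.1), and evaluates a caret range against a resolved version. The tree below is constructed to mirror the thread (express 5.1.0 pulling body-parser 2.2.0, express 4.21.2 pulling 1.20.3), not captured from the repository; the `VULNERABLE_RANGES` table and all helper names are assumptions of this example.

```javascript
// Added example, not code from the PR or the project. Audits an npm-ls-style
// dependency tree for body-parser versions in the range named in the review
// (>=2.2.0 <2.2.1) and shows what a caret range such as ^4.21.2 admits.

// Assumed advisory table: package -> [minInclusive, maxExclusive].
const VULNERABLE_RANGES = {
  "body-parser": [[2, 2, 0], [2, 2, 1]],
};

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` of `name` lies inside the assumed advisory range.
function isVulnerable(name, version) {
  const range = VULNERABLE_RANGES[name];
  if (!range) return false;
  const v = parseVersion(version);
  return compare(v, range[0]) >= 0 && compare(v, range[1]) < 0;
}

// Walk the tree (shape: { version, dependencies: { name: node } }) and collect
// every occurrence of a package listed in VULNERABLE_RANGES with its full path,
// so a hit under a production dependency is distinguishable from a dev-only one.
function audit(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name in VULNERABLE_RANGES) {
      out.push({
        path: here.join(" > "),
        name,
        version: node.version,
        vulnerable: isVulnerable(name, node.version),
      });
    }
    audit(node, here, out);
  }
  return out;
}

// Only the paths that resolve to a vulnerable version.
function vulnerablePaths(tree) {
  return audit(tree).filter((r) => r.vulnerable).map((r) => r.path);
}

// Does a caret range like "^4.21.2" admit `version`? A caret range pins the
// leftmost non-zero component, so ^4.21.2 means >=4.21.2 <5.0.0.
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error("only caret ranges are handled here");
  const lo = parseVersion(range.slice(1));
  const v = parseVersion(version);
  if (compare(v, lo) < 0) return false;
  if (lo[0] > 0) return v[0] === lo[0];
  if (lo[1] > 0) return v[0] === 0 && v[1] === lo[1];
  return v[0] === 0 && v[1] === 0 && v[2] === lo[2];
}

// Constructed sample tree mirroring the thread; not real `npm ls` output.
const SAMPLE_TREE = {
  name: "sample-workspace",
  version: "0.0.0",
  dependencies: {
    express: {
      version: "5.1.0",
      dependencies: { "body-parser": { version: "2.2.0" } },
    },
    "some-dev-tool": {
      version: "1.0.0",
      dependencies: {
        express: {
          version: "4.21.2",
          dependencies: { "body-parser": { version: "1.20.3" } },
        },
      },
    },
  },
};

for (const r of audit(SAMPLE_TREE)) {
  console.log(r.vulnerable ? "VULN" : "ok  ", r.path);
}
console.log("^4.21.2 admits 4.22.0:", caretAllows("^4.21.2", "4.22.0"));
console.log("^4.21.2 admits 5.0.0: ", caretAllows("^4.21.2", "5.0.0"));
```

To run it against the real tree, capture `npm ls body-parser --all --json` (or, in a Rush/pnpm workspace like this one, inspect `pnpm why body-parser`) and pass the parsed JSON to audit(); any path reported as vulnerable that sits under a production dependency rather than a devDependency needs the same fix. The caret check also answers the review's last point: ^4.21.2 can drift forward within 4.x but can never resolve to a 5.x release, so it cannot silently pull body-parser 2.x back in through Express.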

@tharindulak tharindulak merged commit 4259b5d into wso2:main Nov 26, 2025
6 checks passed
@coderabbitai coderabbitai bot mentioned this pull request Dec 2, 2025
4 tasks