Update dependency express to ^4.21.2 #53

mend-for-jackfan.us.kg · 2025-02-25T09:47:59Z

This PR contains the following updates:

Package	Type	Update	Change
express (source)	dependencies	minor	`^4.17.1` -> `^4.21.2`

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity	CVSS Score	CVE
High	7.5	CVE-2024-52798
Medium	5.3	CVE-2024-47764

Release Notes

expressjs/express (express)

==========

deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- Remove link renderization in html while redirecting
deps: [email protected]
- add depth option to customize the depth level in the parser
- IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
Remove link renderization in html while using res.redirect
deps: [email protected]
- Adds support for named matching groups in the routes using a regex
- Adds backtracking protection to parameters without regexes defined
deps: encodeurl@~2.0.0
- Removes encoding of \, |, and ^ to align better with URL spec
Deprecate passing options.maxAge and options.expires to res.clearCookie
- Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

`v4.19.2`

Compare Source

==========

Improved fix for open redirect allow list bypass

`v4.19.1`

Compare Source

==========

Allow passing non-strings to res.location with new encoding handling checks

`v4.19.0`

Compare Source

==========

Prevent open redirect allow list bypass due to encodeurl
deps: [email protected]

`v4.18.3`

Compare Source

==========

Fix routing requests without method
deps: [email protected]
- Fix strict json error message on Node.js 19+
- deps: content-type@~1.0.5
- deps: [email protected]
deps: [email protected]
- Add partitioned option

`v4.18.2`

Compare Source

===================

Fix regression routing a large stack in a single route
deps: [email protected]
- deps: [email protected]
- perf: remove unnecessary object clone
deps: [email protected]

`v4.18.1`

Compare Source

===================

Fix hanging on large stack of sync routes

`v4.18.0`

Compare Source

===================

Add "root" option to res.download
Allow options without filename in res.download
Deprecate string and non-integer arguments to res.status
Fix behavior of null/undefined as maxAge in res.cookie
Fix handling very large stacks of sync middleware
Ignore Object.prototype values in settings through app.set/app.get
Invoke default with same arguments as types in res.format
Support proper 205 responses using res.send
Use http-errors for res.format error
deps: [email protected]
- Fix error message for json parse whitespace in strict
- Fix internal error when inflated body exceeds limit
- Prevent loss of async hooks context
- Prevent hanging when request already read
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Add priority option
- Fix expires option to reject invalid dates
deps: [email protected]
- Replace internal eval usage with Function constructor
- Use instance methods on process to check for listeners
deps: [email protected]
- Remove set content headers that break response
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Prevent loss of async hooks context
deps: [email protected]
deps: [email protected]
- Fix emitted 416 error missing headers property
- Limit the headers removed for 304 response
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Remove code 306
- Rename 425 Unordered Collection to standard 425 Too Early

`v4.17.3`

Compare Source

===================

deps: accepts@~1.3.8
- deps: mime-types@~2.1.34
- deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
- Fix handling of __proto__ keys
pref: remove unnecessary regexp for trust proxy

`v4.17.2`

Compare Source

===================

Fix handling of undefined in res.jsonp
Fix handling of undefined when "json escape" is enabled
Fix incorrect middleware execution with unanchored RegExps
Fix res.jsonp(obj, status) deprecation message
Fix typo in res.is JSDoc
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- deps: type-is@~1.6.18
deps: [email protected]
- deps: [email protected]
deps: [email protected]
- Fix maxAge option to reject invalid values
deps: proxy-addr@~2.0.7
- Use req.socket over deprecated req.connection
- deps: [email protected]
- deps: [email protected]
deps: [email protected]
deps: [email protected]
deps: [email protected]
- deps: [email protected]
- deps: [email protected]
- pref: ignore empty http tokens
deps: [email protected]
- deps: [email protected]
deps: [email protected]

If you want to rebase/retry this PR, check this box

socket-security · 2025-02-25T09:49:25Z

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher

View full report↗︎

rafikmojr · 2025-02-25T09:56:20Z

Checkmarx One – Scan Summary & Details – fa8cd9fc-2354-472c-b870-ad4d3c87cf81

New Issues (19)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2024-48949	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The verify function in "lib/elliptic/eddsa/index.js" in the Elliptic versions 4.0.0 through 6.5.5 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
Cx88b46a98-47a5	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
MongoDB_NoSQL_Injection	/routes/showProductReviews.ts: 30	details The application relies on user inputs provided in id in /routes/showProductReviews.ts at line 30 to construct a raw MongoDB query with id in /route... Attack Vector
MongoDB_NoSQL_Injection	/routes/trackOrder.ts: 15	details The application relies on user inputs provided in id in /routes/trackOrder.ts at line 15 to construct a raw MongoDB query with id in /routes/trackO... Attack Vector
MongoDB_NoSQL_Injection	/routes/trackOrder.ts: 15	details The application relies on user inputs provided in id in /routes/trackOrder.ts at line 15 to construct a raw MongoDB query with id in /routes/trackO... Attack Vector
Stored_XSS	/routes/userProfile.ts: 76	details The method Lambda embeds untrusted data in generated output with send, at line 65 of /routes/userProfile.ts. This untrusted data is embedded into t... Attack Vector
Stored_XSS	/routes/videoHandler.ts: 79	details The method Lambda embeds untrusted data in generated output with send, at line 70 of /routes/videoHandler.ts. This untrusted data is embedded into ... Attack Vector
Stored_XSS	/routes/videoHandler.ts: 74	details The method Lambda embeds untrusted data in generated output with send, at line 70 of /routes/videoHandler.ts. This untrusted data is embedded into ... Attack Vector
Stored_XSS	/routes/userProfile.ts: 55	details The method Lambda embeds untrusted data in generated output with send, at line 65 of /routes/userProfile.ts. This untrusted data is embedded into t... Attack Vector
Angular_Client_DOM_XSS	/frontend/src/app/search-result/search-result.component.ts: 144	details The method search_result_component embeds untrusted data in generated output with searchValue, at line 13 of /frontend/src/app/search-result/search... Attack Vector
CVE-2024-11831	Npm-serialize-javascript-5.0.1	details Recommended version: 6.0.2 Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-36751	Npm-parseuri-0.0.6	details Description: An issue in parse-uri and parseuri allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL. Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-47764	Npm-cookie-0.4.2	details Recommended version: 0.7.0 Description: The NPM package cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cook... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
CVE-2024-55565	Npm-nanoid-3.1.20	details Recommended version: 3.3.8 Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values. Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
Cxbb85e86c-2fac	Npm-esbuild-wasm-0.17.8	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
Cxbb85e86c-2fac	Npm-esbuild-0.17.8	details Recommended version: 0.25.0 Description: esbuild is an extremely fast bundler for the web, allowing any website to send any request to the development server and read the response due to d... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
Privacy_Violation	/routes/wallet.ts: 27	details Method Lambda at line 27 of /routes/wallet.ts sends user information outside the application. This may constitute a Privacy Violation. Attack Vector
CVE-2024-48948	Npm-elliptic-6.5.4	details Recommended version: 6.6.1 Description: The Elliptic package versions through 6.5.7 for Node.js, in their ECDSA implementation, do not correctly verify valid signatures if the hash contai... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
Use_Of_Hardcoded_Password	/frontend/src/app/register/register.component.spec.ts: 136	details The application uses the hard-coded password "aaaaa" for authentication purposes, either using it to verify users' identities, or to access another... Attack Vector

Fixed Issues (2004)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Code_Injection~~	/routes/showProductReviews.ts: 30
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/showProductReviews.ts: 30
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/showProductReviews.ts: 30
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/showProductReviews.ts: 30
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Code_Injection~~	/routes/showProductReviews.ts: 30
	~~Code_Injection~~	/routes/trackOrder.ts: 15
	~~Cxf6e7f2c1-dc59~~	Npm-yauzl-2.10.0
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 28
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeSnippet.ts: 94
	~~Stored_XSS~~	/routes/search.ts: 24
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_3.ts: 12
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_1.ts: 6
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 28
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeSnippet.ts: 94
	~~Stored_XSS~~	/routes/search.ts: 24
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_3.ts: 12
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_1.ts: 6
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_3.ts: 12
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 28
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_1.ts: 6
	~~Stored_XSS~~	/routes/search.ts: 24
	~~Stored_XSS~~	/routes/vulnCodeSnippet.ts: 94
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 28
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_1.ts: 6
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/routes/search.ts: 24
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_3.ts: 12
	~~Stored_XSS~~	/routes/vulnCodeSnippet.ts: 94
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_1.ts: 6
	~~Stored_XSS~~	/data/static/codefixes/loginAdminChallenge_1.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_1.ts: 7
	~~Stored_XSS~~	/routes/vulnCodeSnippet.ts: 94
	~~Stored_XSS~~	/routes/search.ts: 24
	~~Stored_XSS~~	/data/static/codefixes/loginBenderChallenge_1.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/loginJimChallenge_4.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/loginAdminChallenge_1.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/dbSchemaChallenge_3.ts: 12
	~~Stored_XSS~~	/routes/login.ts: 37
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 28
	~~Stored_XSS~~	/data/static/codefixes/loginBenderChallenge_1.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/loginJimChallenge_4.ts: 21
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_2_correct.ts: 8
	~~Stored_XSS~~	/routes/login.ts: 37
	~~Stored_XSS~~	/routes/vulnCodeFixes.ts: 80
	~~Stored_XSS~~	/data/static/codefixes/unionSqlInjectionChallenge_3.ts: 11

More results are available on the CxOne platform

Update dependency express to ^4.21.2

6da2064

mend-for-jackfan.us.kg bot added the security fix Security fix generated by Mend label Feb 25, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency express to ^4.21.2 #53

Update dependency express to ^4.21.2 #53

mend-for-jackfan.us.kg bot commented Feb 25, 2025

socket-security bot commented Feb 25, 2025

rafikmojr commented Feb 25, 2025

Update dependency express to ^4.21.2 #53

Are you sure you want to change the base?

Update dependency express to ^4.21.2 #53

Conversation

mend-for-jackfan.us.kg bot commented Feb 25, 2025

Release Notes

What's Changed

What's Changed

What's Changed

New Contributors

socket-security bot commented Feb 25, 2025

rafikmojr commented Feb 25, 2025