Mismatched dependency versions

[NewEraCracker]

I propose:

• Create dependabot.yml #5949
• Create dependabot.yml serve-static#178

Please see:

ec4a01b#commitcomment-146499333

Please sync "qs": "6.11.0", to the actual version "body-parser": "1.20.3", is using which is "qs": "6.13.0",

4c9ddc1#commitcomment-146501448

You should also bump send within "serve-static": "1.16.0", .
express requires "send": "0.19.0", but "serve-static": "1.16.0", requires "send": "0.18.0",

So, bump where applicable the following two packages:

    "qs": "6.13.0",
    "send": "0.19.0",

My two cents.

Related:

• npm audit fail on last Express version (4.20.0) due to send(0.19.0) vulnerability #5947
• Dependency on vulnerable version of send package serve-static#175
• Upgraded dependency qs to 6.13.0 to match qs in body-parser #5946
• bump send to 0.19 serve-static#176

Linking more related issues:

• Send 0.19.0 version showing vulnerability pillarjs/send#237
• Vulnerability to template injection that can lead to XSS. pillarjs/send#238
• Updating to version 0.19.0 tries to install old webpack-dev-server version pillarjs/send#239

[UlisesGascon]

Do you want to create a PR for this @NewEraCracker ? :)

[agadzinski93]

I created a PR for the qs issue @UlisesGascon
Someone else has already made a PR for the send issue for the package serve-static

[NewEraCracker]

There is another one that should be urgently looked at by the maintainers:

This is new version it is important to update: https://github.com/pillarjs/encodeurl/releases/tag/v2.0.0

Express is on latest, but serve-static is still using the vulnerable version.

Edit: This also affects send and finalhandler

The workaround for now is (and it may not be possible for everyone if other dependencies use a completely different version):

  "overrides": {
    "encodeurl": "~2.0.0",
    "qs": "^6.13.0",
    "send": "^0.19.0"
  },

My two cents.

[wesleytodd]

For the serve static and send part: #5951

[wesleytodd]

For qs: #5946

We are already on encodeurl@2.0.0 for 4.x I thought?

I think that means we can close this?

[wesleytodd]

Oh! https://github.com/expressjs/serve-static/blob/1.x/package.json#L9C6-L9C15

Sorry, I should have seen this. I just bumped that lib with only the send update, I guess we will do another patch.

Edit: expressjs/serve-static#180

[wesleytodd]

And finalhandler: pillarjs/finalhandler#62

and the PR into express: #5954

[nwalters512]

Is there a reason that Express pins dependencies like this? I could maybe see the argument to pin third-party packages (though I'd say this is far more uncommon than not in the JS ecosystem), but it's not clear to me why dependencies from the expressjs/pillarjs orgs are pinned since presumably those are all controlled by the same group of people and thus trusted to follow semver and not suddenly become malicious.

[wesleytodd]

We are removing these pins in v5. This is historical from when the ecosystem was MUCH more volatile and the entire project was primarily maintained by one person. It made more sense then, it makes less sense now.

EDIT: You can see we use ^ for any that we updated here

[wesleytodd]

Prepping this release: https://github.com/expressjs/express/compare/4.20.0..4.x