Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mismatched dependency versions #5943

Closed
NewEraCracker opened this issue Sep 10, 2024 · 15 comments
Closed

Mismatched dependency versions #5943

NewEraCracker opened this issue Sep 10, 2024 · 15 comments

Comments

@NewEraCracker
Copy link

NewEraCracker commented Sep 10, 2024

I propose:

Please see:

ec4a01b#commitcomment-146499333

Please sync "qs": "6.11.0", to the actual version "body-parser": "1.20.3", is using which is "qs": "6.13.0",

4c9ddc1#commitcomment-146501448

You should also bump send within "serve-static": "1.16.0", .
express requires "send": "0.19.0", but "serve-static": "1.16.0", requires "send": "0.18.0",

So, bump where applicable the following two packages:

    "qs": "6.13.0",
    "send": "0.19.0",

My two cents.

Related:

Linking more related issues:

@UlisesGascon
Copy link
Member

Do you want to create a PR for this @NewEraCracker ? :)

@agadzinski93
Copy link

I created a PR for the qs issue @UlisesGascon
Someone else has already made a PR for the send issue for the package serve-static

@NewEraCracker
Copy link
Author

NewEraCracker commented Sep 11, 2024

There is another one that should be urgently looked at by the maintainers:

This is new version it is important to update: https://github.com/pillarjs/encodeurl/releases/tag/v2.0.0

Express is on latest, but serve-static is still using the vulnerable version.

Edit: This also affects send and finalhandler

The workaround for now is (and it may not be possible for everyone if other dependencies use a completely different version):

  "overrides": {
    "encodeurl": "~2.0.0",
    "qs": "^6.13.0",
    "send": "^0.19.0"
  },

My two cents.

@wesleytodd
Copy link
Member

For the serve static and send part: #5951

@wesleytodd
Copy link
Member

For qs: #5946

We are already on encodeurl@2.0.0 for 4.x I thought?

I think that means we can close this?

@wesleytodd
Copy link
Member

wesleytodd commented Sep 11, 2024

Oh! https://github.com/expressjs/serve-static/blob/1.x/package.json#L9C6-L9C15

Sorry, I should have seen this. I just bumped that lib with only the send update, I guess we will do another patch.

Edit: expressjs/serve-static#180

@wesleytodd
Copy link
Member

wesleytodd commented Sep 11, 2024

And finalhandler: pillarjs/finalhandler#62

and the PR into express: #5954

@nwalters512
Copy link

Is there a reason that Express pins dependencies like this? I could maybe see the argument to pin third-party packages (though I'd say this is far more uncommon than not in the JS ecosystem), but it's not clear to me why dependencies from the expressjs/pillarjs orgs are pinned since presumably those are all controlled by the same group of people and thus trusted to follow semver and not suddenly become malicious.

@wesleytodd
Copy link
Member

wesleytodd commented Sep 11, 2024

We are removing these pins in v5. This is historical from when the ecosystem was MUCH more volatile and the entire project was primarily maintained by one person. It made more sense then, it makes less sense now.

EDIT: You can see we use ^ for any that we updated here

@wesleytodd
Copy link
Member

Prepping this release: https://github.com/expressjs/express/compare/4.20.0..4.x

@wesleytodd
Copy link
Member

https://github.com/expressjs/express/releases/tag/4.21.0

@NewEraCracker
Copy link
Author

send@0.19.0 depends on: "encodeurl": "~1.0.2", - It should be updated to v2.

I'll continue forcing it on my overrides to workaround: "encodeurl": "~2.0.0",

@UlisesGascon @wesleytodd

@wesleytodd
Copy link
Member

pillarjs/send#240

@kjugi
Copy link

kjugi commented Sep 12, 2024

Does it make sense to introduce patch updates for packages in v4 in that case? It's a simple change which could simplify fix on the project level at least a bit more

We are removing these pins in v5. This is historical from when the ecosystem was MUCH more volatile and the entire project was primarily maintained by one person. It made more sense then, it makes less sense now.

We can't predict when it will happen again. v5 adoption will take some time and I would prefer to stay on v4 for now. It can be limited to the packages that you have already changed. So you can avoid adding it blindly to every package.

EDIT: You can see we use ^ for any that we updated here

@wesleytodd

@wesleytodd
Copy link
Member

wesleytodd commented Sep 12, 2024

We are working on those patches. But with the time commitment this week from the release I needed to spend some time on my actual job today. v4 is absolutely still the main line version of express and is fully supported. We will be publishing more docs soon about it, just please be patient with us. :)

EDIT: been a long day, I am re-reading your post and thinking maybe now you are asking if we should move to ~ or ^ prefixes in package.json for v4. To answer that in case that is what you meant, in this case it wouldnt have helped because it was a major we needed to update to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants