npm audit fail on last Express version (4.20.0) due to send(0.19.0) vulnerability #5947

poiuylkkk · 2024-09-11T05:18:15Z

Bug Report: npm audit fails on latest Express version (4.20.0) due to send(0.19.0) vulnerability

Issue Description

Running npm audit on the latest version of Express (4.20.0) fails due to a moderate severity vulnerability in send (<0.19.0).

Here’s the relevant output from npm audit:

npm audit report send <0.19.0

Severity: moderate
send vulnerability to template injection can lead to XSS - http://github.com/advisories/GHSA-m6fv-jmcg-4jfg
No fix available

Steps to reproduce

npm install express --save

porschesstein · 2024-09-11T06:43:01Z

Belonging report in serve-static, where the upgrade to send 0.19.0 is already prepared: expressjs/serve-static#175

NewEraCracker · 2024-09-11T14:18:11Z

My advice for now, if using express v4, until the maintainers actually fix this. See: Mismatched dependency versions

  "overrides": {
    "encodeurl": "~2.0.0",
    "qs": "^6.13.0",
    "send": "^0.19.0"
  },

Be aware it may not be possible for every occasion if other dependencies use a completely different version. My two cents.

wesleytodd · 2024-09-11T17:44:24Z

Closing this in favor of this more complete list of things we need to align versions for: #5943

wesleytodd · 2024-09-11T22:34:52Z

poiuylkkk added the bug label Sep 11, 2024

This was referenced Sep 11, 2024

Mismatched dependency versions #5943

Closed

Create dependabot.yml expressjs/serve-static#178

Closed

UlisesGascon self-assigned this Sep 11, 2024

jonatanschroeder mentioned this issue Sep 11, 2024

Bump express and dependencies PrairieLearn/PrairieLearn#10641

Closed

wesleytodd closed this as completed Sep 11, 2024

NewEraCracker mentioned this issue Oct 8, 2024

Updating to version 0.19.0 tries to install old webpack-dev-server version pillarjs/send#239

Open