fix: replace serve-static with express.static in CSP demo server to resolve CodeQL alert #32925
Pull request overview
This PR addresses a security/static-analysis concern in the demos CSP server by replacing a custom in-memory rate limiter with the maintained express-rate-limit middleware, and wiring the new dependency into the demos workspace.
Changes:
- Add `express-rate-limit@7.5.0` to `apps/demos` devDependencies and update `pnpm-lock.yaml` accordingly.
- Replace the custom `Map`-based rate limiter in `apps/demos/utils/server/csp-server.js` with `express-rate-limit` configuration and middleware.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| apps/demos/utils/server/csp-server.js | Replaces the hand-rolled rate limiter middleware with express-rate-limit and applies it to the Express app. |
| apps/demos/package.json | Adds express-rate-limit to the demos app dependencies (devDependencies). |
| pnpm-lock.yaml | Locks express-rate-limit@7.5.0 for the apps/demos importer and adds the corresponding package/snapshot entries. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Pull request overview
Updates the CSP demo server under apps/demos to use the maintained express-rate-limit middleware (instead of a custom in-memory limiter), addressing a CodeQL alert in the demo tooling.
Changes:
- Add `express-rate-limit@8.3.1` to `apps/demos` devDependencies.
- Replace the custom Map-based rate limiter in `csp-server.js` with `express-rate-limit` middleware.
- Update `pnpm-lock.yaml` snapshots/importer entries accordingly.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| apps/demos/utils/server/csp-server.js | Replaces custom rate-limiting middleware with express-rate-limit. |
| apps/demos/package.json | Adds express-rate-limit dependency for the demos workspace. |
| pnpm-lock.yaml | Locks the newly added dependency for the apps/demos importer. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
Pull request overview
This PR aims to address a CodeQL alert for the CSP demo server by switching to express-rate-limit and adjusting related demo tooling.
Changes:
- Added `express-rate-limit` to the workspace lockfile.
- Removed the custom in-memory rate limiter from the CSP demo server and switched static serving to `express.static`.
- Reduced CSP check concurrency and lowered the Chrome exec timeout.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-lock.yaml | Adds a direct lockfile entry for express-rate-limit and a new snapshot resolution. |
| apps/demos/utils/server/csp-server.js | Removes the custom rate limiter and replaces serve-static usage with express.static. |
| apps/demos/utils/server/csp-check.js | Tweaks execution parameters (concurrency and timeout) for CSP checking runs. |
Pull request overview
Updates the CSP demo server and the CSP checking script used by the demos workflow, primarily to address a CodeQL alert by removing the direct serve-static usage and to adjust how CSP checks are executed in CI.
Changes:
- Replace `serve-static` with `express.static` in the CSP demo server.
- Remove the server-side in-memory rate limiter middleware.
- Refactor `csp-check.js` to use a concurrency pool, increase default concurrency, and reduce the Chrome launch timeout.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/demos/utils/server/csp-server.js | Switches static file serving to express.static and drops the in-memory rate limiter. |
| apps/demos/utils/server/csp-check.js | Introduces a concurrency pool and changes timing/timeout behavior for the CSP CI check. |
Pull request overview
Updates the CSP demo server and CSP check tooling used by the demos CI workflow, primarily aiming to address a CodeQL alert by switching static-file serving to Express’s built-in middleware.
Changes:
- Replaced `serve-static` usage with `express.static` in the CSP demo server.
- Removed the CSP demo server’s in-memory rate limiter middleware.
- Reworked `csp-check.js` to use a worker pool concurrency model and adjusted Chrome execution parameters (timeouts/budgets).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| apps/demos/utils/server/csp-server.js | Switches static serving to express.static; also removes rate limiting middleware. |
| apps/demos/utils/server/csp-check.js | Changes concurrency execution model and Chrome invocation settings; alters how violations are fetched/attributed. |
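The worker-pool concurrency model the reviews above describe for `csp-check.js`, shown as an added example written for this page rather than the project's own code: a fixed-size pool runs page checks with at most N in flight, a per-check timeout stands in for the Chrome launch timeout, and each page's failure is recorded instead of aborting the run. `runPool`, `withTimeout`, `checkPage`, `runCspChecks`, the sample page list and every timing value are constructed for this demo and are not identifiers from the project.

```javascript
// Added example (not the project's csp-check.js): a fixed-size concurrency pool
// for running page checks, with a per-check timeout and per-page error capture.
// The page list, checkPage() and all timings below are constructed for the demo.

// Run `tasks` (zero-argument functions returning promises) with at most `limit`
// in flight at once. Results come back in input order; a rejected task is
// recorded as { ok: false, error } instead of failing the whole run.
async function runPool(tasks, limit) {
  const results = new Array(tasks.length);
  let next = 0;                       // index of the next task to claim
  async function worker() {
    while (next < tasks.length) {
      const i = next++;               // claim an index, then run that task
      try {
        results[i] = { ok: true, value: await tasks[i]() };
      } catch (err) {
        results[i] = { ok: false, error: err instanceof Error ? err.message : String(err) };
      }
    }
  }
  const size = Math.max(1, Math.min(limit, tasks.length));
  await Promise.all(Array.from({ length: size }, () => worker()));
  return results;
}

// Reject if `promise` has not settled within `ms` (stands in for a browser
// launch timeout). The timer is cleared on settle so a fast check does not
// leave a dangling handle behind.
function withTimeout(promise, ms, label) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`${label}: timed out after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Constructed stand-in for a headless-browser CSP check: resolves with the
// violation count after `delayMs`, or throws when the page is flagged broken.
// `state` counts checks in flight so the pool bound can be verified.
function checkPage(page, state) {
  return async () => {
    state.inFlight++;
    state.peak = Math.max(state.peak, state.inFlight);
    try {
      await new Promise(resolve => setTimeout(resolve, page.delayMs));
      if (page.broken) throw new Error(`${page.url}: browser exited unexpectedly`);
      return { url: page.url, violations: page.violations };
    } finally {
      state.inFlight--;
    }
  };
}

// Constructed sample input: one page slower than the timeout and one broken page.
const SAMPLE_PAGES = [
  { url: '/demos/a.html', delayMs: 5, violations: 0 },
  { url: '/demos/b.html', delayMs: 5, violations: 2 },
  { url: '/demos/c.html', delayMs: 150, violations: 0 },           // exceeds the timeout
  { url: '/demos/d.html', delayMs: 1, violations: 0, broken: true },
  { url: '/demos/e.html', delayMs: 5, violations: 1 },
];

// Check every page with `concurrency` workers. Returns the per-page results,
// the number of failed checks, and the highest number of checks ever in flight.
async function runCspChecks(pages = SAMPLE_PAGES, concurrency = 2, timeoutMs = 40) {
  const state = { inFlight: 0, peak: 0 };
  const tasks = pages.map(p => () => withTimeout(checkPage(p, state)(), timeoutMs, p.url));
  const results = await runPool(tasks, concurrency);
  const failed = results.filter(r => !r.ok).length;
  return { results, failed, peakConcurrency: state.peak };
}

// Usage: run the constructed sample and print a summary.
runCspChecks().then(r => console.log(JSON.stringify(r, null, 2)));
```

The pool claims task indices through a shared counter rather than slicing the input into fixed batches, so a slow page only occupies its own worker while the others keep draining the queue; the timed-out result is still attributed to the right page because results are stored by index, which is the property a CI check needs when it reports which page produced which violations.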
No description provided.