outdated dependencies

[UlisesGascon]

👉 SEE

[dougwilson]

Yea, we can look at updating them :) for the non dev ones, would you be willing to list what all has chaned in each one so we can determine if updating it would be a patch version, minor version, or major version for express? For example cookie-signature drops support for Node.js less than 6.6 I believe making it a major version bump for express. Getting the details for each one of thos will help plan.

We'd want to split into the three version buckets so we can make the relevant releases which each type of change. We need to gather what the differences are anyway for HISTORY.md file.

[UlisesGascon]

Thanks for the fast replay @dougwilson!

Sure. I will create new PRs follow your advise. As we are looking to support old nodejs version (0.10) I will investigate each of them to see how far I can go with the upgrade and create separete PRs 👍

After that I will open an issue for branch 5.0. There I will use a different strategy as I assume we only need to support v10. Maybe I can wait until branch 5.0 got updated with master changes?, seems like last sync was at 5f0c829

[dougwilson]

Ah, yes, we will get 4.17 line into the 5.0 branch along with the router updates that will make up the beta.1 release this month.

Depending on how this dep updates shake out, we may do a patch 4.17, then merge into 5.0.

[UlisesGascon]

So, time for a new approach:

⚠️ Important

• This message will be changing once this issue is getting fix. So please refresh the browser before replay :-)

ℹ️ Context

• Outdated dependencies update is not an easy tasks at the current status of Express.
• I will use this issue (outdated dependencies #4171) to coordinate dependencies upgrade for version 4.x (not breaking with Nodejs v0.10)
• I will use a different issue (Not yet created) to coordinate dependencies upgrade for Express 5.x (not breaking with Nodejs v10)
• As suggest by @dougwilson, I will create a new PR per dependency in order to simplify the express bumping versioning and HISTORY.md sustainability.

🌮 Pending actions for @UlisesGascon

• Evaluate which libraries are in scope for this change (not development)
• Evaluate what are the latests non-breaking versions (compatible to v0.10)
• Create PRs per each one including impact evaluation (semver impact, changes to make, etc...) so the Express team can coordinate the next 4.x release w/o suffering ❤️
• Document the missing ones for further discussions and 5.x target

💪 Pending PRs

Extra context

• debug version 4.1.1 will break.
• qs version 6.9.1 is working but @dougwilson recommend 6.7.0. see
• safe-buffer version 5.2.0 is working but @dougwilson recommend 5.1.2. see
• debug update is not backwards-compatible. In scope for 5.0. see: deps: bump debug version to 3.2.6 #4173

Expected PRs

• array-flatten -> 2.1.2 (OK) -> 3.0.0 (Need work)
• path-to-regexp -> 6.1.0 (Need Work)
• cookie-signature -> 1.1.0 (OK) PR: Feature/4171 depd #4174
• depd -> 2.0.0 (OK) PR: Feature/4171 depd #4174
• setprototypeof -> 1.2.0 (OK) PR: Feature/4171 depd #4174

Notes:

List of libraries in scope for the current issue and derivate PRs:

In scope for v4.x

• array-flatten
• cookie-signature
• debug
• depd
• path-to-regexp
• qs
• safe-buffer
• setprototypeof

Out of scope

• connect-redis (due devDependencie)
• cookie-session (due devDependencie)
• ejs (due devDependencie)
• eslint (due devDependencie)
• express-session (due devDependencie)
• hbs (due devDependencie)
• marked (due devDependencie)
• mocha (due devDependencie)
• supertest (due devDependencie)

Starting point for Express 4.0

Just the npm outdatemessage for context. Nothing else ;-)

Package           Current  Wanted  Latest  Location
array-flatten       1.1.1   1.1.1   3.0.0  express
connect-redis       3.4.1   3.4.1   4.0.4  express
cookie-session      1.3.3   1.3.3   1.4.0  express
cookie-signature    1.0.6   1.0.6   1.1.0  express
debug               2.6.9   2.6.9   4.1.1  express
depd                1.1.2   1.1.2   2.0.0  express
ejs                 2.6.1   2.6.1   3.0.1  express
eslint             2.13.1  2.13.1   6.8.0  express
express-session    1.16.1  1.16.1  1.17.0  express
hbs                 4.0.4   4.0.4   4.1.0  express
marked              0.6.2   0.6.2   0.8.0  express
mocha               5.2.0   5.2.0   7.0.1  express
path-to-regexp      0.1.7   0.1.7   6.1.0  express
qs                  6.7.0   6.7.0   6.9.1  express
safe-buffer         5.1.2   5.1.2   5.2.0  express
setprototypeof      1.1.1   1.1.1   1.2.0  express
supertest           3.3.0   3.3.0   4.0.2  express

Fancy bash script to simulate CI for Node v0.10

[UlisesGascon]

@dougwilson do you think that array-flatten@2.1.2 or array-flatten@3.0.0 and path-to-regexp still relevant for 4.0 or just to 5.0?

[dougwilson]

Sorry, just took a look and yea, I don't think any of those can be upgraded; path-to-regexp we know cannot because it changes how you declare the routes in a non-backwards-compatible manner, and array-flatten is exported externally in 4.x, so even though it wouldn't break our internal usage, there is code in the wild using our export.

[dougwilson]

So this is the outdated (production) tree of the current version, where I have removed the ones already excluded in conversation above:

Package           Current  Wanted  Latest  Location
depd                1.1.2   1.1.2   2.0.0  express
depd                1.1.2   1.1.2   2.0.0  express > body-parser
depd                1.1.2   1.1.2   2.0.0  express > send
depd                1.1.2   1.1.2   2.0.0  express > serve-static > send
http-errors         1.7.2   1.7.2   1.7.3  express > body-parser
http-errors         1.7.2   1.7.3   1.7.3  express > send
http-errors         1.7.2   1.7.3   1.7.3  express > serve-static > send
iconv-lite         0.4.24  0.4.24   0.5.1  express > body-parser
ipaddr.js           1.9.0   1.9.0   1.9.1  express > proxy-addr
media-typer         0.3.0   0.3.0   1.1.0  express > type-is
media-typer         0.3.0   0.3.0   1.1.0  express > body-parser > type-is
mime                1.6.0   1.6.0   2.4.4  express > send
mime                1.6.0   1.6.0   2.4.4  express > serve-static > send
qs                  6.7.0   6.7.0   6.9.1  express
qs                  6.7.0   6.7.0   6.9.1  express > body-parser
raw-body            2.4.0   2.4.0   2.4.1  express > body-parser
safe-buffer         5.1.2   5.1.2   5.2.0  express
safe-buffer         5.1.2   5.1.2   5.2.0  express > content-disposition
ms                  2.1.1   2.1.1   2.1.2  express > send
ms                  2.1.1   2.1.1   2.1.2  express > serve-static > send
setprototypeof      1.1.1   1.1.1   1.2.0  express

[dougwilson]

So from that, I think there is a quick patch version we can release of 4.17 to get some of them updated, namely updated (bubble them up from the deps as well) the following:

• http-errors
• ipaddr.js

These are "hidden" deps that even though they look non-patch, depending on the change may surface to our users as a patch, but just needs investigation to confirm:

• media-typer
• qs
• safe-buffer
• setprototypeof

[dougwilson]

Hi @UlisesGascon just wanted to check in on if you have done any additional research, or should I take over this?

[UlisesGascon]

As you wish ;-)

I can submit a PR for http-errors@1.7.3 and ipaddr.js@1.9.1 in their relevant repos. And the same for "hidden" deps.

What do you want me to do? 🤔

[dougwilson]

I can submit a PR for http-errors@1.7.3 and ipaddr.js@1.9.1 in their relevant repos.

Sure!

And the same for "hidden" deps.

Well, we need to research on if they would result in a patch, minor, or major of the relevant repo first. Would you want to take on that research task, or wait to hear back on it and do the prs?

[sarthak0906]

Hello everyone,
I can help with array-flatten (2.1.2) -> (3.0.0) if someone can mentor me a bit.

[dougwilson]

Hi @sarthak0906 the array-flatten is not possible to updated in the 4.x line, which this issue is tracking.

[khassel]

Sorry, no enterprise licence ...

They are writing here some lines about false positives. I can take a look in the logs tomorow (its to late now ...).

So far here are the full results of the 2 scans:

k13@k8s:~/tmp$ docker exec anchore_api anchore-cli image vuln registry.gitlab.com/khassel/container/cookie:0.4.0 non-os
Vulnerability ID           Package                        Severity        Fix          CVE Refs              Vulnerability URL                                        Type        Feed Group        Package Path
CVE-2017-18589             cookie-0.4.0                   High            None         CVE-2017-18589        https://nvd.nist.gov/vuln/detail/CVE-2017-18589          npm         nvdv2:cves        /usr/local/lib/node_modules/cookie/package.json
CVE-2020-7754              npm-user-validate-1.0.0        High            None         CVE-2020-7754         https://nvd.nist.gov/vuln/detail/CVE-2020-7754           npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774              y18n-4.0.0                     High            None         CVE-2020-7774         https://nvd.nist.gov/vuln/detail/CVE-2020-7774           npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-xgh6-85xh-479p        npm-user-validate-1.0.0        Low             1.0.1                              https://github.com/advisories/GHSA-xgh6-85xh-479p        npm         github:npm        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json

k13@k8s:~/tmp$ docker exec anchore_api anchore-cli image vuln registry.gitlab.com/khassel/container/cookie:0.4.1 non-os
Vulnerability ID           Package                        Severity        Fix          CVE Refs             Vulnerability URL                                        Type        Feed Group        Package Path
CVE-2020-7754              npm-user-validate-1.0.0        High            None         CVE-2020-7754        https://nvd.nist.gov/vuln/detail/CVE-2020-7754           npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774              y18n-4.0.0                     High            None         CVE-2020-7774        https://nvd.nist.gov/vuln/detail/CVE-2020-7774           npm         nvdv2:cves        /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-xgh6-85xh-479p        npm-user-validate-1.0.0        Low             1.0.1                             https://github.com/advisories/GHSA-xgh6-85xh-479p        npm         github:npm        /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json

[letmejustputthishere]

Would be super cool if the depd dependency could be upgraded to 2.0.0. When using express with rollup there's always a warning:

Use of eval is strongly discouraged, as it poses security risks and may cause issues with minification

depd stopped using eval in their 2.0.0 release, but apparently express still depends on the 1.1.2 version.

[wenqiw0919]

Is there any plan to bump qs to the latest version 6.10.3?

[krzysdz]

Is there any plan to bump qs to the latest version 6.10.3?

Express 4.18 should be using qs@6.10.3 or newer. qs has been upgraded in 1df7576

[dougwilson]

Yea, this was a tracking issue that was a combination of dependencies for 4.x and 5.x The 5.x ones are just about done and the 4.x ones that were left have all been landed in 4.18, due out in just a bit. I think we're safe to close this issue now. If there are any remaining stragglers, feel free to open issues (or prs) for just them, as I'll be easier to track vs a giant issue.