Status: Closed
Labels: effort: easy (Probably a quick fix. Want to contribute? :-)), help wanted (If you're looking to contribute, this issue is a good place to start!)
Description
Summary
rush-serve-plugin depends on express 4.20.0, which depends on vulnerable versions of various packages.
Repro steps
- Run `npm audit` from a project that depends on `@rushstack/rush-serve-plugin` (say `@microsoft/generator-sharepoint`)
- See the following reports; tracking down the dependency tree, these are coming from `rush-serve-plugin`:
```
cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @microsoft/spfx-web-build-rig@1.13.1, which is a breaking change
node_modules/cookie

path-to-regexp <=0.1.11
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp contains a ReDoS - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix --force`
Will install @microsoft/spfx-web-build-rig@1.13.1, which is a breaking change
node_modules/path-to-regexp

send <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @microsoft/spfx-web-build-rig@1.13.1, which is a breaking change
node_modules/send

serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static
```
Expected result: npm audit returns nothing.
Actual result: Returns the above three vulnerabilities from a dependency on rush-serve-plugin.
Details
Bump the version of express to at least 5.0.0 in rush-serve-plugin
Standard questions
Please answer these questions to help us investigate your issue more quickly:
| Question | Answer |
|---|---|
| Package name: | @rushstack/rush-serve-plugin |
| Package version? | 5.158.0 |
| Operating system? | Windows |
| Would you consider contributing a PR? | |
| Node.js version (node -v)? | v18.20.2 |
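The "tracking down the dependency tree" step in the repro above is worth automating when an audit report names transitive packages (`cookie`, `path-to-regexp`, `send`, `serve-static`) rather than the direct dependency that pulls them in. The script below is an added example, not code from this issue or from the rushstack project: it takes a lockfile v3 `packages` map and the `<x.y.z` / `<=x.y.z` ranges printed by `npm audit`, resolves each dependency the way npm does (nearest `node_modules` first, then walking up), and reports the chain from the direct dependency to each flagged package. The lockfile, the versions in it and the patched `send` nested under `serve-static` are constructed for the demo; the vulnerable ranges are the ones from the audit output above.

```javascript
// Added example (not from the rushstack issue or project): trace which direct
// dependency introduces each package flagged by `npm audit`, given a lockfile
// v3 "packages" map. Lockfile contents below are constructed for the demo.

// Ranges copied from the audit report in the issue.
const VULNERABLE_RANGES = {
  cookie: '<0.7.0',
  'path-to-regexp': '<=0.1.11',
  send: '<0.19.0',
  'serve-static': '<=1.16.0',
};

// Constructed lockfile: root -> rush-serve-plugin -> express 4.20.0 -> flagged
// packages. The nested, patched send under serve-static exists only to show
// that resolution picks the nearest node_modules copy.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@rushstack/rush-serve-plugin': '5.158.0', lodash: '4.17.21' } },
    'node_modules/@rushstack/rush-serve-plugin': { version: '5.158.0', dependencies: { express: '4.20.0' } },
    'node_modules/express': {
      version: '4.20.0',
      dependencies: { cookie: '0.6.0', 'path-to-regexp': '0.1.10', send: '0.18.0', 'serve-static': '1.16.0' },
    },
    'node_modules/cookie': { version: '0.6.0' },
    'node_modules/path-to-regexp': { version: '0.1.10' },
    'node_modules/send': { version: '0.18.0' },
    'node_modules/serve-static': { version: '1.16.0', dependencies: { send: '0.19.0' } },
    'node_modules/serve-static/node_modules/send': { version: '0.19.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Numeric compare of "major.minor.patch" strings; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Minimal matcher for the "<x.y.z" and "<=x.y.z" ranges npm audit prints.
function isVulnerable(version, range) {
  const m = /^(<=|<)\s*(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return m[1] === '<' ? c < 0 : c <= 0;
}

// npm resolution: try <from>/node_modules/<name>, then walk up one
// node_modules level at a time until the root is reached.
function resolveDep(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Depth-first walk from the root; record the first chain reaching each
// vulnerable package path. A global visited set avoids cycles and duplicates.
function findVulnerablePaths(lock, ranges) {
  const findings = [];
  const visited = new Set();
  function walk(pkgPath, chain) {
    const deps = lock.packages[pkgPath].dependencies || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(lock, pkgPath, depName);
      if (!depPath || visited.has(depPath)) continue;
      visited.add(depPath);
      const version = lock.packages[depPath].version;
      const nextChain = chain.concat(depName);
      if (ranges[depName] && isVulnerable(version, ranges[depName])) {
        findings.push({ name: depName, version, range: ranges[depName], chain: nextChain });
      }
      walk(depPath, nextChain);
    }
  }
  walk('', []);
  return findings;
}

// Group findings by the direct dependency (first link of the chain).
function groupByDirectDependency(findings) {
  const groups = {};
  for (const f of findings) {
    if (!groups[f.chain[0]]) groups[f.chain[0]] = [];
    groups[f.chain[0]].push(`${f.name}@${f.version} (${f.range}) via ${f.chain.join(' > ')}`);
  }
  return groups;
}

const report = groupByDirectDependency(findVulnerablePaths(LOCK, VULNERABLE_RANGES));
for (const direct of Object.keys(report)) {
  console.log(`${direct}:`);
  for (const line of report[direct]) console.log(`  ${line}`);
}
```

To run it against a real project, replace `LOCK` with `JSON.parse` of the project's `package-lock.json` (lockfile v2 or v3, which both carry the `packages` map) and `VULNERABLE_RANGES` with the ranges from `npm audit`; the output then names the direct dependency to bump or override, which is the question `npm audit` itself leaves the reader to answer by hand.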