
Update Express to 4.21.2, path-to-regexp 0.1.12 #10322

Open
Visible-Radio opened this issue Dec 10, 2024 · 2 comments

Comments

@Visible-Radio

Reproduction

Run npm list path-to-regexp with @remix-run/[email protected]

├─┬ @remix-run/[email protected]
│ └─┬ [email protected]
│   └── [email protected]

Check out this CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-52798

See the related issue in the express repo here:
expressjs/express#6216

Looks like express@4.21.2 addresses it:
https://github.com/expressjs/express/releases/tag/4.21.2

System Info

N/A

Used Package Manager

npm

Expected Behavior

Vulnerabilities in dependencies are addressed in a timely manner.

Actual Behavior

Y'all are doing a great job - this is a new vulnerability. Our scanner is yelling at me.

@jamesRRL

+1 for this

@timdorr
Member

timdorr commented Dec 16, 2024

The version isn't pinned to prevent this:

"express": "^4.20.0",

You can install the updated version yourself with npm update or npm update express.

3 participants