
bump express to v^4.21 #29079

Closed
wants to merge 9 commits into from

Conversation


@tommasini tommasini commented Sep 10, 2024

Closes #

What I did

Hey Storybook team, I have bumped express on the repo to address this audit advisory: GHSA-m6fv-jmcg-4jfg

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fix incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

name                    before    after     diff      z      %
createSize              0 B       0 B       0 B       -      -
generateSize            77.4 MB   77.4 MB   16 kB     4.14   0%
initSize                162 MB    162 MB    15.1 kB   -0.12  0%
diffSize                85 MB     85 MB     -874 B    -0.34  0%
buildSize               7.57 MB   7.57 MB   0 B       0.32   0%
buildSbAddonsSize       1.66 MB   1.66 MB   0 B       0.41   0%
buildSbCommonSize       195 kB    195 kB    0 B       -      0%
buildSbManagerSize      2.34 MB   2.34 MB   0 B       0.33   0%
buildSbPreviewSize      352 kB    352 kB    0 B       -      0%
buildStaticSize         0 B       0 B       0 B       -      -
buildPrebuildSize       4.55 MB   4.55 MB   0 B       0.41   0%
buildPreviewSize        3.02 MB   3.02 MB   0 B       -1     0%
testBuildSize           0 B       0 B       0 B       -      -
testBuildSbAddonsSize   0 B       0 B       0 B       -      -
testBuildSbCommonSize   0 B       0 B       0 B       -      -
testBuildSbManagerSize  0 B       0 B       0 B       -      -
testBuildSbPreviewSize  0 B       0 B       0 B       -      -
testBuildStaticSize     0 B       0 B       0 B       -      -
testBuildPrebuildSize   0 B       0 B       0 B       -      -
testBuildPreviewSize    0 B       0 B       0 B       -      -

name                       before  after   diff        z      %
createTime                 24.7s   18.9s   -5s -727ms  0.73   -30.2%
generateTime               21.8s   21s     -786ms      0.33   -3.7%
initTime                   16.7s   15.8s   -902ms      -0.81  -5.7%
buildTime                  10.2s   10.3s   132ms       -1.06  1.3%
testBuildTime              0ms     0ms     0ms         -      -
devPreviewResponsive       6.6s    7.6s    1s          1.03   13.2%
devManagerResponsive       4.3s    5.2s    901ms       1.85   🔺17%
devManagerHeaderVisible    745ms   856ms   111ms       0.43   13%
devManagerIndexVisible     776ms   887ms   111ms       0.34   12.5%
devStoryVisibleUncached    1.7s    1.3s    -346ms      0.05   -25.2%
devStoryVisible            777ms   897ms   120ms       0.43   13.4%
devAutodocsVisible         700ms   793ms   93ms        0.61   11.7%
devMDXVisible              660ms   764ms   104ms       0.66   13.6%
buildManagerHeaderVisible  716ms   752ms   36ms        -0.3   4.8%
buildManagerIndexVisible   755ms   788ms   33ms        -0.18  4.2%
buildStoryVisible          754ms   786ms   32ms        -0.5   4.1%
buildAutodocsVisible       680ms   744ms   64ms        0.35   8.6%
buildMDXVisible            690ms   775ms   85ms        0.92   11%

Greptile Summary

This pull request updates the express dependency from version 4.19.2 to 4.20.0 across multiple package.json files in the Storybook repository to address a security advisory.

  • Updated express to ^4.20.0 in five package.json files: builder-vite, builder-webpack5, core, scripts, and server-kitchen-sink
  • Addresses security advisory GHSA-m6fv-jmcg-4jfg, improving overall security
  • Minor version bump, likely to maintain compatibility with existing codebase
  • Consistent change across all affected files, simplifying the update process
  • No other modifications made, focusing solely on the express dependency update


@greptile-apps greptile-apps bot left a comment


LGTM

5 file(s) reviewed, no comment(s)

@tommasini (Author)

We should bump it again when this change is released on a patch version of express: expressjs/serve-static#176

@tommasini tommasini changed the title bump express to v^4.20 bump express to v^4.21 Sep 13, 2024
@valentinpalkovic valentinpalkovic self-assigned this Sep 16, 2024
@valentinpalkovic valentinpalkovic added the labels bug, patch:yes (Bugfix & documentation PR that need to be picked to main branch), security and ci:normal on Sep 16, 2024

nx-cloud bot commented Sep 16, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 45f3a87. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.

📂 See all runs for this CI Pipeline Execution


✅ Successfully ran 1 target


@ahayes91 ahayes91 (Contributor) left a comment

my approval means nothing! but would be great to get this in to solve some snyk noise for us 💯


jbouder commented Oct 5, 2024

Just curious what the plan is here. Can we get this updated? Or is express being replaced? Seeing multiple PRs with replacements


rkh commented Oct 6, 2024

Note that 4.21 is still impacted by CVE-2024-47764


jbouder commented Oct 6, 2024

Note that 4.21 is still impacted by CVE-2024-47764

That’s true. Might be worth waiting for a new version of express which includes that being fixed :/


shilman (Member) commented Oct 6, 2024

Likely superseded by #29230


jbouder commented Oct 6, 2024

Likely superseded by #29230

Good to know. Thank you!


t2y commented Oct 9, 2024

express 4.21.1 and 5.0.1 are available in npm with the patch 🥳
expressjs/express#6019 (comment)

@tommasini tommasini closed this Oct 18, 2024