From f827d845ece4c4808f1ecadb99388da2df3519cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ulises=20Gasc=C3=B3n?= Date: Wed, 9 Oct 2024 11:16:27 +0200 Subject: [PATCH] docs: added links to CVE-2024-45590 --- _posts/2024-09-12-v5-release.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_posts/2024-09-12-v5-release.md b/_posts/2024-09-12-v5-release.md index 49af28b740..17d716f4a0 100644 --- a/_posts/2024-09-12-v5-release.md +++ b/_posts/2024-09-12-v5-release.md 
@@ -14,7 +14,9 @@ Council](https://github.com/openjs-foundation/cross-project-council/) and its me This release is designed to be boring! That may seem odd, but we've intentionally kept it simple to unblock the ecosystem and enable more impactful changes in future releases. The focus of this release was on dropping old Node.js version support, addressing security concerns, and simplifying maintenance. -Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and security triage team to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to enure the code and CVE reports went out together. While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. +Before going into the changes in this release, let's address why we released v5 on the `next` dist-tag. As part of reviving the project, we started a [Security Working Group](https://github.com/expressjs/security-wg) and [security triage team](https://github.com/expressjs/security-wg?tab=readme-ov-file#security-triage-team) to address the growing needs around open source supply chain security. We undertook a security audit (more details to come on that) and uncovered some problems that needed to be addressed. Thus, in addition to the "normal" work that we did in public issues, we also did a lot of security work in private forks. This security work required orchestration when releasing, to ensure the code and CVE reports went out together. 
You can find a summary of the most recent vulnerabilities patched in [our security release notes](https://expressjs.com/2024/09/29/security-releases.html). + +While we weren't able to simultaneously release this blog post, our changelog, and the documentation, we felt it was most important to have a secure and stable release. As soon as possible, we'll provide more details on our long-term support (LTS) plans, including when the release will move from `next` to `latest`. For now, if you are uncomfortable being on the bleeding edge (even if it is a rather dull edge) then you should wait to upgrade until the release is on tagged as `latest`. That said, we look forward to working with you to address any bugs you encounter as you upgrade. @@ -73,7 +75,7 @@ NOTE: Best practice is to handle errors as close to the site as possible. So whi There are a number of `body-parser` changes: -- Add option to customize the urlencoded body depth with a default value of 32 (@TODO see CVE) +- Add option to customize the urlencoded body depth with a default value of 32 as mitigation for [CVE-2024-45590](https://nvd.nist.gov/vuln/detail/CVE-2024-45590) ([technical details](https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce)) - Remove deprecated `bodyParser()` combination middleware - `req.body` is no longer always initialized to `{}` - `urlencoded` parser now defaults `extended` to false
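Review bot: in the first hunk (the `@@ -14,7 +14,9 @@` region), the new security triage team link carries GitHub UI state in its URL (`?tab=readme-ov-file#security-triage-team`); the `tab=readme-ov-file` query parameter is what GitHub's page chrome adds when you click the README tab and is not needed for the anchor to resolve, so `https://github.com/expressjs/security-wg#security-triage-team` is the cleaner, more durable form. Two smaller points in the same hunk: the added sentence links the security release notes by absolute `https://expressjs.com/...` URL, which will not follow the site when the post is previewed on a fork or staging host, so a site-relative path would be the safer convention if the rest of the posts use one; and since the paragraph is being edited anyway, the unchanged trailing context line still reads "until the release is on tagged as `latest`" (stray "on"), which could be fixed in this same PR.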
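Review bot: in the second hunk (the `@@ -73,7 +75,7 @@` region), the rewritten `body-parser` bullet still does not name the new option or show how to set it; "Add option to customize the urlencoded body depth" tells a reader upgrading to v5 that a knob exists but not what it is called or where it is passed, so they have to follow the commit link to find out. Since this line is the one place in the changelog that explains the CVE-2024-45590 mitigation, consider naming the option and giving a one-line usage inline, and linking the GitHub advisory alongside the NVD entry so the affected-version range is one click away. Minor grammar: "as mitigation for" should read "as a mitigation for".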