-
Notifications
You must be signed in to change notification settings - Fork 399
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
package vulnerabilities with dependency "path-to-regexp" and "send" #2242
Comments
Hi @nirh1989, thank you so much for flagging this. The "express" dependency and its sub-dependencies are only used by ExpressReceiver, so if you don't use ExpressReceiver (note that the default one is HTTPReceiver, which uses only Node standard modules), there is no actual security risk with this alert. With that being said, this project will take necessary actions to eliminate the high-severity audit error when feasible. At this moment, there is nothing we can do (if I understand correctly). |
Hi @seratch Thank you for your comment,
and this is what i get what i run
everything in the message seems to come from |
Hi @seratch I created the same in Stackblitz: you go in, run |
I do understand this is happening. Let me clarify a bit more. The actual dependency tree is Regarding the short-term actions this project can take, the |
Hi @seratch, I understand what you are saying, so i dig further. This will solve it |
Actually I already tried it but it didn't work out. Even with it, any version of express 4.x still uses 6.x. It seems the only solution at this moment seems to be upgrading express to ^5.0. If it's inevitable to upgrade express, we will do so. By the way, let me correct this:
Since #1785 was merged, SocketModeReceiver and a few others use |
Update: I created a draft pull request (#2244) to upgrade Express to v5, which was released just a day ago. This resolves the issue, but I'd like to avoid doing this as much as possible because it requires existing ExpressReceiver users to immediately migrate to Express v5. If we have to do this, the release version must be either minor or major. |
Thank you @seratch When i should expect this to be merged? |
I cannot tell the exact timing but if it'll be merged, it won't take long (meaning it won't be next week); thank you so much for being patient with this |
thank you very much @seratch for being responsive and handle this issue :) |
We are still investigating the scope of addressing this. It may require a major new version. Your patience is appreciated. |
To resolve the issue, we would require upgrading express from v4 to v5, as @seratch has explored in #2244. Because bolt-js supports, as a first-class option, different kinds of 'receivers' (that is, different mechanisms of receiving events from Slack, described in more detail here), and one of the supported receivers in this project is the Given that, I think the only way to address this security vulnerability is to release a new major version of bolt that moves from express v4 to v5. |
@filmaj Thank you for looking into this. Regarding the plans for bolt v4 including express v5 and dropping EOLed runtimes, it looks great to me too. At the same time, I came to think that we should quickly release |
Sounds good. I'll release a patch with upgraded I will update this issue once 3.21.4 is live. |
This may not be so easy and still support node 12... because the latest path-to-regexp uses language features that are not supported in node 12 (optional chaining, the |
@filmaj Hmm, if there is no workaround, I think it's okay to drop Node 12 tests this time. It's not great in principle, but the version was EOLed 2.5 years ago. I believe no one will complain about it. |
OK, #2251 is ready for review. |
Reopened this because the complete resolution for both path-to-regexp and send will be done when we release a new major version w/ Express v5 requirement. No blocker for 3.21.4 release. |
bolt v3.21.4 is live on npm and at least upgrades
|
Hi, what about @nestjs/platform-express ? seems like its also breaking |
It seems serve-static's latest version no longer has the vul issue (meaning no [email protected] dependency via the package):
|
@MeiravShimelman Sorry, I don't understand your question yet, but express's latest version no longer has the "send" package's vulnerability issue. Also, in general, bolt-js does not work properly within a Nest.js app due to bolt-js's restriction. If you have follow-up questions, please feel free to create a new issue for them. |
bolt-js 3.x does not have this issue anymore, so let me close this issue now |
Hello, it appears that |
We don't lock express version. 4.16.4 is the oldest version we support: https://github.com/slackapi/bolt-js/blob/%40slack/bolt%403.21.4/package.json#L53 Indeed, future releases in bolt-js 3.x should upgrade the oldest version, but for now, you can quickly upgrade express by |
I see, thanks for the kind response. |
Hi Team,
I am using
"@slack/bolt": "^3.21.2"
and getting vulnerabilities notification.Can you please fix the following vulnerabilities?
The text was updated successfully, but these errors were encountered: