Merge pull request #329 from ejarocki-cloudlinux/master

move express to a separate page

Author: ejarocki-cloudlinux

docs/.vuepress/components/ELSTechnology.vue

@@ -318,7 +318,7 @@ const techData = [
       {
         name: "express",
         versions: "3.21.2",
-        link: "./javascript-libraries/",
+        link: "./express/",
       },
       {
         name: "express-jwt",

docs/.vuepress/config-client/sidebar.ts

@@ -235,6 +235,10 @@ export default {
                     path: '/els-for-libraries/bootstrap/',
                     icon: '/images/bootstrap-logo.webp',
                 },
+                {
+                    path: '/els-for-libraries/express/',
+                    icon: '/images/express-logo.webp',
+                },
                 {
                     path: '/els-for-libraries/fastify/',
                     icon: '/images/fastify-logo.webp',

docs/els-for-libraries/express/README.md

@@ -0,0 +1,187 @@
+# express
+
+Endless Lifecycle Support (ELS) for express from TuxCare provides security fixes for express versions that have reached their end of life. This allows you to continue running express applications without vulnerability concerns, even after official support has ended.
+
+## Supported express Versions
+
+* express 3.21.2
+
+## Connection to ELS for express Library
+
+This guide outlines the steps needed to integrate the TuxCare ELS for the express library.
+
+## Step 1: Get Token
+
+You need a token in order to use TuxCare ELS express library. Anonymous access is disabled. To receive the token, please contact [[email protected]](mailto:[email protected]).
+
+## Step 2: Set Up ELS for express
+
+TuxCare provides ELS for express as an NPM package, hosted on a secure internal registry. Follow the steps below to add it to your project and get started.
+
+1. Navigate to the root directory of your express project.
+2. Create a `.npmrc` file or update it if it already exists.
+
+   **Example:**
+
+   ```text
+   my-express-project/
+   ├── node_modules/
+   ├── package.json
+   ├── .npmrc         ⚠️ ← Create it here
+   └── package-lock.json
+   ```
+
+3. Use an editor of your choice (e.g., VS Code) to add the following registry address line:
+
+   <CodeWithCopy>
+
+   ```text
+   registry=https://registry.npmjs.org/
+   @els-js:registry=https://nexus.repo.tuxcare.com/repository/els_js/
+   //nexus.repo.tuxcare.com/repository/els_js/:_auth=${TOKEN}
+   ```
+
+   </CodeWithCopy>
+
+   :::warning
+   Replace ${TOKEN} with the token you received from [[email protected]](mailto:[email protected]).
+   :::
+
+4. Update your `package.json` file to replace your express dependencies with the TuxCare packages. You can do this in two ways:
+
+   * **Option 1: TuxCare Patcher (Automated)**
+
+     Install the Patcher globally and run it. The TuxCare Patcher automatically detects the express version in your `package.json` and updates your `dependencies` and `overrides` to use the corresponding TuxCare `@els-js/*` packages.
+
+     <CodeWithCopy>
+
+     ```text
+     npm install -g @els-js/tuxcare-patcher --userconfig ./.npmrc
+     tuxcare-patch-js
+     ```
+
+     </CodeWithCopy>
+
+     The patcher will update your `package.json`, for example, from:
+
+     ```text
+     "dependencies": {
+       "express": "^3.21.2"
+     }
+     ```
+
+     to:
+
+     ```text
+     "dependencies": {
+       "express": "npm:@els-js/[email protected]"
+     },
+     "overrides": {
+       "[email protected]": "npm:@els-js/[email protected]"
+     }
+     ```
+    
+   * **Option 2: Manual Update**
+
+     Manually update your `package.json` file by replacing your express dependencies with the TuxCare packages. This method gives you full control over which packages to update.
+
+     <CodeWithCopy>
+
+     ```text
+     "dependencies": {
+       "express": "npm:@els-js/[email protected]"
+     }
+     ```
+
+     </CodeWithCopy>
+
+5. You need to remove the `node_modules` directory and the `package-lock.json` file, and also clear the `npm cache` before installing the patched packages. Use the following commands:
+   
+   <CodeWithCopy>
+
+   ```text
+   rm -rf node_modules package-lock.json && npm cache clean --force
+   ```
+
+   </CodeWithCopy>
+
+6. Run the following command to install the ELS version of the express library (token for the TuxCare repository will be automatically picked up from your `.npmrc` file):
+
+   <CodeWithCopy>
+
+   ```text
+   npm install
+   ```
+
+   </CodeWithCopy>
+
+   You will see an output like:
+
+   ```text
+    added 1 package, and audited 2 packages in 792ms
+    
+    found 0 vulnerabilities
+   ```
+
+7. You've successfully installed the Tuxcare ELS version of the express library into your project.
+
+## Vulnerability Exploitability eXchange (VEX) 
+
+VEX is a machine-readable format that tells you if a known vulnerability and is actually exploitable in your product. It reduces false positives, helps prioritize real risks.
+
+TuxCare provides VEX for express ELS versions: [security.tuxcare.com/vex/cyclonedx/els_lang_javascript/express/](https://security.tuxcare.com/vex/cyclonedx/els_lang_javascript/express/).
+
+## How to Upgrade to a Newer Version of TuxCare Packages
+
+If you have already installed a package with a `tuxcare.1` suffix and want to upgrade to a newer release (for example, `tuxcare.3`), you can use one of the following methods:
+
+* **Option 1: TuxCare Patcher (Automated). Recommended for projects with multiple TuxCare dependencies.**
+
+  The TuxCare Patcher automatically detects all TuxCare dependencies in your `package.json` and updates them to the latest available versions.
+
+  <CodeWithCopy>
+
+  ```text
+  tuxcare-patch-js --upgrade
+  ```
+
+  </CodeWithCopy>
+
+* **Option 2: Manual Update via CLI (Single Dependency)**
+
+  If you want to update a single TuxCare dependency, use the npm install command with the specific version. This automatically updates both `package.json` and `package-lock.json`:
+
+  <CodeWithCopy>
+
+  ```text
+  npm install express@npm:@els-js/[email protected]
+  ```
+
+  </CodeWithCopy>
+
+* **Option 3: Manual Update via package.json (Multiple Dependencies)**
+
+  If you want to update several TuxCare dependencies, manually update the version strings in your `package.json`, then remove installed files and clear npm cache to avoid conflicts:
+
+  <CodeWithCopy>
+
+  ```text
+  rm -rf node_modules package-lock.json && npm cache clean --force
+  npm install
+  ```
+
+  </CodeWithCopy>
+
+## Resolved CVEs
+
+Fixes for the following vulnerabilities are available in ELS for express from TuxCare versions:
+
+| CVE ID         | CVE Type | Severity | Affected Libraries | Vulnerable Versions |
+| :------------: | :------: |:--------:|:------------------:| :----------------: |
+| CVE-2024-10491 | Direct   | Medium   | express            | <= 3.21.4          |
+| CVE-2024-29041 | Direct   | Medium   | express            | < 4.19.2, >= 5.0.0-alpha.1 < 5.0.0-beta.3 |
+| CVE-2024-43796 | Direct   | Medium   | express            | < 4.20.0           |
+| CVE-2024-9266  | Direct   | Medium   | express            | >= 3.4.5 < 4.0.0   |
+
+If you are interested in the TuxCare Endless Lifecycle Support, contact [[email protected]](mailto:[email protected]).
+

docs/els-for-libraries/javascript-libraries/README.md

@@ -13,7 +13,6 @@ Endless Lifecycle Support (ELS) for Libraries from TuxCare provides security fix
 * **crypto-js** 3.3.0
 * **debug** 4.1.1
 * **dompurify** 2.3.0, 2.4.3
-* **express** 3.21.2
 * **express-jwt** 0.1.3
 * **form-data** 2.3.3
 * **formidable** 2.1.2
@@ -106,18 +105,18 @@ TuxCare provides ELS for JavaScript libraries as NPM packages, hosted on a secur
 
       ```text
       "dependencies": {
-        "express": "^3.21.2"
+        "cookie": "^0.4.2"
       }
       ```
 
       to:
 
       ```text
       "dependencies": {
-        "express": "npm:@els-js/[email protected].2-tuxcare.1"
+        "cookie": "npm:@els-js/[email protected].2-tuxcare.2"
       },
       "overrides": {
-        "[email protected].2": "npm:@els-js/[email protected].2-tuxcare.1"
+        "[email protected].2": "npm:@els-js/[email protected].2-tuxcare.2"
       }
       ```
     
@@ -129,7 +128,7 @@ TuxCare provides ELS for JavaScript libraries as NPM packages, hosted on a secur
 
       ```text
       "dependencies": {
-        "express": "npm:@els-js/[email protected].2-tuxcare.1"
+        "cookie": "npm:@els-js/[email protected].2-tuxcare.2"
       }
       ```
 
@@ -214,7 +213,7 @@ If you have already installed a package with a `tuxcare.1` suffix and want to up
   <CodeWithCopy>
 
   ```text
-  npm install express@npm:@els-js/[email protected].2-tuxcare.2
+  npm install cookie@npm:@els-js/[email protected].2-tuxcare.2
   ```
 
   </CodeWithCopy>
@@ -277,15 +276,11 @@ Fixes for the following vulnerabilities are available in ELS for JavaScript Libr
 | CVE-2020-7608  | Direct   | Medium   | yargs-parser      | < 5.0.1, ≥ 6.0.0 < 13.1.2, ≥ 14.0.0 < 15.0.1, ≥ 16.0.0 < 18.1.1 |
 | CVE-2023-0842  | Direct   | Medium   | xml2js            | 0.4.23             |
 | CVE-2023-28155 | Direct   | Medium   | request           | <= 2.88.1          |
-| CVE-2024-10491 | Direct   | Medium   | express           | <= 3.21.4          |
-| CVE-2024-29041 | Direct   | Medium   | express           | < 4.19.2, >= 5.0.0-alpha.1 < 5.0.0-beta.3 |
 | CVE-2024-47764 | Direct   | Medium   | cookie            | < 0.7.0            |
 | CVE-2024-4067  | Direct   | Medium   | micromatch        | < 4.0.8            |
-| CVE-2024-43796 | Direct   | Medium   | express           | < 4.20.0           |
 | CVE-2024-45801 | Direct   | Medium   | dompurify         | < 2.5.4, >= 3.0.0 < 3.1.3 |
 | CVE-2024-47068 | Direct   | Medium   | rollup            | < 2.79.2, < 3.29.5, < 4.22.4 |
 | CVE-2024-47875 | Direct   | Medium   | dompurify         | < 2.5.0, >= 3.0.0 < 3.1.3 |
-| CVE-2024-9266  | Direct   | Medium   | express           | >= 3.4.5 < 4.0.0   |
 | CVE-2025-26791 | Direct   | Medium   | dompurify         | < 3.2.4            |
 | CVE-2025-30359 | Direct   | Medium   | webpack-dev-server | < 5.2.1            |
 | CVE-2025-32997 | Direct   | Medium   | http-proxy-middleware | < 2.0.9, 3.x < 3.0.5 |