Update dependencies to fix vulnerability#20

Merged
odanado merged 4 commits intoline:mainfrom
D-ske104:update-libs
Mar 5, 2025
Conversation

@D-ske104
Contributor

@D-ske104 D-ske104 commented Sep 9, 2024

Update dependencies to fix vulnerability

Fix #19

  • run npm update
  • update ws
  • update express
  • update webpack

No breaking changes.

| package | before | after | release note |
| --- | --- | --- | --- |
| ws | 8.5.0 | 8.18.0 | https://github.com/websockets/ws/releases |
| express | 4.17.3 | 4.21.1 | https://github.com/expressjs/express/releases |
| webpack | 5.89.0 | 5.94.0 | https://github.com/webpack/webpack/releases |

run `npm update`

update ws

update express

update webpack
```
npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/cookie

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

6 vulnerabilities (1 low, 2 moderate, 3 high)
```
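As an added example (not code from this PR or the liff-inspector project): a small check that the versions the PR installs fall outside the vulnerable ranges printed in the audit report above. It carries its own minimal semver comparator, because it assumes the `semver` package is not available, and only the range syntax that appears in the report is supported.

```javascript
// Added example (not from the PR): check whether the versions the PR installs are
// outside the vulnerable ranges printed by `npm audit` ("<x", "<=x", "a - b", "||").

// "5.0.0-alpha.1" -> { core: [5, 0, 0], pre: ["alpha", 1] }; pre is null for a release.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  const ids = s => s.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p));
  return { core: core.split('.').map(Number), pre: pre ? ids(pre) : null };
}

// Semver ordering: core numbers first, then prerelease identifiers
// (a prerelease sorts before its release; numeric ids before alphanumeric ones).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; ; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === q ? 0 : p === undefined ? -1 : 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === 'number' ? -1 : 1;
    return p < q ? -1 : 1;
  }
}

// True if `version` satisfies any "||"-separated clause of an npm audit range.
function inRange(version, range) {
  return range.split('||').some(clause => {
    const c = clause.trim();
    let m = c.match(/^(\S+) - (\S+)$/);
    if (m) return compareVersions(version, m[1]) >= 0 && compareVersions(version, m[2]) <= 0;
    m = c.match(/^(<=|<|>=|>)(\S+)$/);
    if (!m) throw new Error(`unsupported range clause: ${c}`);
    const r = compareVersions(version, m[2]);
    return { '<': r < 0, '<=': r <= 0, '>': r > 0, '>=': r >= 0 }[m[1]];
  });
}

// Vulnerable ranges exactly as printed in the PR's npm audit report.
const VULNERABLE_RANGES = {
  'body-parser': '<1.20.3', express: '<=4.21.0 || 5.0.0-alpha.1 - 5.0.0', cookie: '<0.7.0',
  'path-to-regexp': '<0.1.10', send: '<0.19.0', 'serve-static': '<=1.16.0',
};
// Names of the packages in `installed` ({ name: version }) still inside a vulnerable range.
function stillVulnerable(installed) {
  return Object.keys(installed).filter(
    pkg => pkg in VULNERABLE_RANGES && inRange(installed[pkg], VULNERABLE_RANGES[pkg]),
  );
}
```

Feeding it the "before" column of the table reports `express`; the "after" column comes back empty, which is the check a reviewer wants before trusting "fix available" in the audit output.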
@D-ske104
Contributor Author

Hi @cola119,

Thank you for your fantastic work on this package!

I've fixed the vulnerability reported in #19 . When you have a moment, could you please review my Pull Request?

No rush at all—whenever you have time.

Thanks again!

@odanado
Member

odanado commented Oct 15, 2024

@D-ske104
Thank you for your pull request. Please wait a moment while we check the difference.

@odanado
Member

odanado commented Oct 15, 2024

There is an error with GitHub Actions.

```
Error: ../../node_modules/@types/node/stream/web.d.ts(469,56): error TS1005: '?' expected.
npm error Lifecycle script `build` failed with error:
npm error code 2
npm error path /home/runner/work/liff-inspector/liff-inspector/packages/headless-inspector-core
npm error workspace @line/headless-inspector-core@1.0.2
npm error location /home/runner/work/liff-inspector/liff-inspector/packages/headless-inspector-core
npm error command failed
npm error command sh -c tsc
```

It is likely that you will also need to update the TypeScript version. Could you check this?

@odanado odanado self-requested a review October 16, 2024 04:39
@odanado odanado added the status: in progress In Progress label Nov 20, 2024
@odanado odanado requested a review from a team as a code owner February 7, 2025 07:14
@odanado odanado added the dependencies Pull requests that update a dependency file label Feb 7, 2025
@odanado odanado merged commit afa0a78 into line:main Mar 5, 2025
1 check passed
@soranakahara soranakahara added the type: dependencies Dependencies Update label Nov 11, 2025

Development

Successfully merging this pull request may close these issues.

ws package affected by a DoS when handling a request with many HTTP headers
