Skip to content

Commit

Permalink
chore(deps): update dependency express to v4.19.2 [security] (#7859)
Browse files Browse the repository at this point in the history 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/)
([source](https://togithub.com/expressjs/express)) | [`4.18.2` ->
`4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-29041](https://togithub.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta
versions before 5.0.0-beta.3 are affected by an open redirect
vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL
Express performs an encode [using
`encodeurl`](https://togithub.com/pillarjs/encodeurl) on the contents
before passing it to the `location` header. This can cause malformed
URLs to be evaluated in unexpected ways by common redirect allow list
implementations in Express applications, leading to an Open Redirect via
bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called
from within `res.redirect()`.

### Patches


expressjs/express@0867302

expressjs/express@0b74695

An initial fix went out with `express@4.19.0`, we then patched a feature
regression in `4.19.1` and added improved handling for the bypass in
`4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either
`require('node:url').parse` or `new URL`. These are steps you can take
on your own before passing the user input string to `res.location` or
`res.redirect`.

### References


[expressjs/express#5539

[koajs/koa#1800
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

###
[`v4.19.2`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare
Source](https://togithub.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

###
[`v4.19.1`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare
Source](https://togithub.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

- Allow passing non-strings to res.location with new encoding handling
checks

###
[`v4.19.0`](https://togithub.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare
Source](https://togithub.com/expressjs/express/compare/4.18.3...4.19.0)

###
[`v4.18.3`](https://togithub.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26)

[Compare
Source](https://togithub.com/expressjs/express/compare/4.18.2...4.18.3)

\==========

-   Fix routing requests without method
-   deps: body-parser@1.20.2
    -   Fix strict json error message on Node.js 19+
    -   deps: content-type@~1.0.5
    -   deps: raw-body@2.5.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Los_Angeles,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/apollographql/apollo-server).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
@renovate
renovate[bot] committed Mar 28, 2024
1 parent 80afc33 commit 5cf2928
Show file tree
Hide file tree
Showing 2 changed files with 117 additions and 86 deletions.
201 changes: 116 additions & 85 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Expand Up @@ -79,7 +79,7 @@
"cspell": "6.31.3",
"eslint": "8.56.0",
"eslint-plugin-import": "2.29.1",
"express": "4.18.2",
"express": "4.19.2",
"graphql": "16.8.1",
"graphql-subscriptions": "2.0.0",
"graphql-tag": "2.12.6",
Expand Down

0 comments on commit 5cf2928

Please sign in to comment.