[Snyk] Security upgrade express from 4.21.1 to 4.21.2 (#4985)

* fix: packages/web/package.json to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-PATHTOREGEXP-8482416 * fix * test --------- Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2024-12-16 21:56:25 -05:00 · 2024-12-11 20:46:11 +01:00 · 2024-12-11 20:46:11 +01:00 · dee09011cb
commit dee09011cb
parent ff78ea6911
5 changed files with 73 additions and 32 deletions
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -49,7 +49,7 @@
    "body-parser": "1.20.3",
    "cookies": "0.9.1",
    "debug": "4.3.7",
-    "express": "4.21.1",
+    "express": "4.21.2",
    "lodash": "4.17.21",
    "mime": "2.6.0",
    "semver": "7.6.3"
--- a/packages/web/package.json
+++ b/packages/web/package.json
@ -35,7 +35,7 @@
    "@verdaccio/url": "workspace:13.0.0-next-8.4",
    "@verdaccio/utils": "workspace:8.1.0-next-8.4",
    "debug": "4.3.7",
-    "express": "4.21.1",
+    "express": "4.21.2",
    "lodash": "4.17.21"
  },
  "devDependencies": {
--- a/packages/web/src/api/readme.ts
+++ b/packages/web/src/api/readme.ts
@ -36,7 +36,7 @@ function addReadmeWebApi(storage: Storage, auth: Auth): Router {
  const pkgRouter = Router(); /* eslint new-cap: 0 */

  pkgRouter.get(
-    '/package/readme/(@:scope/)?:package/:version?',
+    '/package/readme/:scope(@[^/]+)?/:package/:version?',
    can('access'),
    async function (
      req: $RequestExtend,
@ -44,9 +44,9 @@ function addReadmeWebApi(storage: Storage, auth: Auth): Router {
      next: $NextFunctionVer
    ): Promise<void> {
      debug('readme hit');
-      const name = req.params.scope
-        ? addScope(req.params.scope, req.params.package)
-        : req.params.package;
+      const rawScope = req.params.scope; // May include '@'
+      const scope = rawScope ? rawScope.slice(1) : null; // Remove '@' if present
+      const name = scope ? addScope(scope, req.params.package) : req.params.package;
      debug('readme name %o', name);
      const requestOptions = {
        protocol: req.protocol,
--- a/packages/web/src/api/sidebar.ts
+++ b/packages/web/src/api/sidebar.ts
@ -26,18 +26,18 @@ function addSidebarWebApi(config: Config, storage: Storage, auth: Auth): Router
    beforeAll: (a, b) => logger.trace(a, b),
    afterAll: (a, b) => logger.trace(a, b),
  });
-  // Get package readme
+  // Get package sidebar
  router.get(
-    '/sidebar/(@:scope/)?:package',
+    '/sidebar/:scope(@[^/]+)?/:package',
    can('access'),
    async function (
      req: $RequestExtend,
      res: $ResponseExtend,
      next: $NextFunctionVer
    ): Promise<void> {
-      const name: string = req.params.scope
-        ? addScope(req.params.scope, req.params.package)
-        : req.params.package;
+      const rawScope = req.params.scope; // May include '@'
+      const scope = rawScope ? rawScope.slice(1) : null; // Remove '@' if present
+      const name: string = scope ? addScope(scope, req.params.package) : req.params.package;
      const requestOptions = {
        protocol: req.protocol,
        headers: req.headers as any,
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -570,8 +570,8 @@ importers:
        specifier: 4.3.7
        version: 4.3.7(supports-color@5.5.0)
      express:
-        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        specifier: 4.21.2
+        version: 4.21.2(supports-color@6.1.0)
      lodash:
        specifier: 4.17.21
        version: 4.17.21
@ -636,7 +636,7 @@ importers:
        version: link:../core/types
      express:
        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        version: 4.21.1
      supertest:
        specifier: 7.0.0
        version: 7.0.0
@ -941,7 +941,7 @@ importers:
        version: 4.3.7(supports-color@5.5.0)
      express:
        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        version: 4.21.1
      express-rate-limit:
        specifier: 5.5.1
        version: 5.5.1
@ -1015,7 +1015,7 @@ importers:
        version: link:../../core/core
      express:
        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        version: 4.21.1
      https-proxy-agent:
        specifier: 5.0.1
        version: 5.0.1
@ -1553,7 +1553,7 @@ importers:
        version: 4.3.7(supports-color@5.5.0)
      express:
        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        version: 4.21.1
      lodash:
        specifier: 4.17.21
        version: 4.17.21
@ -1850,7 +1850,7 @@ importers:
        version: 4.3.7(supports-color@5.5.0)
      express:
        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        version: 4.21.1
      fs-extra:
        specifier: 11.2.0
        version: 11.2.0
@ -2199,8 +2199,8 @@ importers:
        specifier: 4.3.7
        version: 4.3.7(supports-color@5.5.0)
      express:
-        specifier: 4.21.1
-        version: 4.21.1(supports-color@6.1.0)
+        specifier: 4.21.2
+        version: 4.21.2(supports-color@6.1.0)
      lodash:
        specifier: 4.17.21
        version: 4.17.21
@ -5619,7 +5619,7 @@ packages:
      detect-port: 1.5.1
      escape-html: 1.0.3
      eta: 1.14.2
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      file-loader: 6.2.0(webpack@5.90.0)
      fs-extra: 10.1.0
      github-slugger: 1.5.0
@ -9871,7 +9871,7 @@ packages:
      babel-plugin-polyfill-corejs3: 0.1.7(@babel/core@7.24.9)
      chalk: 4.1.2
      core-js: 3.37.1
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      file-system-cache: 1.1.0
      find-up: 5.0.0
      fork-ts-checker-webpack-plugin: 6.5.3(eslint@8.57.1)(typescript@4.9.5)(webpack@4.47.0)
@ -9950,7 +9950,7 @@ packages:
      core-js: 3.37.1
      cpy: 8.1.2
      detect-port: 1.5.1
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      fs-extra: 9.1.0
      global: 4.4.0
      globby: 11.1.0
@ -10111,7 +10111,7 @@ packages:
      chalk: 4.1.2
      core-js: 3.37.1
      css-loader: 3.6.0(webpack@4.47.0)
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      file-loader: 6.2.0(webpack@4.47.0)
      find-up: 5.0.0
      fs-extra: 9.1.0
@ -10168,7 +10168,7 @@ packages:
      chalk: 4.1.2
      core-js: 3.37.1
      css-loader: 5.2.7(webpack@5.93.0)
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      find-up: 5.0.0
      fs-extra: 9.1.0
      html-webpack-plugin: 5.6.0(webpack@5.93.0)
@ -17819,7 +17819,7 @@ packages:
    resolution: {integrity: sha512-MTjE2eIbHv5DyfuFz4zLYWxpqVhEhkTiwFGuB74Q9CSou2WHO52nlE5y3Zlg6SIsiYUIPj6ifFxnkPz6O3sIUg==}
    dev: false

-  /express@4.21.1(supports-color@6.1.0):
+  /express@4.21.1:
    resolution: {integrity: sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==}
    engines: {node: '>= 0.10.0'}
    dependencies:
@ -17857,6 +17857,44 @@ packages:
    transitivePeerDependencies:
      - supports-color

+  /express@4.21.2(supports-color@6.1.0):
+    resolution: {integrity: sha512-28HqgMZAmih1Czt9ny7qr6ek2qddF4FclbMzwhCREB6OFfH+rXAnuNCwo1/wFvrtbgsQDb4kSbX9de9lFbrXnA==}
+    engines: {node: '>= 0.10.0'}
+    dependencies:
+      accepts: 1.3.8
+      array-flatten: 1.1.1
+      body-parser: 1.20.3(supports-color@6.1.0)
+      content-disposition: 0.5.4
+      content-type: 1.0.5
+      cookie: 0.7.1
+      cookie-signature: 1.0.6
+      debug: 2.6.9(supports-color@6.1.0)
+      depd: 2.0.0
+      encodeurl: 2.0.0
+      escape-html: 1.0.3
+      etag: 1.8.1
+      finalhandler: 1.3.1(supports-color@6.1.0)
+      fresh: 0.5.2
+      http-errors: 2.0.0
+      merge-descriptors: 1.0.3
+      methods: 1.1.2
+      on-finished: 2.4.1
+      parseurl: 1.3.3
+      path-to-regexp: 0.1.12
+      proxy-addr: 2.0.7
+      qs: 6.13.0
+      range-parser: 1.2.1
+      safe-buffer: 5.2.1
+      send: 0.19.0(supports-color@6.1.0)
+      serve-static: 1.16.2(supports-color@6.1.0)
+      setprototypeof: 1.2.0
+      statuses: 2.0.1
+      type-is: 1.6.18
+      utils-merge: 1.0.1
+      vary: 1.1.2
+    transitivePeerDependencies:
+      - supports-color
+
  /extend-shallow@2.0.1:
    resolution: {integrity: sha512-zCnTtlxNoAiDc3gqY2aYAWFx7XWWiasuF2K8Me5WbN8otHKTUKBwjPtNpRs/rbUZm7KxWAaNj7P1a/p52GbVug==}
    engines: {node: '>=0.10.0'}
@ -22120,7 +22158,7 @@ packages:
      minipass-fetch: 2.1.2
      minipass-flush: 1.0.5
      minipass-pipeline: 1.2.4
-      negotiator: 0.6.3
+      negotiator: 0.6.4
      promise-retry: 2.0.1
      socks-proxy-agent: 7.0.0
      ssri: 9.0.1
@ -22143,7 +22181,7 @@ packages:
      minipass-fetch: 3.0.5
      minipass-flush: 1.0.5
      minipass-pipeline: 1.2.4
-      negotiator: 0.6.3
+      negotiator: 0.6.4
      promise-retry: 2.0.1
      socks-proxy-agent: 7.0.0
      ssri: 10.0.6
@ -22166,7 +22204,7 @@ packages:
      minipass-fetch: 1.4.1
      minipass-flush: 1.0.5
      minipass-pipeline: 1.2.4
-      negotiator: 0.6.3
+      negotiator: 0.6.4
      promise-retry: 2.0.1
      socks-proxy-agent: 6.2.1
      ssri: 8.0.1
@ -24773,6 +24811,9 @@ packages:
  /path-to-regexp@0.1.10:
    resolution: {integrity: sha512-7lf7qcQidTku0Gu3YDPc8DJ1q7OOucfa/BSsIwjuh56VU7katFvuM8hULfkwB3Fns/rsVF7PwPKVw1sl5KQS9w==}

+  /path-to-regexp@0.1.12:
+    resolution: {integrity: sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==}
+
  /path-to-regexp@1.8.0:
    resolution: {integrity: sha512-n43JRhlUKUAlibEJhPeir1ncUID16QnEjNpwzNdO3Lm4ywrBpBZ5oLD0I6br9evr1Y9JTqwRtAh7JLoOzAQdVA==}
    dependencies:
@ -31458,7 +31499,7 @@ packages:
      connect-history-api-fallback: 1.6.0
      debug: 4.3.7(supports-color@6.1.0)
      del: 4.1.1
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      html-entities: 1.4.0
      http-proxy-middleware: 0.19.1(debug@4.3.7)(supports-color@6.1.0)
      import-local: 2.0.0
@ -31509,7 +31550,7 @@ packages:
      connect-history-api-fallback: 1.6.0
      debug: 4.3.7(supports-color@6.1.0)
      del: 4.1.1
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      html-entities: 1.4.0
      http-proxy-middleware: 0.19.1(debug@4.3.7)(supports-color@6.1.0)
      import-local: 2.0.0
@ -31568,7 +31609,7 @@ packages:
      compression: 1.7.5(supports-color@6.1.0)
      connect-history-api-fallback: 2.0.0
      default-gateway: 6.0.3
-      express: 4.21.1(supports-color@6.1.0)
+      express: 4.21.2(supports-color@6.1.0)
      graceful-fs: 4.2.11
      html-entities: 2.3.3
      http-proxy-middleware: 2.0.6(@types/express@4.17.21)(debug@4.3.7)