[Snyk] Security upgrade express from 4.19.2 to 4.22.0#43
…ties The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-QS-14724253
Pull request overview
This PR upgrades Express from version 4.19.2 to 4.22.0 to address a high-severity security vulnerability (SNYK-JS-QS-14724253) related to "Allocation of Resources Without Limits or Throttling" in the qs dependency, with a severity score of 828/1000.
Key Changes:
- Express upgraded from 4.19.2 to 4.22.0
- Associated dependency updates including qs (6.11.0 → 6.14.1), body-parser (1.20.2 → 1.20.4), and numerous other transitive dependencies
- Addition of new dependencies like call-bind-apply-helpers, call-bound, dunder-proto, get-proto, and math-intrinsics to support the updated packages
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| back/package.json | Updates Express version specifier from ~4.19.2 to ~4.22.0 |
| back/package-lock.json | Comprehensive lock file update with Express 4.22.0 and all transitive dependency updates, including the critical qs package upgrade that addresses the security vulnerability |
Files not reviewed (1)
- back/package-lock.json: Language not supported
| "cookie-parser": "~1.4.4", | ||
| "debug": "~2.6.9", | ||
| "express": "~4.19.2", | ||
| "express": "^4.22.0", |
Inconsistent version specifier between package.json and package-lock.json. In package.json, express uses tilde (~4.22.0) which allows patch-level updates only (4.22.x), but package-lock.json uses caret (^4.22.0) which allows minor version updates (4.x.x). This inconsistency could lead to unexpected version resolution. The package-lock.json should use ~4.22.0 to match package.json.
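As an added example (not code from this PR or the project), a small check that reproduces the specifier mismatch described in the comment above: it compares the ranges declared in package.json with the lockfile's root entry and verifies that each locked version actually satisfies its declared range. The package objects are constructed for the demo, and only `~`/`^` ranges over full x.y.z versions are handled.

```javascript
// Constructed lockfile consistency check (not the project's code).
const parseVer = (v) => v.split('.').map(Number);

// Does an exact version satisfy a ~x.y.z or ^x.y.z range (or an exact pin)?
function satisfies(version, range) {
  const op = range[0];
  if (op !== '~' && op !== '^') return version === range; // exact pin only
  const [rM, rm, rp] = parseVer(range.slice(1));
  const [vM, vm, vp] = parseVer(version);
  if (vM !== rM) return false;
  // tilde: same major.minor, patch may move forward
  if (op === '~') return vm === rm && vp >= rp;
  // caret on a 0.x version only allows patch (0.0.x: exact) updates
  if (rM === 0) return vm === rm && (rm === 0 ? vp === rp : vp >= rp);
  // caret on >=1.0.0: same major, minor/patch may move forward
  return vm > rm || (vm === rm && vp >= rp);
}

// Compare package.json ranges with the lock's root entry ("packages['']")
// and with the version actually locked under node_modules/<name>.
function checkLock(pkg, lock) {
  const issues = [];
  const root = lock.packages[''].dependencies || {};
  for (const [name, range] of Object.entries(pkg.dependencies)) {
    const lockRange = root[name];
    const locked = lock.packages[`node_modules/${name}`];
    if (lockRange !== range)
      issues.push(`${name}: package.json ${range} vs lock root ${lockRange}`);
    if (!locked) { issues.push(`${name}: not in lockfile`); continue; }
    if (!satisfies(locked.version, range))
      issues.push(`${name}: locked ${locked.version} outside ${range}`);
  }
  return issues;
}

// Constructed sample mirroring the mismatch from the review comment.
const pkg = { dependencies: { express: '~4.22.0', debug: '~2.6.9' } };
const lock = {
  packages: {
    '': { dependencies: { express: '^4.22.0', debug: '~2.6.9' } },
    'node_modules/express': { version: '4.22.0' },
    'node_modules/debug': { version: '2.6.9' },
  },
};
console.log(checkLock(pkg, lock));
```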
| "express": "^4.22.0", | |
| "express": "~4.22.0", |
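Review bot: the specifier at `"express": "~4.22.0"` now matches package.json, resolving the mismatch flagged above; if this line was edited directly rather than regenerated with `npm install`, confirm that `npm ci` still installs cleanly, since npm exits with an error when package.json and the lock's root entry disagree.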
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
back/package.json
back/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling