Skip to content

chore(deps): update dependency express to v4.19.2 [security] #105

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 30, 2024
Merged

chore(deps): update dependency express to v4.19.2 [security] #105

merged 1 commit into from
May 30, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 29, 2024
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
express (source) 4.18.2 -> 4.19.2 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-29041

Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is res.location() but this is also called from within res.redirect().

Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with [email protected], we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.

Workarounds

The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.

References

https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location

Release Notes

expressjs/express (express)

v4.19.2

Compare Source

==========

  • Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

  • Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

v4.18.3

Compare Source

==========

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@netlify Netlify
Copy link

netlify bot commented Mar 29, 2024
edited
Loading

Deploy Preview for plugin-angular-universal-demo ready!

Name Link
🔨 Latest commit 3452c9b
🔍 Latest deploy log https://app.netlify.com/sites/plugin-angular-universal-demo/deploys/66589828591a120008ac3b77
😎 Deploy Preview https://deploy-preview-105--plugin-angular-universal-demo.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@github-actions github-actions bot added the type: bug code to address defects in shipped code label Mar 29, 2024
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 0fc9543 to 10bd783 Compare April 21, 2024 08:33
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from 10bd783 to 3730cd6 Compare May 23, 2024 10:33
@renovate renovate bot enabled auto-merge (squash) May 27, 2024 13:30
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 95fb081 to d2862d4 Compare May 27, 2024 19:41
@renovate renovate bot requested a review from a team as a code owner May 27, 2024 19:41
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch 2 times, most recently from 3c120b0 to eba62e0 Compare May 28, 2024 21:49
@renovate renovate bot changed the title fix(deps): update dependency express to v4.19.2 [security] chore(deps): update dependency express to v4.19.2 [security] May 29, 2024
@github-actions github-actions bot added the type: chore work needed to keep the product and development running smoothly label May 29, 2024
@renovate renovate bot force-pushed the renovate/npm-express-vulnerability branch from eba62e0 to 3452c9b Compare May 30, 2024 15:15
mrstork
mrstork approved these changes May 30, 2024
View reviewed changes
Copy link
Contributor

@mrstork mrstork left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally, demo works as expected

@renovate renovate bot merged commit 9e891cd into main May 30, 2024
16 checks passed
@renovate renovate bot deleted the renovate/npm-express-vulnerability branch May 30, 2024 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrstork mrstork mrstork approved these changes

Assignees
No one assigned
Labels
dependencies javascript type: bug code to address defects in shipped code type: chore work needed to keep the product and development running smoothly
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mrstork