node-jwks-rsa
Vulnerable dependency send < 19.0 being pulled in via [email protected].
Checklist
- [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
Vulnerable dependency send < 19.0 being pulled in via [email protected]. Please consider updating package.json and package-lock.json to specify a version of at least "@types/express": "^4.21.0" for express to mitigate the possibility of the vulnerable transitive dependency.
```
├─┬ [email protected]
│ ├─┬ @types/[email protected]
│ │ ├─┬ @types/[email protected]
│ │ │ ├─┬ @types/[email protected]
│ │ │ │ └── @types/[email protected] deduped
│ │ │ └── @types/[email protected] deduped
│ │ ├─┬ @types/[email protected]
│ │ │ ├── @types/[email protected] deduped
│ │ │ ├── @types/[email protected] deduped
│ │ │ ├── @types/[email protected]
│ │ │ └─┬ @types/[email protected] Here
│ │ │   ├── @types/[email protected]
│ │ │   └── @types/[email protected] deduped
│ │ ├── @types/[email protected]
│ │ └─┬ @types/[email protected]
│ │   ├── @types/[email protected]
│ │   ├── @types/[email protected] deduped
│ │   └── @types/[email protected] deduped Here
```
Reproduction
Scan installed project with dependency-check. Review results.
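The reproduction step above relies on a scanner's output. As an added example (not part of node-jwks-rsa and not the reporter's own tooling), the script below does the equivalent check directly against a project's `package-lock.json`: it lists every installed copy of a named package whose version is below the version that fixed the advisory, lists which packages declare a dependency on it (what `npm ls <name>` shows), and lists any `@types/<name>` declaration-only packages separately, since their version numbers track the DefinitelyTyped stubs rather than the runtime package and cannot be compared against the advisory range. The lockfile is a constructed sample, and the `0.19.0` threshold for `send` is an assumption taken from the linked advisory, not from this issue's text.

```python
"""Check an npm package-lock.json (lockfileVersion 2 or 3) for copies of a
package below a fixed version. Added example; runs offline on the
constructed sample lockfile below."""
import json
from typing import Dict, List, Tuple

# Constructed sample lockfile, shaped like the output of npm 7+.
# Versions are illustrative, not the ones from the issue's tree.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "dependencies": {"express": "^4.19.2"}},
        "node_modules/express": {
            "version": "4.19.2",
            "dependencies": {"send": "0.18.0", "serve-static": "1.15.0"},
        },
        "node_modules/send": {"version": "0.18.0"},
        "node_modules/serve-static": {
            "version": "1.15.0",
            "dependencies": {"send": "0.18.0"},
        },
        # Declaration-only package: ships .d.ts files, no runtime code.
        "node_modules/@types/send": {"version": "0.17.4", "dev": True},
        # A nested copy that is already at the fixed version.
        "node_modules/some-tool/node_modules/send": {"version": "0.19.0"},
    },
})

VersionTuple = Tuple[int, ...]


def parse_version(v: str) -> VersionTuple:
    """Turn '0.18.0' into (0, 18, 0); pre-release/build tags are dropped."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def package_name(install_path: str) -> str:
    """Map 'node_modules/a/node_modules/@s/b' to '@s/b' (last node_modules segment)."""
    return install_path.split("node_modules/")[-1]


def _packages(lock_json: str) -> Dict[str, dict]:
    """Return the 'packages' map, skipping the root project entry (key '')."""
    lock = json.loads(lock_json)
    return {p: m for p, m in lock.get("packages", {}).items() if p}


def find_outdated(lock_json: str, name: str, fixed_in: str) -> List[Tuple[str, str]]:
    """[(install path, version)] for every copy of `name` below `fixed_in`.
    Nested copies (a/node_modules/b) count too: npm resolves those separately."""
    threshold = parse_version(fixed_in)
    hits = []
    for path, meta in _packages(lock_json).items():
        if package_name(path) == name:
            version = meta.get("version", "")
            if version and parse_version(version) < threshold:
                hits.append((path, version))
    return hits


def dependents_of(lock_json: str, name: str) -> List[str]:
    """Install paths of packages that declare `name` as a dependency."""
    deps = []
    for path, meta in _packages(lock_json).items():
        declared = {**meta.get("dependencies", {}), **meta.get("optionalDependencies", {})}
        if name in declared:
            deps.append(path)
    return deps


def types_stubs(lock_json: str, name: str) -> List[Tuple[str, str]]:
    """@types/<name> entries, reported on their own: these are type
    declarations only, and their version is not the runtime version."""
    stub = f"@types/{name}"
    return [(p, m.get("version", "")) for p, m in _packages(lock_json).items()
            if package_name(p) == stub]


if __name__ == "__main__":
    # Assumed threshold: the version in which the linked advisory was fixed.
    for path, version in find_outdated(SAMPLE_LOCK, "send", "0.19.0"):
        print(f"below fix: {path} {version}")
    print("declared by:", ", ".join(dependents_of(SAMPLE_LOCK, "send")))
    for path, version in types_stubs(SAMPLE_LOCK, "send"):
        print(f"types-only stub (not compared): {path} {version}")
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of the project's `package-lock.json`; the fix is then to bump whichever dependent listed by `dependents_of` resolves to the outdated copy and regenerate the lockfile.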
Additional context
Please consider updating express-serve-static-core and serve-static to current versions to mitigate this vulnerable dependency.
https://ossindex.sonatype.org/vulnerability/CVE-2024-43799?component-type=npm&component-name=send&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.2
https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
https://www.npmjs.com/package/send
jwks-rsa version
3.1.0
Node.js version
18.20.3