
Update express to mitigate vulnerabilities

Open abstractj opened this issue 9 years ago • 2 comments

Good morning, express 3.1.0 is vulnerable to:

  • https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
  • https://nodesecurity.io/advisories/send-directory-traversal
  • https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
  • https://nodesecurity.io/advisories/qs_dos_memory_exhaustion

@brentlintner I couldn't find any place to disclose this issue in private, nor to make this issue security sensitive. Let me know if you have questions.

I think it is important to get this fix in, since it also affects cordova-cli.

abstractj, Apr 08 '15 16:04

Hey @abstractj awesome! Thanks for the PR. I plan to pull in ASAP. I just noticed that with the 4.x update, some middleware was moved out of core into their own packages that need to be added. Unless you or someone else does, I will try to do that when I get a chance. :-)

brentlintner, Apr 08 '15 23:04

@brentlintner go ahead my friend, I think you're more familiar with ripple than me. Glad to help.

abstractj, Apr 09 '15 11:04