ljharb / qs

A querystring parser with nesting support

Issue using qs while using Express@5

aderchox opened this issue · comments

There seems to be an issue using qs while using Express@5. Is this an issue of qs or express@5?

qs 6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix --force
Will install express@4.18.2, which is a breaking change
node_modules/qs
body-parser 1.19.1 || 2.0.0-beta.1
Depends on vulnerable versions of qs
node_modules/body-parser
express 4.17.2 || >=5.0.0-alpha.1
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
node_modules/express

That suggests you're using express 4, not 5. Can you confirm that you're on the latest of v4 or v5, and which you're on?

I'm pretty sure I was using version 5, and the error is saying if I force run npm audit fix, it will install express version 4 for me to fix the above issue, which is a breaking change (major version of my express changes from v5 to v4).

What does npm explain qs print out?

$ npm explain qs
qs@6.9.6
node_modules/qs
  qs@"6.9.6" from body-parser@2.0.0-beta.1
  node_modules/body-parser
    body-parser@"2.0.0-beta.1" from express@5.0.0-beta.1
    node_modules/express
      express@"^5.0.0-beta.1" from the root project
  qs@"6.9.6" from express@5.0.0-beta.1
  node_modules/express
    express@"^5.0.0-beta.1" from the root project

ah, looks like express 5 as well as body-parser 2 are depending on qs without a ^. Can you file an issue on those projects to use a caret range?

Otherwise, you'll probably just have to wait until they release an update.
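The caret-range problem described in the comment above, as an added example (not code from qs, express or body-parser): a small dependency-edge checker that shows why an exact pin on qs@"6.9.6" keeps npm audit fix from resolving a patched release, and that widening the same edges to a caret range removes the blockers. The dependency edges are constructed to mirror the npm explain qs output in this thread, the patched version 6.9.7 (the first release past the audited 6.9.0 - 6.9.6 range) is assumed for illustration, and only exact pins and caret ranges are modelled.

```javascript
// Added example (not code from qs, express or body-parser): a minimal check for
// which dependency edges prevent npm from pulling in a patched version.
// Only exact pins ("6.9.6") and caret ranges ("^6.9.6") are modelled; the
// dependency tree below is constructed to mirror the `npm explain qs` output
// in this thread, and 6.9.7 (first version past the audited 6.9.0 - 6.9.6
// range) is assumed here as the patched version for illustration.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `spec`? A caret range permits updates that leave the
// left-most non-zero component unchanged; an exact pin permits one version only.
function satisfies(version, spec) {
  const v = parseVersion(version);
  if (spec.startsWith('^')) {
    const base = parseVersion(spec.slice(1));
    if (compareVersions(v, base) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return compareVersions(v, parseVersion(spec)) === 0;
}

// Constructed dependency edges mirroring the thread's `npm explain qs` output.
const SAMPLE_TREE = [
  { from: 'root project', to: 'express', spec: '^5.0.0-beta.1' },
  { from: 'express@5.0.0-beta.1', to: 'body-parser', spec: '2.0.0-beta.1' },
  { from: 'body-parser@2.0.0-beta.1', to: 'qs', spec: '6.9.6' },
  { from: 'express@5.0.0-beta.1', to: 'qs', spec: '6.9.6' },
];

// Return the edges whose spec excludes `fixedVersion` of `pkg`. Each one is a
// dependant that must republish with a wider range before `npm audit fix`
// can resolve the patched release without a forced downgrade.
function findBlockingPins(edges, pkg, fixedVersion) {
  return edges
    .filter((e) => e.to === pkg && !satisfies(fixedVersion, e.spec))
    .map((e) => `${e.from} pins ${pkg}@"${e.spec}" (excludes ${fixedVersion})`);
}

// Widen every exact pin on `pkg` to a caret range, i.e. the change the
// comment above asks the dependants to make.
function widenPins(edges, pkg) {
  return edges.map((e) =>
    e.to === pkg && !e.spec.startsWith('^') ? { ...e, spec: `^${e.spec}` } : e
  );
}

console.log(findBlockingPins(SAMPLE_TREE, 'qs', '6.9.7'));
console.log(findBlockingPins(widenPins(SAMPLE_TREE, 'qs'), 'qs', '6.9.7'));
```

With the tree as posted, both edges into qs (from body-parser and from express) are reported as blockers; after widening them to ^6.9.6 the list is empty, which is why the advice is to get the dependants to publish a caret range rather than to force a downgrade of express.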

Hello 👋 apologies, I am in progress at the moment with the updated express 5 for qs and a couple of other reported vulns. We have a new body-parser 2 out already now with the updated qs, just not the express 5 (as we're wrapping up non-qs vuln fixes atm).

Hi @dougwilson, ah you were quick! I was commenting on an issue where you were asked about the date of the v5 stable release, and you'd asked everyone to report problems they encounter. But before I submit the comment, whoosh, you appeared here 😃, thanks for all your efforts. So you know about this already, and I'll close this issue. May the Force be with you ✌.