Issue using qs while using Express@5
aderchox opened this issue · comments
There seems to be an issue using qs while using Express@5. Is this an issue of qs or express@5?
qs 6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix --force
Will install express@4.18.2, which is a breaking change
node_modules/qs
body-parser 1.19.1 || 2.0.0-beta.1
Depends on vulnerable versions of qs
node_modules/body-parser
express 4.17.2 || >=5.0.0-alpha.1
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
node_modules/express
That suggests you're using express 4, not 5. Can you confirm that you're on the latest of v4 or v5, and which you're on?
I'm pretty sure I was using version 5, and the error is saying if I force run npm audit fix, it will install express version 4 for me to fix the above issue, which is a breaking change (major version of my express changes from v5 to v4).
What does npm explain qs print out?
$ npm explain qs
qs@6.9.6
node_modules/qs
qs@"6.9.6" from body-parser@2.0.0-beta.1
node_modules/body-parser
body-parser@"2.0.0-beta.1" from express@5.0.0-beta.1
node_modules/express
express@"^5.0.0-beta.1" from the root project
qs@"6.9.6" from express@5.0.0-beta.1
node_modules/express
express@"^5.0.0-beta.1" from the root project
ah, looks like express 5 as well as body-parser 2 are depending on qs without a ^. Can you file an issue on those projects to use a caret range?
Otherwise, you'll probably just have to wait until they release an update.
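To make the caret-range point concrete, here is an added example (written for this page, not code from qs, express, body-parser or npm) of a minimal semver resolver. It supports only plain x.y.z versions, exact pins and caret ranges, which is enough to show why an exact pin such as "6.9.6" in the dependency tree keeps the version flagged by npm audit installed even after a patched release exists, while "^6.9.6" would pick the fix up. The published version list is constructed for illustration; the real npm `semver` package handles prerelease tags and many more range forms.

```javascript
// Added example: minimal caret-range resolution, not part of the original thread.
// Assumes plain MAJOR.MINOR.PATCH versions (no prerelease tags).

// Parse "MAJOR.MINOR.PATCH" into an array of three integers; throws on bad input.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two parsed versions; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Does `candidate` satisfy `range`? Supports an exact pin ("6.9.6") and a
// caret range ("^6.9.6"). Caret semantics follow npm: the leftmost non-zero
// component of the lower bound is fixed, everything to its right may rise.
function satisfies(candidate, range) {
  const caret = range.startsWith("^");
  const lower = parseVersion(caret ? range.slice(1) : range);
  const cand = parseVersion(candidate);
  if (!caret) return compareVersions(cand, lower) === 0;
  if (compareVersions(cand, lower) < 0) return false;
  if (lower[0] !== 0) return cand[0] === lower[0];
  if (lower[1] !== 0) return cand[0] === 0 && cand[1] === lower[1];
  return cand[0] === 0 && cand[1] === 0 && cand[2] === lower[2];
}

// Is `v` inside the inclusive range "lo - hi" that npm audit prints?
function inRange(v, lo, hi) {
  const p = parseVersion(v);
  return compareVersions(p, parseVersion(lo)) >= 0 &&
         compareVersions(p, parseVersion(hi)) <= 0;
}

// Pick the highest published version that satisfies every range a dependency
// tree declares for the package, or null if none does. A single exact pin
// anywhere in `ranges` prevents a newer release from being chosen.
function resolve(ranges, published) {
  const ok = published.filter((v) => ranges.every((r) => satisfies(v, r)));
  ok.sort((a, b) => compareVersions(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample data: the 6.9.x versions the audit output names, plus
// hypothetical later releases outside the flagged 6.9.0 - 6.9.6 range.
const PUBLISHED_QS = ["6.9.0", "6.9.5", "6.9.6", "6.9.7", "6.10.3"];
const VULN_LO = "6.9.0";
const VULN_HI = "6.9.6";

// Resolve qs under three shapes of dependency tree and report whether the
// chosen version still falls inside the audited range.
function demo() {
  const pinned = resolve(["6.9.6", "6.9.6"], PUBLISHED_QS);    // two exact pins
  const caret = resolve(["^6.9.6", "^6.9.6"], PUBLISHED_QS);   // two caret ranges
  const mixed = resolve(["^6.9.6", "6.9.6"], PUBLISHED_QS);    // one pin is enough
  return {
    pinned, pinnedVulnerable: inRange(pinned, VULN_LO, VULN_HI),
    caret, caretVulnerable: inRange(caret, VULN_LO, VULN_HI),
    mixed, mixedVulnerable: inRange(mixed, VULN_LO, VULN_HI),
  };
}

console.log(demo());
```

The `mixed` case is the situation in this thread: even if the root project or one intermediate package used a caret range, the exact pin in body-parser 2 and express 5 holds qs at 6.9.6, so npm audit fix has nothing it can upgrade without the --force downgrade to express 4.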
Hello, apologies, I am in progress at the moment with the updated express 5 for qs and a couple other reported vulns. We have a new body-parser 2 out already now with the updated qs, just not the express 5 (as we're wrapping up non-qs vuln fixes atm).
Hi @dougwilson, ah you were quick! I was commenting on an issue where you were asked about the date of the v5 stable release, and you'd asked everyone to report problems they encounter. But before I submit the comment, whoosh, you appeared here, thanks for all your efforts. So you know about this already, and I'll close this issue. May the Force be with you.