Express: outdated dependencies

Yea, we can look at updating them :) for the non dev ones, would you be willing to list what all has chaned in each one so we can determine if updating it would be a patch version, minor version, or major version for express? For example cookie-signature drops support for Node.js less than 6.6 I believe making it a major version bump for express. Getting the details for each one of thos will help plan.

We'd want to split into the three version buckets so we can make the relevant releases which each type of change. We need to gather what the differences are anyway for HISTORY.md file.

Thanks for the fast replay @dougwilson!

Sure. I will create new PRs follow your advise. As we are looking to support old nodejs version (0.10) I will investigate each of them to see how far I can go with the upgrade and create separete PRs 👍

After that I will open an issue for branch 5.0. There I will use a different strategy as I assume we only need to support v10. Maybe I can wait until branch 5.0 got updated with master changes?, seems like last sync was at 5f0c829d7ca7da746ee859f13a54631000f8a9b5

Ah, yes, we will get 4.17 line into the 5.0 branch along with the router updates that will make up the beta.1 release this month.

Depending on how this dep updates shake out, we may do a patch 4.17, then merge into 5.0.

So, time for a new approach:

:warning: Important

• This message will be changing once this issue is getting fix. So please refresh the browser before replay :-)

:information_source: Context

• Outdated dependencies update is not an easy tasks at the current status of Express.
• I will use this issue (#4171) to coordinate dependencies upgrade for version 4.x (not breaking with Nodejs v0.10)
• I will use a different issue (Not yet created) to coordinate dependencies upgrade for Express 5.x (not breaking with Nodejs v10)
• As suggest by @dougwilson, I will create a new PR per dependency in order to simplify the express bumping versioning and HISTORY.md sustainability.

:taco: Pending actions for @UlisesGascon

• [x] Evaluate which libraries are in scope for this change (not development)
• [x] Evaluate what are the latests non-breaking versions (compatible to v0.10)
• [ ] Create PRs per each one including impact evaluation (semver impact, changes to make, etc...) so the Express team can coordinate the next 4.x release w/o suffering ❤️
• [ ] Document the missing ones for further discussions and 5.x target

:muscle: Pending PRs

Extra context

• debug version 4.1.1 will break.
• qs version 6.9.1 is working but @dougwilson recommend 6.7.0. see
• safe-buffer version 5.2.0 is working but @dougwilson recommend 5.1.2. see
• debug update is not backwards-compatible. In scope for 5.0. see: #4173

Expected PRs

• [ ] array-flatten -> 2.1.2 (OK) -> 3.0.0 (Need work)
• [ ] path-to-regexp -> 6.1.0 (Need Work)
• [x] cookie-signature -> 1.1.0 (OK) PR: #4174
• [x] depd -> 2.0.0 (OK) PR: #4174
• [x] setprototypeof -> 1.2.0 (OK) PR: #4174

Notes:

List of libraries in scope for the current issue and derivate PRs:

In scope for v4.x

• array-flatten
• cookie-signature
• debug
• depd
• path-to-regexp
• qs
• safe-buffer
• setprototypeof

Out of scope

• connect-redis (due devDependencie)
• cookie-session (due devDependencie)
• ejs (due devDependencie)
• eslint (due devDependencie)
• express-session (due devDependencie)
• hbs (due devDependencie)
• marked (due devDependencie)
• mocha (due devDependencie)
• supertest (due devDependencie)

Starting point for Express 4.0

_Just the npm outdatemessage for context. Nothing else ;-)_

Package           Current  Wanted  Latest  Location
array-flatten       1.1.1   1.1.1   3.0.0  express
connect-redis       3.4.1   3.4.1   4.0.4  express
cookie-session      1.3.3   1.3.3   1.4.0  express
cookie-signature    1.0.6   1.0.6   1.1.0  express
debug               2.6.9   2.6.9   4.1.1  express
depd                1.1.2   1.1.2   2.0.0  express
ejs                 2.6.1   2.6.1   3.0.1  express
eslint             2.13.1  2.13.1   6.8.0  express
express-session    1.16.1  1.16.1  1.17.0  express
hbs                 4.0.4   4.0.4   4.1.0  express
marked              0.6.2   0.6.2   0.8.0  express
mocha               5.2.0   5.2.0   7.0.1  express
path-to-regexp      0.1.7   0.1.7   6.1.0  express
qs                  6.7.0   6.7.0   6.9.1  express
safe-buffer         5.1.2   5.1.2   5.2.0  express
setprototypeof      1.1.1   1.1.1   1.2.0  express
supertest           3.3.0   3.3.0   4.0.2  express

Fancy bash script to simulate CI for Node v0.10

@dougwilson do you think that [email protected] or [email protected] and path-to-regexp still relevant for 4.0 or just to 5.0?

Sorry, just took a look and yea, I don't think any of those can be upgraded; path-to-regexp we know cannot because it changes how you declare the routes in a non-backwards-compatible manner, and array-flatten is exported externally in 4.x, so even though it wouldn't break our internal usage, there is code in the wild using our export.

So this is the outdated (production) tree of the current version, where I have removed the ones already excluded in conversation above:

Package           Current  Wanted  Latest  Location
depd                1.1.2   1.1.2   2.0.0  express
depd                1.1.2   1.1.2   2.0.0  express > body-parser
depd                1.1.2   1.1.2   2.0.0  express > send
depd                1.1.2   1.1.2   2.0.0  express > serve-static > send
http-errors         1.7.2   1.7.2   1.7.3  express > body-parser
http-errors         1.7.2   1.7.3   1.7.3  express > send
http-errors         1.7.2   1.7.3   1.7.3  express > serve-static > send
iconv-lite         0.4.24  0.4.24   0.5.1  express > body-parser
ipaddr.js           1.9.0   1.9.0   1.9.1  express > proxy-addr
media-typer         0.3.0   0.3.0   1.1.0  express > type-is
media-typer         0.3.0   0.3.0   1.1.0  express > body-parser > type-is
mime                1.6.0   1.6.0   2.4.4  express > send
mime                1.6.0   1.6.0   2.4.4  express > serve-static > send
qs                  6.7.0   6.7.0   6.9.1  express
qs                  6.7.0   6.7.0   6.9.1  express > body-parser
raw-body            2.4.0   2.4.0   2.4.1  express > body-parser
safe-buffer         5.1.2   5.1.2   5.2.0  express
safe-buffer         5.1.2   5.1.2   5.2.0  express > content-disposition
ms                  2.1.1   2.1.1   2.1.2  express > send
ms                  2.1.1   2.1.1   2.1.2  express > serve-static > send
setprototypeof      1.1.1   1.1.1   1.2.0  express

So from that, I think there is a quick patch version we can release of 4.17 to get some of them updated, namely updated (bubble them up from the deps as well) the following:

• http-errors
• ipaddr.js

These are "hidden" deps that even though they look non-patch, depending on the change may surface to our users as a patch, but just needs investigation to confirm:

• media-typer
• qs
• safe-buffer
• setprototypeof

Hi @UlisesGascon just wanted to check in on if you have done any additional research, or should I take over this?

As you wish ;-)

I can submit a PR for [email protected] and [email protected] in their relevant repos. And the same for "hidden" deps.

What do you want me to do? 🤔

I can submit a PR for [email protected] and ipaddr.[email protected] in their relevant repos.

Sure!

And the same for "hidden" deps.

Well, we need to research on _if_ they would result in a patch, minor, or major of the relevant repo first. Would you want to take on that research task, or wait to hear back on it and do the prs?

by the way, expressjs why not use es2015+ syntax?

Hi @anlexN.

Please, stop asking for ES6 in all the issues and PRs. Let me explain you why right now Express is not capable of support es2015+:

• For Express 4.x the minium nodejs version supported is Node 0.10 see. ES6 is not compatible (Node 4.x)
• For Express 5.x there will be support (promises, etc...). You can see the full roadmap here

Hello everyone,
I can help with array-flatten (2.1.2) -> (3.0.0) if someone can mentor me a bit.

Hi @sarthak0906 the array-flatten is not possible to updated in the 4.x line, which this issue is tracking.

Hi,

cookie versions <= 0.4.0 are affected by

Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path CVE-2017-18589 cookie-0.4.0 High None CVE-2017-18589 https://nvd.nist.gov/vuln/detail/CVE-2017-18589 npm nvdv2:cves /opt/magic_mirror/node_modules/cookie/package.json

So updating to fixed version 0.4.1 would be great.

Thanks,

Karsten.

Hi @khassel you need to contact whatever vendor is incorrectly doing that detection. (1) what you showed there says "Fix: none", implying that upgrading to 0.4.1 will not fix your issue (2) Going to https://nvd.nist.gov/vuln/detail/CVE-2017-18589 it says that is a Rust package, not a Node.js package, affecting cookie crate before 0.7.6 (of course the npm cookie versions max out at 0.4.1).

yes, the description of the CVE points to a rust package:

An issue was discovered in the cookie crate before 0.7.6 for Rust. Large integers in the Max-Age of a cookie cause a panic.

But the release info of cookie 0.4.1 is Fix maxAge option to reject invalid values so may its related.

The scan was done with anchore cli.

Hi @khassel I, myself, made the change in the cookie 0.4.1 release. It was simply to provide a better error message to the developer; there is no security issue. An error is thrown no matter what, I just changed the message to help understand the error in 0.4.1. The message you provided seems to say there is no fix version. Where exactly did you get that "it affects <= 0.4.0" ? Can you cite where it says that actually updating it to 0.4.1 will fix the issue? I suspect if they are mixing up the rust and npm packages, then it would need to be version 0.7.6 to make the message go away, which there is no such version.

Please provide evidence that (1) there is actually a security issue in cookie 0.4.0 and (2) updating to 0.4.1 will actually fix the listing of it in your scanning software.

Thanks for your replies.

I can't evidence (1) and may this is a false positive of anchore cli. So sorry for wasting your time.
For (2) I built 2 simple simple docker images.

Nr.1:
````
FROM node:lts-buster-slim

RUN npm install -g [email protected]
````

Nr.2:
````
FROM node:lts-buster-slim

RUN npm install -g [email protected]
````

Scanning Nr.1 produces the CVE, scanning Nr.2 does not.

Thank you @khassel for validating that with anchore cli. I am attempting to contact anchore about this in the meantime for you. If you have an enterprise license and some method to contact this company, that would be a big help as well.

Sorry, no enterprise licence ...

They are writing here some lines about false positives. I can take a look in the logs tomorow (its to late now ...).

So far here are the full results of the 2 scans:

````
k13@k8s:~/tmp$ docker exec anchore_api anchore-cli image vuln registry.gitlab.com/khassel/container/cookie:0.4.0 non-os
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2017-18589 cookie-0.4.0 High None CVE-2017-18589 https://nvd.nist.gov/vuln/detail/CVE-2017-18589 npm nvdv2:cves /usr/local/lib/node_modules/cookie/package.json
CVE-2020-7754 npm-user-validate-1.0.0 High None CVE-2020-7754 https://nvd.nist.gov/vuln/detail/CVE-2020-7754 npm nvdv2:cves /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774 y18n-4.0.0 High None CVE-2020-7774 https://nvd.nist.gov/vuln/detail/CVE-2020-7774 npm nvdv2:cves /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-xgh6-85xh-479p npm-user-validate-1.0.0 Low 1.0.1 https://github.com/advisories/GHSA-xgh6-85xh-479p npm github:npm /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json

k13@k8s:~/tmp$ docker exec anchore_api anchore-cli image vuln registry.gitlab.com/khassel/container/cookie:0.4.1 non-os
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2020-7754 npm-user-validate-1.0.0 High None CVE-2020-7754 https://nvd.nist.gov/vuln/detail/CVE-2020-7754 npm nvdv2:cves /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
CVE-2020-7774 y18n-4.0.0 High None CVE-2020-7774 https://nvd.nist.gov/vuln/detail/CVE-2020-7774 npm nvdv2:cves /usr/local/lib/node_modules/npm/node_modules/y18n/package.json
GHSA-xgh6-85xh-479p npm-user-validate-1.0.0 Low 1.0.1 https://github.com/advisories/GHSA-xgh6-85xh-479p npm github:npm /usr/local/lib/node_modules/npm/node_modules/npm-user-validate/package.json
````