npm audit fail on last Express version (4.20.0) due to send(0.19.0) vulnerability

[poiuylkkk]

Bug Report: npm audit fails on latest Express version (4.20.0) due to send(0.19.0) vulnerability

Issue Description

Running npm audit on the latest version of Express (4.20.0) fails due to a moderate severity vulnerability in send (<0.19.0).

Here’s the relevant output from npm audit:

npm audit report send <0.19.0

Severity: moderate
send vulnerability to template injection can lead to XSS - http://github.com/advisories/GHSA-m6fv-jmcg-4jfg
No fix available

Steps to reproduce

npm install express --save

Belonging report in serve-static, where the upgrade to send 0.19.0 is already prepared: expressjs/serve-static#175

[NewEraCracker]

My advice for now, if using express v4, until the maintainers actually fix this. See: Mismatched dependency versions

  "overrides": {
    "encodeurl": "~2.0.0",
    "qs": "^6.13.0",
    "send": "^0.19.0"
  },

Be aware it may not be possible for every occasion if other dependencies use a completely different version. My two cents.

[wesleytodd]

Closing this in favor of this more complete list of things we need to align versions for: #5943

[wesleytodd]

https://github.com/expressjs/express/releases/tag/4.21.0