[Snyk] Security upgrade express from 4.18.2 to 4.22.0#192
[Snyk] Security upgrade express from 4.18.2 to 4.22.0#192acid-chicken wants to merge 1 commit intoimastodonfrom
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-QS-14724253
There was a problem hiding this comment.
Pull request overview
This is a Snyk-generated security upgrade that updates Express from version 4.18.2 to 4.22.0 (which resolves to 4.22.1 in yarn.lock) to address a high-severity security vulnerability (SNYK-JS-QS-14724253) related to "Allocation of Resources Without Limits or Throttling" in the qs dependency with a score of 828/1000.
Key Changes
- Express upgraded from ^4.18.2 to ^4.22.0 (resolves to 4.22.1)
- Critical dependency update:
qspackage upgraded from 6.11.0 to 6.14.1 - Multiple transitive dependencies updated to support the Express upgrade
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates Express version constraint from ^4.18.2 to ^4.22.0 |
| yarn.lock | Adds Express 4.22.1 entry with updated dependencies including body-parser (~1.20.3), cookie (~0.7.1), qs (~6.14.0), and numerous supporting packages; retains the old 4.18.2 entry for compatibility with other dependencies still using express@^4.17.1 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "escape-html": "^1.0.3", | ||
| "exif-js": "^2.3.0", | ||
| "express": "^4.18.2", | ||
| "express": "^4.22.0", |
There was a problem hiding this comment.
The PR title and description indicate an upgrade to Express 4.22.0, but the actual resolved version in yarn.lock is 4.22.1. While using the caret range (^4.22.0) that resolves to 4.22.1 is functionally correct, there's a mismatch between the PR description and the actual upgrade target. Consider updating the PR description to reflect that the actual version being installed is 4.22.1, not 4.22.0, to avoid confusion.
Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.
Snyk changed the following file(s):
package.jsonyarn.lockNote for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the
.yarn/cache/directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to runyarnto update the contents of the./yarn/cachedirectory.If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-QS-14724253
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling