
chore(deps): update express and related types to their latest compatible versions#5561

Merged
alexander-akait merged 1 commit into webpack:version-4 from romariomelo:chore/v4-update-version-express-lib
Aug 13, 2025

Conversation

@romariomelo

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

N/A - This is a dependency update to fix a security vulnerability.

Motivation / Use-Case

This PR addresses a critical security vulnerability CVE-2024-45296 in the path-to-regexp dependency, which is a transitive dependency of Express.

Vulnerability Details:

The vulnerability affects path-to-regexp versions < 0.1.10, which can generate backtracking regular expressions that consume excessive CPU cycles, potentially leading to DoS attacks.

Changes Made:

  • Updated express from 4.17.3 to 4.21.2
  • Updated @types/express from 4.17.13 to 4.17.21
  • This update includes the patched version of path-to-regexp (0.1.12) which resolves the vulnerability

References:

Breaking Changes

No breaking changes are expected. This is a security patch that maintains backward compatibility.

Additional Info

The update includes several other dependency updates that are part of the Express ecosystem:

  • body-parser: 1.20.1 → 1.20.3
  • cookie: 0.5.0 → 0.7.1
  • encodeurl: 1.0.2 → 2.0.0
  • finalhandler: 1.2.0 → 1.3.1
  • merge-descriptors: 1.0.1 → 1.0.3
  • path-to-regexp: 0.1.7 → 0.1.12 (critical security fix)
  • qs: 6.11.0 → 6.13.0
  • send: 0.18.0 → 0.19.0
  • serve-static: 1.15.0 → 1.16.2

All changes are backward compatible and primarily focus on security improvements and bug fixes.

- Updated `@types/express` from `^4.17.13` to `^4.17.21`
- Updated `express` from `^4.17.3` to `^4.21.2`
- Updated various dependencies in `package-lock.json` to their latest versions, including `body-parser`, `cookie`, `qs`, and others.

This ensures compatibility with the latest features and security updates.
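As an added check that is not part of this PR or of webpack-dev-server itself: a script that walks a lockfile's `packages` map (lockfileVersion 2/3) and reports every installed copy, nested ones included, that is still below the versions listed above. The sample lockfile is constructed for the demonstration, and the version comparison is a deliberate simplification of semver.

```javascript
// Added example, not the project's code. Minimum versions are the ones this PR
// introduces; any additional copy of a package nested under another dependency's
// node_modules is checked too, since that copy is what the dependent code loads.
const MINIMUMS = {
  express: '4.21.2',
  'path-to-regexp': '0.1.12',
  'body-parser': '1.20.3',
  cookie: '0.7.1',
  qs: '6.13.0',
  send: '0.19.0',
  'serve-static': '1.16.2',
};

// Compare dotted numeric versions; returns <0, 0 or >0. Pre-release suffixes are
// dropped (simplification; a real project would use the semver package).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return one finding per lockfile entry whose version is below its minimum.
function findOutdated(lock, minimums = MINIMUMS) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry ("") has no node_modules prefix
    const name = path.slice(idx + 'node_modules/'.length); // keeps @scope/name intact
    const min = minimums[name];
    if (!min || !meta.version) continue;
    if (compareVersions(meta.version, min) < 0) {
      findings.push({ path, name, installed: meta.version, minimum: min });
    }
  }
  return findings;
}

// Constructed sample: the top-level packages are patched, but a nested copy of
// path-to-regexp pulled in by a hypothetical "some-router" package is still 0.1.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/express': { version: '4.21.2' },
    'node_modules/path-to-regexp': { version: '0.1.12' },
    'node_modules/cookie': { version: '0.7.1' },
    'node_modules/some-router/node_modules/path-to-regexp': { version: '0.1.7' },
  },
};

for (const f of findOutdated(SAMPLE_LOCK)) {
  console.log(`${f.path}: installed ${f.installed} < required ${f.minimum}`);
}
```

To run it against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.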
@linux-foundation-easycla

linux-foundation-easycla Bot commented Aug 12, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: romariomelo / name: Romário Marques Melo (47f53a0)

@romariomelo romariomelo changed the title chore(deps): update express and related types to latest versions chore(deps): update express and related types to their latest compatible versions Aug 12, 2025
@alexander-akait alexander-akait merged commit 8af6dee into webpack:version-4 Aug 13, 2025
3 checks passed