
Conversation

@hardillb
Member

@hardillb hardillb commented Dec 2, 2025

Bump to pick up CVE fix for downstream projects

@dceejay
Member

dceejay commented Dec 2, 2025

saw you bumped main one to 4.22.1 ... may as well do same here

@hardillb hardillb changed the title from "Update express dependency to version 4.22.0" to "Update express dependency to version 4.22.1" Dec 2, 2025
@hlovdal

hlovdal commented Jan 3, 2026

For reference:

npm audit 
# npm audit report

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
...

and

npm ls -a
...
├─┬ node-red-node-test-helper@0.3.5
│ ├─┬ body-parser@1.20.3
...
│ │ ├─┬ qs@6.13.0
...

Temporary workaround while waiting for this pull request to be completed and released, add

  ...
  "overrides": {
    "node-red-node-test-helper": {
      "body-parser": "1.20.4"
    }
  },
  ...

to package.json.
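A defender-side check in the spirit of this workaround, added here as an example and not part of the pull request or the node-red project: it walks the JSON form of `npm ls -a --json` (the sample tree below is constructed to mirror the `npm ls` output quoted above) and lists every dependency path that pulls in a `qs` older than the advisory's fixed version, so the override can be confirmed effective after `npm install`.

```javascript
// Added example (not from the PR or the node-red project): report every copy
// of a package below a fixed version in an `npm ls -a --json` tree, together
// with the path that pulls it in. For a real project, feed it
// JSON.parse(execSync('npm ls -a --json')) instead of the constructed sample.

// Minimal "major.minor.patch" comparison; prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect "name@version > ..." paths to every copy of `pkg`
// whose version is below `fixedIn`. `node` is one entry of npm's JSON tree.
function findVulnerable(node, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${child.version}`];
    if (name === pkg && compareVersions(child.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerable(child, pkg, fixedIn, here));
  }
  return hits;
}

// Constructed sample shaped like `npm ls -a --json` output, mirroring the
// thread: qs@6.13.0 reached through the test helper's body-parser@1.20.3.
const sampleTree = {
  name: 'my-node-red-node',
  version: '0.1.0',
  dependencies: {
    'node-red-node-test-helper': {
      version: '0.3.5',
      dependencies: {
        'body-parser': {
          version: '1.20.3',
          dependencies: { qs: { version: '6.13.0' } },
        },
      },
    },
    // A copy already at the advisory's fixed version is not reported.
    qs: { version: '6.14.1' },
  },
};

for (const hit of findVulnerable(sampleTree, 'qs', '6.14.1')) {
  console.log('vulnerable:', hit);
}
```

An empty result after applying the override and reinstalling means no copy of `qs` below 6.14.1 remains in the tree.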

hlovdal added a commit to hlovdal/node-red-display-property that referenced this pull request Jan 3, 2026
While waiting for upstream pull request to complete and be released,
node-red/node-red-node-test-helper#85.
@hlovdal

hlovdal commented Jan 3, 2026

@hardillb You might preferably also bump body-parser to ^1.20.4 since that version fixes a qs security dependency.

hlovdal added a commit to hlovdal/hlovdal-node-red-lowercase-in-typescript that referenced this pull request Jan 4, 2026
While waiting for upstream pull request to complete and be released,
node-red/node-red-node-test-helper#85.