hybrid ruin
Hi, I know there is an issue with this package that is not affecting everyone in NestJS projects, but do you know the current status? Or is there any issue that I can follow? I have seen solutions like making a:
"overrides": {
"@nestjs/platform-express": {
"body-parser": "1.20.3",
"express": "4.21.0",
"path-to-regexp": "^3.3.0"
},
"@nestjs/core": {
"path-to-regexp": "^3.3.0"
}
}
But I think it's something that must be temporary, I imagine.
light jackal
I guess the status is: we are wating for Kamil to merge this PR: https://github.com/nestjs/nest/pull/13971
but you can address this in your side already using the overrides feature + monkey patching as I said here: https://github.com/nestjs/nest/issues/13955#issuecomment-2341952757
hybrid ruin
I guess the status is: we are wating for Kamil to merge this PR: https://github....
Thanks, I'll be reviewing
noble minnow
but you can address this in your side already using the overrides feature + monk...
Did this actually resolve an issue? I see "path-to-regexp": "3.3.0",
in core dependencies, but still
light jackal
Did this actually resolve an issue? I see "path-to-regexp": "3.3.0",
in core...
still what? I didn't get.
v3.3.0 addresses that vuln
noble minnow
My bad, i sent incomplete message,
the vulnerability stemmed from @nestjs/platform-express which had an express 4.21.1 as a dependency and express has a dependency on path-to-regex of version 0.1.10,
I'm going to see overriding the express and path-to-regex for @nestjs/platform-express fixes this issue
light jackal
btw in express v5 they dropped that dependency
noble minnow
It seems to have fixed an issue, reinstalled dependencies and 0 vulnerabilities reported.
noble minnow
btw in express v5 they dropped that dependency
Would you recommend to go for express v5? I'm starting a fresh project,
light jackal
Would you recommend to go for express v5? I'm starting a fresh project,
express v5 was not released yet
and nestjs doesn't support it yet so
it will be supported in nestjs v11
noble minnow
That's great, I was boasting of nest js dependency management to my peers at work and i hardly made everyone agreed to go with nestjs, and i saw this vulnerability today, thankGod I saw it on weekend 😄
btw, do you have any information if theres going to be fix for this in coming versions of @nestjs/platform-express?
light jackal
well, since that package is a dep of express@4, we can't do much on @nestjs/* side
it will be fixed in the next major release of @nestjs/platform-express
due to the updates made on express
noble minnow
One thing I notice is, the most recent version of @nestjs/platform on npm is 10.4.13, and it is "@nestjs/platform-express": "^10.0.0", in my app package.json file, I have nest 10.4.8, I wonder why the application was not generated with latest version of @nestjs/platform-express