fix(security): update path-to-regex (#2357)

- also related parent module express - and related module body-parser - dependencies are dev only - removed test project file change - second upgrade of express overnight - and related module static-server - and related module send Issue: tools-suite/issues/31259 Issue: https://github.com/SAP/open-ux-tools/security/dependabot/148 Issue: https://github.com/SAP/open-ux-tools/security/dependabot/149 Issue: https://github.com/SAP/open-ux-tools/security/dependabot/135 Issue: https://github.com/SAP/open-ux-tools/security/dependabot/151 Issue: https://github.com/SAP/open-ux-tools/security/dependabot/150 Co-authored-by: Austin Devine <[email protected]> Co-authored-by: Klaus Keller <[email protected]>
SAP · Sep 17, 2024 · b6a9bbb · b6a9bbb
1 parent 5587c3f
commit b6a9bbb
Show file tree

Hide file tree

Showing 11 changed files with 263 additions and 210 deletions.
diff --git a/docs/version-overrides.md b/docs/version-overrides.md
@@ -2,6 +2,26 @@
 
 This document lists the version overrides for vulnerable (nested) dependencies and the reason.
 
-```
+## @ui5/cli -> @ui5/server -> router
+
+- waiting on UI5 fixes to be released
+- may be necessary to upgrade to version 4 of the UI5 cli
 
 ```
+┌─────────────────────┬────────────────────────────────────────────────────────┐
+│ high                │ path-to-regexp outputs backtracking regular            │
+│                     │ expressions                                            │
+├─────────────────────┼────────────────────────────────────────────────────────┤
+│ Package             │ path-to-regexp                                         │
+├─────────────────────┼────────────────────────────────────────────────────────┤
+│ Vulnerable versions │ <0.1.10                                                │
+├─────────────────────┼────────────────────────────────────────────────────────┤
+│ Patched versions    │ >=0.1.10                                               │
+├─────────────────────┼────────────────────────────────────────────────────────┤
+│ Paths               │ packages\preview-middleware-client > @ui5/[email protected] >  │
+│                     │ @ui5/[email protected] > [email protected] >                     │
+│                     │ [email protected]                                   │
+├─────────────────────┼────────────────────────────────────────────────────────┤
+│ More info           │ https://github.com/advisories/GHSA-9wv6-86v2-598j      │
+└─────────────────────┴────────────────────────────────────────────────────────┘
+```
diff --git a/package.json b/package.json
@@ -62,6 +62,7 @@
     "packageManager": "[email protected]",
     "pnpm": {
         "overrides": {
+            "router>path-to-regexp": "0.1.10"
         }
     }
 }
diff --git a/packages/adp-tooling/package.json b/packages/adp-tooling/package.json
@@ -65,7 +65,7 @@
         "@types/supertest": "2.0.12",
         "@types/uuid": "10.0.0",
         "dotenv": "16.3.1",
-        "express": "4.19.2",
+        "express": "4.21.0",
         "nock": "13.4.0",
         "rimraf": "5.0.5",
         "supertest": "6.3.3"

diff --git a/packages/backend-proxy-middleware/package.json b/packages/backend-proxy-middleware/package.json
@@ -48,7 +48,7 @@
         "@types/prompts": "2.4.4",
         "@types/proxy-from-env": "1.0.1",
         "@types/supertest": "2.0.12",
-        "express": "4.19.2",
+        "express": "4.21.0",
         "nock": "13.4.0",
         "supertest": "6.3.3",
         "yaml": "2.2.2"

diff --git a/packages/cards-editor-middleware/package.json b/packages/cards-editor-middleware/package.json
@@ -35,7 +35,8 @@
         "@types/ejs": "3.1.2",
         "@types/express": "4.17.21",
         "@types/supertest": "2.0.12",
-        "supertest": "6.3.3"
+        "supertest": "6.3.3",
+        "express": "4.21.0"
     },
     "peerDependencies": {
         "express": "4"

diff --git a/packages/control-property-editor/package.json b/packages/control-property-editor/package.json
@@ -37,7 +37,7 @@
         "@types/remote-redux-devtools": "0.5.4",
         "@types/source-map-support": "0.5.0",
         "@types/react": "16.14.55",
-        "body-parser": "1.20.1",
+        "body-parser": "1.20.3",
         "eslint-plugin-react": "7.33.2",
         "http-proxy-middleware": "1.3.1",
         "i18next": "20.6.1",

diff --git a/packages/preview-middleware/package.json b/packages/preview-middleware/package.json
@@ -61,7 +61,7 @@
         "copyfiles": "2.4.1",
         "@types/mem-fs": "1.1.2",
         "@types/mem-fs-editor": "7.0.1",
-        "express": "4.19.2",
+        "express": "4.21.0",
         "npm-run-all2": "6.2.0",
         "nock": "13.4.0",
         "supertest": "6.3.3",

diff --git a/packages/reload-middleware/package.json b/packages/reload-middleware/package.json
@@ -45,7 +45,7 @@
         "@types/livereload": "0.9.5",
         "@types/supertest": "2.0.12",
         "axios": "1.7.4",
-        "express": "4.19.2",
+        "express": "4.21.0",
         "supertest": "6.3.3"
     },
     "engines": {

diff --git a/packages/serve-static-middleware/package.json b/packages/serve-static-middleware/package.json
@@ -36,8 +36,8 @@
         "@sap-ux/logger": "workspace:*"
     },
     "devDependencies": {
-        "express": "4.19.2",
-        "serve-static": "1.15.0",
+        "express": "4.21.0",
+        "serve-static": "1.16.2",
         "supertest": "6.3.3",
         "@types/express": "4.17.21",
         "@types/serve-static": "1.15.5",

diff --git a/packages/ui5-proxy-middleware/package.json b/packages/ui5-proxy-middleware/package.json
@@ -46,7 +46,7 @@
         "@types/express": "4.17.21",
         "@types/supertest": "2.0.12",
         "@types/proxy-from-env": "1.0.1",
-        "express": "4.19.2",
+        "express": "4.21.0",
         "nock": "13.4.0",
         "supertest": "6.3.3",
         "yaml": "2.2.2"