Express update required due to a vulnerability #7353

Closed
nathaniel-watson-ctg-com opened this issue Oct 28, 2024 · 5 comments

nathaniel-watson-ctg-com commented Oct 28, 2024

Node version: v20.18.0
Sails version (sails): 1.5.12
ORM hook version (sails-hook-orm): N/A
Sockets hook version (sails-hook-sockets): N/A
Organics hook version (sails-hook-organics): N/A
Grunt hook version (sails-hook-grunt): N/A
Uploads hook version (sails-hook-uploads): N/A
DB adapter & version (e.g. sails-mysql@5.55.5): N/A
Skipper adapter & version (e.g. skipper-s3@5.55.5): N/A


Sails is currently referencing a slightly out of date version of Express within the 4.x line. Express has been updated: https://github.com/expressjs/express/blob/4.x/package.json . This is introducing a vulnerability: GHSA-pxg6-pf52-xh8x . The Express entry should be updated.

D:\temp>mkdir auditTest

D:\temp>cd auditTest

D:\temp\auditTest>npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help init` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg>` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
package name: (audittest)
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to D:\temp\auditTest\package.json:

{
  "name": "audittest",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "description": ""
}


Is this OK? (yes)


D:\temp\auditTest>npm install sails
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated glob@7.1.2: Glob versions prior to v9 are no longer supported

added 234 packages, and audited 235 packages in 8s

17 packages are looking for funding
  run `npm fund` for details

6 low severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

D:\temp\auditTest>npm audit
# npm audit report

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install sails@0.10.5, which is a breaking change
node_modules/cookie
node_modules/cookie-parser/node_modules/cookie
node_modules/csurf/node_modules/cookie
node_modules/express/node_modules/cookie
  cookie-parser  1.0.1 - 1.4.6
  Depends on vulnerable versions of cookie
  node_modules/cookie-parser
    sails  0.8.92 - 0.8.94 || >=0.9.0
    Depends on vulnerable versions of cookie
    Depends on vulnerable versions of cookie-parser
    Depends on vulnerable versions of csurf
    Depends on vulnerable versions of express
    Depends on vulnerable versions of express-session
    node_modules/sails
  csurf  >=1.3.0
  Depends on vulnerable versions of cookie
  node_modules/csurf
  express  3.0.0-alpha1 - 4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of cookie
  node_modules/express
  express-session  1.0.1 - 1.18.0
  Depends on vulnerable versions of cookie
  node_modules/express-session

6 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

D:\temp\auditTest>node --version
v20.18.0

D:\temp\auditTest>
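An added example, not code from Sails, Express or the cookie package, showing the kind of allowlist check that closes the gap the advisory describes: name, Path and Domain are each validated before the Set-Cookie header is assembled, so a value carrying ';' or control characters is rejected instead of being written into the header. The regexes are this example's own assumptions, derived from the RFC 6265 grammar.

```javascript
// Added example (not Sails, Express or cookie package code): an allowlist
// check on the three Set-Cookie fields named in GHSA-pxg6-pf52-xh8x.
// The regexes are this example's own assumptions based on RFC 6265.
'use strict';

// Cookie name: an RFC 2616 "token" (printable ASCII, no separators, no CTLs).
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Path attribute: printable ASCII except ';', which would end the attribute.
const COOKIE_PATH_RE = /^[\u0020-\u003A\u003C-\u007E]*$/;
// Domain attribute: dotted hostname labels with an optional leading dot.
const COOKIE_DOMAIN_RE =
  /^\.?[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Returns null when all fields are acceptable, otherwise the name of the
// first offending field so the caller can log which input was rejected.
function findBadCookieField(name, opts = {}) {
  if (!COOKIE_NAME_RE.test(name)) return 'name';
  if (opts.path !== undefined && !COOKIE_PATH_RE.test(opts.path)) return 'path';
  if (opts.domain !== undefined && !COOKIE_DOMAIN_RE.test(opts.domain)) return 'domain';
  return null;
}

// Builds a Set-Cookie header value, refusing any field that fails the allowlist.
function serializeCookie(name, value, opts = {}) {
  const bad = findBadCookieField(name, opts);
  if (bad !== null) {
    throw new TypeError(`cookie ${bad} contains characters outside the allowed set`);
  }
  let header = `${name}=${encodeURIComponent(value)}`;
  if (opts.path !== undefined) header += `; Path=${opts.path}`;
  if (opts.domain !== undefined) header += `; Domain=${opts.domain}`;
  if (opts.httpOnly) header += '; HttpOnly';
  return header;
}

// Constructed inputs: one well-formed cookie, then fields that would otherwise
// carry extra attributes or header text into the Set-Cookie line.
console.log(serializeCookie('session', 'abc 123', { path: '/', domain: 'example.com', httpOnly: true }));
const samples = [
  ['sid; Path=/', {}],
  ['sid', { path: '/; Domain=other' }],
  ['sid', { domain: 'a\r\nX: y' }],
];
for (const [n, o] of samples) {
  console.log(JSON.stringify(n), JSON.stringify(o), '-> rejected field:', findBadCookieField(n, o));
}
```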
@sailsbot

@nathaniel-watson-ctg-com Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

  • look for a workaround. (Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)
  • tell us why this issue is important to you and your team. What are you trying to accomplish? (Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. (Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. (Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. (Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.


nathaniel-watson-ctg-com commented Oct 28, 2024

I can't really think of a workaround for this. This issue is relevant because it's a security issue. I didn't use any third party plugins when verifying the issue.

nathaniel-watson-ctg-com (Author) commented

This can be fixed by updating the version of express in the package.json file to "version": "4.21.1" instead of "version": "4.21.0".

eashaw (Member) commented Nov 8, 2024

Hi @nathaniel-watson-ctg-com, we published a new version of Sails to resolve this issue.

eashaw added the resolved label Nov 8, 2024

nathaniel-watson-ctg-com (Author) commented

Great! I'm marking this issue as closed.
