[Snyk] Security upgrade express from 4.21.2 to 4.22.0 #108
Puthikunkim wants to merge 1 commit into main from
…rabilities The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-QS-15268416
Pull request overview
Security-driven dependency bump generated by Snyk to remediate a reported vulnerability in the backend’s npm dependency tree by upgrading Express.
Changes:
- Upgraded `express` from `^4.21.2` to `^4.22.0` in `backend/package.json`.
- Updated `backend/package-lock.json` to reflect the new `express@4.22.0` resolution and its transitive dependency graph (including an updated `qs` under `express`).
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| backend/package.json | Bumps Express version to the Snyk-specified target. |
| backend/package-lock.json | Updates resolved Express package and transitive dependencies (adds nested qs@6.14.x under Express). |
Files not reviewed (1)
- backend/package-lock.json: Language not supported
| "body-parser": "~1.20.3", | ||
| "content-disposition": "~0.5.4", | ||
| "content-type": "~1.0.4", | ||
| "cookie": "0.7.1", | ||
| "cookie-signature": "1.0.6", | ||
| "cookie": "~0.7.1", | ||
| "cookie-signature": "~1.0.6", |
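Review bot: the context line `"body-parser": "~1.20.3"` is unchanged in this hunk, so the top-level qs that body-parser resolves is not affected by this bump; the only changes visible here are express's own declared ranges moving from exact pins to tilde ranges (`"cookie": "0.7.1"` to `"cookie": "~0.7.1"`, `"cookie-signature": "1.0.6"` to `"cookie-signature": "~1.0.6"`). Before merging, confirm that the top-level qs entry in backend/package-lock.json resolves to a version at or above the fixed 6.14.x that the nested copy under express now uses, otherwise the advisory this PR cites remains open.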
express@4.22.0 now brings in qs@6.14.x under node_modules/express, but this lockfile still contains a top-level qs@6.13.0 (pulled in via body-parser@1.20.3). If the Snyk issue is for qs, scanners may still flag the project. Consider upgrading the dependency that pins qs@6.13.0 (e.g., body-parser) or adding an npm overrides entry to force qs@>=6.14.0, then re-generate the lockfile to ensure the vulnerable version is removed.
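The situation described in the comment above (a fixed nested `qs` under express beside a still-vulnerable top-level `qs`) is easy to miss in a lockfile diff. The following Node script is an added example, not part of this PR or of Snyk's or Copilot's tooling: it walks a lockfile's `packages` map (lockfile v2/v3), lists every resolved copy of one package with the dependents that declare it, and flags copies below a minimum version. `SAMPLE_LOCK` is a constructed lockfile; the 6.14.0 minimum and the `overrides` suggestion follow the review comment.

```javascript
// Added example (not from the PR or Snyk): audit a package-lock.json for every
// resolved copy of one package and flag the copies below a minimum version.
// SAMPLE_LOCK is a constructed lockfile mirroring the review comment: express
// pulls in a nested qs@6.14.0 while body-parser still resolves top-level qs@6.13.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "backend", dependencies: { express: "^4.22.0" } },
    "node_modules/express": { version: "4.22.0", dependencies: { qs: "~6.14.0", "body-parser": "~1.20.3" } },
    "node_modules/express/node_modules/qs": { version: "6.14.0" },
    "node_modules/body-parser": { version: "1.20.3", dependencies: { qs: "6.13.0" } },
    "node_modules/qs": { version: "6.13.0" },
  },
};

// Numeric dotted-version comparison; enough for npm releases without pre-release tags.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every install path of `name`, nested copies included, with its resolved version.
// The text after the last "node_modules/" is the installed name, so scoped packages work too.
function findInstalls(lock, name, minVersion) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project entry
    const installed = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (installed !== name) continue;
    results.push({ path, version: entry.version, vulnerable: compareVersions(entry.version, minVersion) < 0 });
  }
  return results;
}
// Packages whose dependency ranges pull `name` in: the candidates to bump or override.
function dependentsOf(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([, e]) => e.dependencies && name in e.dependencies)
    .map(([path, e]) => ({ path: path || "(root)", range: e.dependencies[name] }));
}
// Full report; `overrides` is npm's package.json field (npm 8.3+) for forcing a single resolution.
function auditLock(lock, name, minVersion) {
  const installs = findInstalls(lock, name, minVersion);
  const stillVulnerable = installs.some((i) => i.vulnerable);
  const suggestedOverride = stillVulnerable ? { overrides: { [name]: `>=${minVersion}` } } : null;
  return { installs, dependents: dependentsOf(lock, name), stillVulnerable, suggestedOverride };
}
console.log(JSON.stringify(auditLock(SAMPLE_LOCK, "qs", "6.14.0"), null, 2));
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("backend/package-lock.json", "utf8"))`; after applying an override, re-run `npm install` and the audit again, since the override only takes effect once the lockfile has been regenerated.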
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- backend/package.json
- backend/package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-QS-15268416
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Allocation of Resources Without Limits or Throttling