Vulnerable dependency send < 19.0 being pulled in via express@4.17.21. Please consider updating package.json and package-lock.json to specify a version of at least "@types/express": "^4.21.0" for express to mitigate the possibility of the vulnerable transitive dependency.
Description
├─┬ jwks-rsa@3.1.0
│ ├─┬ @types/express@4.17.21
│ │ ├─┬ @types/body-parser@1.19.5
│ │ │ ├─┬ @types/connect@3.4.38
│ │ │ │ └── @types/node@22.5.5 deduped
│ │ │ └── @types/node@22.5.5 deduped
│ │ ├─┬ @types/express-serve-static-core@4.19.5
│ │ │ ├── @types/node@22.5.5 deduped
│ │ │ ├── @types/qs@6.9.16 deduped
│ │ │ ├── @types/range-parser@1.2.7
│ │ │ └─┬ @types/send@0.17.4   <-- Here
│ │ │   ├── @types/mime@1.3.5
│ │ │   └── @types/node@22.5.5 deduped
│ │ ├── @types/qs@6.9.16
│ │ └─┬ @types/serve-static@1.15.7
│ │   ├── @types/http-errors@2.0.4
│ │   ├── @types/node@22.5.5 deduped
│ │   └── @types/send@0.17.4 deduped   <-- Here
Reproduction
Scan installed project with dependency-check. Review results.
Additional context
Please consider updating express-serve-static-core and serve-static to current versions to mitigate this vulnerable dependency.
https://ossindex.sonatype.org/vulnerability/CVE-2024-43799?component-type=npm&component-name=send&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.2
https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
https://www.npmjs.com/package/send
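To confirm whether a project actually installs an affected copy of `send` (as opposed to only the `@types/send` type definitions shown in the tree above), the following added example, which is not part of this issue or of the jwks-rsa project, walks a `package-lock.json` `packages` map (lockfileVersion 2/3) and reports every installed `send` whose version is below the patched release; it assumes the patched version is 0.19.0 as stated in the linked GHSA-m6fv-jmcg-4jfg advisory, and the lockfile fragment is a constructed sample.

```javascript
// Added example (not the jwks-rsa project's own code): report installed copies
// of a package below a fixed-in version by reading the lockfile "packages" map.
// Threshold 0.19.0 is the patched release named in GHSA-m6fv-jmcg-4jfg.

function parseVersion(v) {
  // "0.17.4" -> [0, 17, 4]; any pre-release suffix is ignored for this check.
  return v.split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function versionLessThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return [{ path, version }] for every lockfile entry whose package name is
// exactly `name` (scoped packages such as @types/send do not match "send")
// and whose version is below `fixedIn`.
function findVulnerableInstalls(lock, name, fixedIn) {
  const hits = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const pkgName = path.slice(path.lastIndexOf(marker) + marker.length);
    if (pkgName === name && entry.version && versionLessThan(entry.version, fixedIn)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/send': { version: '0.18.0' },
    'node_modules/serve-static/node_modules/send': { version: '0.19.0' },
    'node_modules/@types/send': { version: '0.17.4' },
  },
};

const report = findVulnerableInstalls(SAMPLE_LOCK, 'send', '0.19.0');
console.log(report); // → [ { path: 'node_modules/send', version: '0.18.0' } ]
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to run it against a real project.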
jwks-rsa version
3.1.0
Node.js version
18.20.3