expressjs / generator

Express' application generator
MIT License

`express-generator` app uses modules which have critical security vulnerabilities #327

Open RushilJalal opened 1 week ago

RushilJalal commented 1 week ago


I created an app using express-generator and on running `npm i` I am told that some of the modules have high and several critical level security vulnerabilities. I ran `npm audit fix --force`, which still didn't fix the problem. I referred to https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install, which asked to uninstall jade and install pug instead, which fixed the issue. I believe this should be built in and the user should not be required to manually install pug.

RushilJalal commented 1 week ago

Even after following https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install, on running `npm start` I am greeted with the attached screenshot. I would be grateful if someone could point me to the solution as I am completely new to express.

IamLizu commented 1 week ago

Can we please transfer this to https://github.com/expressjs/generator?

cc: @UlisesGascon

RushilJalal commented 1 week ago

Yes, that would be much better. Apologies, I was not aware of the generator being a separate repo.

IamLizu commented 1 week ago

No worries @RushilJalal

Thank you for reporting this.

RushilJalal commented 6 days ago

Is it possible to assign this issue to me? I would love to contribute, although I would need some help...

IamLizu commented 6 days ago

Sure @RushilJalal

RushilJalal commented 6 days ago
```js
// cmd.js
it('should have a package.json file', function () {
  var file = path.resolve(ctx.dir, 'package.json')
  var contents = fs.readFileSync(file, 'utf8')
  assert.strictEqual(contents, '{\n' +
    '  "name": "express-1-no-args",\n' +
    '  "version": "0.0.0",\n' +
    '  "private": true,\n' +
    '  "scripts": {\n' +
    '    "start": "node ./bin/www"\n' +
    '  },\n' +
    '  "dependencies": {\n' +
    '    "cookie-parser": "~1.4.5",\n' +
    '    "debug": "~2.6.9",\n' +
    '    "express": "~4.17.1",\n' +
    '    "http-errors": "~1.7.2",\n' +
    '    "morgan": "~1.10.0",\n' +
    // replace default jade with pug; the generator writes dependencies in
    // sorted (npm) order, so "pug" must come after "morgan" and be the last,
    // comma-free entry for the string comparison to pass
    // '    "jade": "~1.11.0",\n' +
    '    "pug": "~3.0.3"\n' +
    '  }\n' +
    '}\n')
})
```

```js
// express-cli.js
// Default view engine
if (options.view === true) {
  warning('the default view engine will not be jade in future releases\n' +
    "use `--view=jade' or `--help' for additional options")
  options.view = 'pug' // changed jade to pug
}
```

I have made the changes as highlighted in the comments. I want to run the app and test that there are no errors due to the changes I made. How do I do so? Is there anything else I need to change? Kindly advise.