Fix for the ReDOS vulnerability

[snyk-community]

camperbot is currently affected by the high-severity ReDoS vulnerability.

Vulnerable module: negotiator Introduced through: express

This PR fixes the ReDoS vulnerability by upgrading express to version 4.14.0. This upgrade will also fix the following other vulnerabilities:

• Directory Traversal vulnerability in the send dependency.
• Denial of Service (Event Loop Blocking) vulnerability in the qs dependency.
• Denial of Service (Memory Exhaustion) vulnerability in the qs dependency.
• Cross-Site Scripting vulnerability in the express dependency.
• Non-Constant Time String Comparison vulnerability in the cookie-signature dependency.
• Root Path Disclosure vulnerability in the send dependency.

Check out the Snyk test report to review other vulnerabilities that affect this repo.

Watch the repo to

• get alerts if newly disclosed vulnerabilities affect this repo in the future.
• generate pull requests with the fixes you want, or let us do the work: when a newly disclosed vulnerability affects you, we'll submit a fix to you right away.

Stay secure, The Snyk team

[QuincyLarson]

@raisedadead since you now have CamperBot running locally, can you verify that updating the Express version doesn't seem to break any existing functionality?

[raisedadead]

Before I test and merge this, I want to confirm with @BerkeleyTrue

[BerkeleyTrue]

@raisedadead Confirm what?

[raisedadead]

Opps, sorry incorrect mention. I meant @dhcodes !

Dylan, could also double check?

[dhcodes]

Doesn't seem to break anything on my end. Merging in.

[dhcodes]

Submitted a revert request. This does actually break the install. Based on the error, Express now has you install middlewares separately so we need to determine which we need to add to package.json before we update express. Here's the list: https://github.com/senchalabs/connect#middleware.