ljharb / qs

A querystring parser with nesting support
BSD 3-Clause "New" or "Revised" License

Issue using qs while using Express@5 #468

Closed aderchox closed 1 year ago

aderchox commented 1 year ago

There seems to be an issue using qs while using Express@5. Is this an issue of qs or express@5?

qs  6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install express@4.18.2, which is a breaking change
node_modules/qs
  body-parser  1.19.1 || 2.0.0-beta.1
  Depends on vulnerable versions of qs
  node_modules/body-parser
    express  4.17.2 || >=5.0.0-alpha.1
    Depends on vulnerable versions of body-parser
    Depends on vulnerable versions of qs
    node_modules/express

ljharb commented 1 year ago

That suggests you're using express 4, not 5. Can you confirm that you're on the latest of v4 or v5, and which you're on?

aderchox commented 1 year ago

> That suggests you're using express 4, not 5. Can you confirm that you're on the latest of v4 or v5, and which you're on?

I'm pretty sure I was using version 5, and the error is saying if I force run npm audit fix, it will install express version 4 for me to fix the above issue, which is a breaking change (major version of my express changes from v5 to v4).


ljharb commented 1 year ago

What does npm explain qs print out?

aderchox commented 1 year ago

> What does npm explain qs print out?

$ npm explain qs
qs@6.9.6
node_modules/qs
  qs@"6.9.6" from body-parser@2.0.0-beta.1
  node_modules/body-parser
    body-parser@"2.0.0-beta.1" from express@5.0.0-beta.1
    node_modules/express
      express@"^5.0.0-beta.1" from the root project
  qs@"6.9.6" from express@5.0.0-beta.1
  node_modules/express
    express@"^5.0.0-beta.1" from the root project

ljharb commented 1 year ago

ah, looks like express 5 as well as body-parser 2 are depending on qs without a ^. Can you file an issue on those projects to use a caret range?

Otherwise, you'll probably just have to wait until they release an update.
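Added illustration of the point above (not code from qs, express or body-parser): with an exact pin like qs@"6.9.6" npm can only ever install that one version, so `npm audit fix` has nothing in range to move to, while a caret range lets it resolve a patched release. The registry snapshot and the 6.9.7 patch version are constructed for this example; the advisory range 6.9.0 - 6.9.6 is the one quoted in the issue.

```javascript
// Minimal semver range matcher for plain x.y.z versions (no prerelease tags), written for
// this illustration; it is not npm's resolver, only the caret rule npm applies.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Does `version` satisfy `range`? Handles an exact version ("6.9.6") and a caret range
// ("^6.9.6"): at least the stated version and below the next breaking release, which is
// the next major, or the next minor/patch while the leading components are 0 (npm's rule).
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!range.startsWith('^')) return compare(v, parseVersion(range)) === 0;
  const lo = parseVersion(range.slice(1));
  if (compare(v, lo) < 0) return false;
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
  return compare(v, hi) < 0;
}

// Highest published version satisfying `range` (what npm installs), or null if none does.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v)).map(parseVersion).sort(compare);
  return ok.length ? ok[ok.length - 1].join('.') : null;
}

// Advisory range from the issue: qs 6.9.0 - 6.9.6. Constructed registry snapshot; 6.9.7
// stands in for the first patched release in that line.
const PUBLISHED = ['6.9.5', '6.9.6', '6.9.7', '6.10.0', '6.11.0', '7.0.0'];

function isVulnerable(version) {
  const v = parseVersion(version);
  return compare(v, [6, 9, 0]) >= 0 && compare(v, [6, 9, 7]) < 0;
}

// What an audit sees for a declared range: the version that would be installed and
// whether it still falls inside the advisory range.
function audit(range) {
  const picked = resolve(range, PUBLISHED);
  return { picked, vulnerable: picked !== null && isVulnerable(picked) };
}

console.log(audit('6.9.6'));  // { picked: '6.9.6', vulnerable: true }: only a forced downgrade changes anything
console.log(audit('^6.9.6')); // { picked: '6.11.0', vulnerable: false }
```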

dougwilson commented 1 year ago

Hello 👋 apologies, I am in progress at the moment with the updated express 5 for qs and a couple of other reported vulns. We have a new body-parser 2 out already now with the updated qs, just not the express 5 (as we're wrapping up non-qs vuln fixes atm).

aderchox commented 1 year ago

> Hello 👋 apologies, I am in progress at the moment with the updated express 5 for qs and a couple of other reported vulns. We have a new body-parser 2 out already now with the updated qs, just not the express 5 (as we're wrapping up non-qs vuln fixes atm).

Hi @dougwilson, ah you were quick! I was commenting on an issue where you were asked about the date of the v5 stable release, and you'd asked everyone to report problems they encounter. But before I submit the comment, whoosh, you appeared here 😃, thanks for all your efforts. So you know about this already, and I'll close this issue. May the Force be with you ✌.