maptiler / tileserver-gl

Vector and raster maps with GL styles. Server side rendering by MapLibre GL Native. Map tile server for MapLibre GL JS, Android, iOS, Leaflet, OpenLayers, GIS via WMTS, etc.
https://tileserver.readthedocs.io/en/latest/

Security Vulnerabilities - Request to update express version from 4.19.2 to 4.21.1 #1412

Open tblauer opened 6 days ago

tblauer commented 6 days ago

When running anchor and trivy vulnerability scans on this library, there are 6 CVEs showing up that are all associated with the version of express and/or its dependencies.

Updating to express 4.21.1 would update all of the affected libraries to versions in which the vulnerabilities have been fixed.

The table below shows the affected libraries, the fixed version according to the CVE, and which versions of the dependent libraries are in the specified version of express.

| CVE | Package | Installed Version | Fixed In | express 4.20.0 | express 4.21.0 | express 4.21.1 |
|---|---|---|---|---|---|---|
| CVE-2024-43796 | express | 4.19.2 | 4.20.0 | 4.20.0 | 4.21.0 | 4.21.1 |
| CVE-2024-45296 | path-to-regexp | 0.1.7 | 0.1.10 or 8.0.0 | 0.1.10 | 0.1.10 | 0.1.10 |
| CVE-2024-45590 | body-parser | 1.20.2 | 1.20.3 | 1.20.3 | 1.20.3 | 1.20.3 |
| CVE-2024-43799 | send | 0.18.0 | 0.19.0 | 0.19.0 | 0.19.0 | 0.19.0 |
| CVE-2024-43800 | serve-static | 1.16.0 | 1.16.0 | 1.16.0 | 1.16.2 | 1.16.2 |
| CVE-2024-47764 | cookie | 0.6.0 | 0.7.0 | 0.6.0 | 0.6.0 | 0.7.1 |

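The following script is an added example, not tileserver-gl code and not posted by anyone in this thread. It reads the `packages` section of a package-lock.json (lockfile v2/v3 layout) and reports, for each advisory row in the table above, whether the installed version is below the fixed-in version. The advisory rows are copied from the table exactly as given, and the two lockfile fragments are constructed from the "Installed Version" and "express 4.21.1" columns so the script runs offline; the function names (`compareVersions`, `installedVersions`, `advisoryStatus`, `checkLockfile`) are the example's own.

```javascript
// Added example (not tileserver-gl code): check installed dependency versions
// in a package-lock.json against the fixed-in versions from the issue table.
// Uses only plain JavaScript; no semver package required.

// Advisory rows copied from the table as the author gave them.
// More than one fixedIn entry means one fixed release per major line.
const ADVISORIES = [
  { cve: 'CVE-2024-43796', pkg: 'express',        fixedIn: ['4.20.0'] },
  { cve: 'CVE-2024-45296', pkg: 'path-to-regexp', fixedIn: ['0.1.10', '8.0.0'] },
  { cve: 'CVE-2024-45590', pkg: 'body-parser',    fixedIn: ['1.20.3'] },
  { cve: 'CVE-2024-43799', pkg: 'send',           fixedIn: ['0.19.0'] },
  { cve: 'CVE-2024-43800', pkg: 'serve-static',   fixedIn: ['1.16.0'] },
  { cve: 'CVE-2024-47764', pkg: 'cookie',         fixedIn: ['0.7.0'] },
];

// Numeric dotted-version compare: -1, 0 or 1. Pre-release suffixes are ignored,
// which is fine for the release-only versions in the table.
function compareVersions(a, b) {
  const pa = a.split('.').map(n => parseInt(n, 10));
  const pb = b.split('.').map(n => parseInt(n, 10));
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect name -> [versions] from lockfile "packages" keys such as
// "node_modules/express" or "node_modules/send/node_modules/ms".
function installedVersions(lock) {
  const found = {};
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !entry.version) continue; // skip the root project entry
    const name = path.slice(idx + marker.length);
    (found[name] = found[name] || []).push(entry.version);
  }
  return found;
}

// 'fixed' if the installed version is at or above the fixed release for its
// major line, 'vulnerable' if below it, 'unknown' if the table lists no fixed
// release for that major line (check the advisory by hand in that case).
function advisoryStatus(version, fixedIn) {
  const major = parseInt(version, 10);
  const line = fixedIn.find(f => parseInt(f, 10) === major);
  if (line === undefined) return 'unknown';
  return compareVersions(version, line) >= 0 ? 'fixed' : 'vulnerable';
}

// One finding per (advisory, installed copy of the package).
function checkLockfile(lock) {
  const installed = installedVersions(lock);
  const findings = [];
  for (const adv of ADVISORIES) {
    for (const version of installed[adv.pkg] || []) {
      findings.push({ cve: adv.cve, pkg: adv.pkg, version,
                      status: advisoryStatus(version, adv.fixedIn) });
    }
  }
  return findings;
}

// Constructed lockfile fragments (minimal "packages" sections, not real files).
function makeLock(versions) {
  const packages = { '': { name: 'example-app' } };
  for (const [name, version] of Object.entries(versions)) {
    packages[`node_modules/${name}`] = { version };
  }
  return { lockfileVersion: 3, packages };
}

// "Installed Version" column of the table.
const LOCK_BEFORE = makeLock({ express: '4.19.2', 'path-to-regexp': '0.1.7',
  'body-parser': '1.20.2', send: '0.18.0', 'serve-static': '1.16.0', cookie: '0.6.0' });
// "express 4.21.1" column of the table.
const LOCK_AFTER = makeLock({ express: '4.21.1', 'path-to-regexp': '0.1.10',
  'body-parser': '1.20.3', send: '0.19.0', 'serve-static': '1.16.2', cookie: '0.7.1' });

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER]]) {
  for (const f of checkLockfile(lock)) {
    console.log(`${label}: ${f.cve} ${f.pkg}@${f.version} -> ${f.status}`);
  }
}
```

Run with `node check-lock.js`; to use it on a real project, replace the constructed fragments with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies of a package (for example a second `send` under another dependency) are reported separately, which is what a scanner like trivy does as well.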
acalcutt commented 5 days ago

Seems like a failed test stopped that from getting updated in https://github.com/maptiler/tileserver-gl/pull/1401. If someone wants to look into that, we can move it forward.