Open Galudas opened 2 months ago
I wonder why even @nx/webpack and @nx/react are pulling in express? It's bloating the dependency tree and slows down dependency installation. Can we make such things optional dependencies? If we (e.g. our project) don't use anything in @nx/react that would require express, we could benefit from fewer dependencies and a faster pnpm i.
I'm getting the same issue where it requires express v4.21.0. Here's the dependabot alert:
The latest possible version that can be installed is 1.8.0 because of the following conflicting dependencies:
@nx/react@19.8.2 requires path-to-regexp@0.1.10 via a transitive dependency on express@4.21.0
@nx/webpack@19.8.2 requires path-to-regexp@0.1.10 via a transitive dependency on express@4.21.0
@nx/next@19.8.2 requires path-to-regexp@0.1.10 via a transitive dependency on express@4.21.0
json-server@0.17.4 requires path-to-regexp@0.1.10 via a transitive dependency on express@4.21.0
If decisions haven't been made to remove express, can this be a quick upgrade to fix the alert?
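To see exactly which top-level packages drag express (and with it path-to-regexp) into a project, here is an added example that is not nx project code: it walks an npm package-lock.json the way the dependabot message above does and lists every version of a package installed anywhere in the tree. The lockfile it reads is constructed inline to mirror this thread; on a real project, feed it `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` (pnpm users get the same answer from `pnpm why`).

```javascript
// Added example (not nx project code): trace why a package is in an npm package-lock.json
// ("packages" map, lockfileVersion 2/3). Lockfile below is constructed to mirror the thread.
const sampleLock = {
  packages: {
    "": { dependencies: { "@nx/react": "19.8.2", "@nx/webpack": "19.8.2", "json-server": "0.17.4" } },
    "node_modules/@nx/react": { version: "19.8.2", dependencies: { express: "^4.19.2" } },
    "node_modules/@nx/webpack": { version: "19.8.2", dependencies: { express: "^4.19.2" } },
    "node_modules/json-server": { version: "0.17.4", dependencies: { express: "^4.17.1" } },
    "node_modules/express": { version: "4.21.0", dependencies: { "path-to-regexp": "0.1.10" } },
    "node_modules/path-to-regexp": { version: "0.1.10" },
    "node_modules/json-server/node_modules/express": { version: "4.18.2", dependencies: { "path-to-regexp": "0.1.7" } }, // constructed nested, older copy
    "node_modules/json-server/node_modules/path-to-regexp": { version: "0.1.7" },
  },
};
// Resolve `name` required from `fromPath`: nested node_modules first, then walk up (Node's order).
function resolveDep(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const up = dir.lastIndexOf("/node_modules/");
    dir = up === -1 ? "" : dir.slice(0, up);
  }
}
// Every chain root > ... > target as "name@version" steps (what `npm ls --all` shows).
function whyPackage(lock, target) {
  const { packages } = lock;
  const label = (p) => `${p.slice(p.lastIndexOf("node_modules/") + 13)}@${packages[p].version}`;
  const chains = [];
  function walk(path, trail, onStack) {
    if (onStack.has(path)) return; // cycle guard: lockfiles may contain dependency cycles
    onStack.add(path);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const next = resolveDep(packages, path, dep);
      if (!next) continue;
      if (dep === target) chains.push([...trail, label(next)].join(" > "));
      else walk(next, [...trail, label(next)], onStack);
    }
    onStack.delete(path);
  }
  walk("", ["(root)"], new Set());
  return chains;
}
// Distinct versions of `name` anywhere in the tree, so a bump can be confirmed for every copy.
function installedVersions(lock, name) {
  const found = Object.keys(lock.packages).filter((p) => p.endsWith("node_modules/" + name));
  return [...new Set(found.map((p) => lock.packages[p].version))].sort();
}
console.log(whyPackage(sampleLock, "path-to-regexp").join("\n"), installedVersions(sampleLock, "express"));
```

A nested copy (json-server's express@4.18.2 in the constructed data) is exactly the case a top-level `npm ls express` can hide, which is why the version check looks at every path.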
Current Behavior
Our pipelines are failing due to the vulnerability issue caused by the library path-to-regexp. Although nx is not using this library, it is used inside of express, so this is the library that needs a bump. The following nx packages are using the wrong version of express. The latest version is 4.20.0, which contains the necessary bump to avoid the vulnerability.
Expected Behavior
Express should have the latest version, which is 4.20.0.
GitHub Repo
No response
Steps to Reproduce
No step
Nx Report
Failure Logs
No response
Package Manager Version
No response
Operating System
Additional Information
No response