pillarjs / send

Streaming static file server with Range and conditional-GET support
MIT License
796 stars 188 forks

Updating to version 0.19.0 tries to install old webpack-dev-server version #239

Open jrtsnabc opened 6 days ago

jrtsnabc commented 6 days ago

When running npm audit fix to fix the send < 0.19.0 vulnerability, I get a message saying the fix can't be done because it will install a (very) old version of webpack-dev-server, which is a breaking change.

The latest version of webpack-dev-server is 5.1.0, and my product is on 4.15.2. To fix the send vulnerability, webpack-dev-server version 1.2.9 would be installed.

npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix --force
Will install webpack-dev-server@1.2.9, which is a breaking change
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static
    express  4.0.0-rc1 - 5.0.0-beta.3
    Depends on vulnerable versions of serve-static
    node_modules/express
      webpack-dev-server  >=1.3.0
      Depends on vulnerable versions of express
      node_modules/webpack-dev-server

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Forcing a fix installs the old version of webpack-dev-server, and creates 18 vulnerabilities, 4 of which are critical, and 12 high:

18 vulnerabilities (2 moderate, 12 high, 4 critical)

Maybe I'm missing a step?
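The audit chain above (send is reachable only through serve-static, express and webpack-dev-server, so npm audit fix can satisfy the advisory only by downgrading webpack-dev-server below 1.3.0) can be resolved without that downgrade by pinning the transitive send dependency with npm's overrides field. The package.json below is an added, constructed example and is not from pillarjs/send or the issue author; "my-app" and the webpack-dev-server pin are placeholders, only the send version comes from the audit report, and it assumes an npm version that supports overrides (npm 8.3 or later):

```json
{
  "name": "my-app",
  "version": "1.0.0",
  "private": true,
  "//": "Constructed example. 'my-app' and the devDependency range are placeholders; ^0.19.0 is the patched send version named in the npm audit report.",
  "devDependencies": {
    "webpack-dev-server": "^4.15.2"
  },
  "overrides": {
    "send": "^0.19.0"
  }
}
```

A top-level override applies to every copy of send in the tree, including the one nested under node_modules/serve-static, so after `npm install` the advisory clears and webpack-dev-server stays on its current major. The caveat is that the override forces a send version outside the range serve-static itself declares, so run the dev server once to confirm static files and redirects still behave, and remove the override as soon as serve-static and express publish releases that depend on send 0.19.0 or later, since a stale override silently blocks future dependency updates.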

jrtsnabc commented 5 days ago

I actually think this may be an issue with serve-static, and not send.