In-place Express update to 4.15.5 still has old forwarded #3432

Closed
JaneCoder opened this issue Sep 27, 2017 · 7 comments
@JaneCoder

Hello, I'm writing to request an update for the dependency proxy-addr to a version, like version 2.0.2, that has the security-patched version of forwarded, 0.1.2, in its dependencies.

Thanks!

@dougwilson
Contributor

The semver range already covers the patched version. Simply upgrading to 4.15.5 will force the new version of the dependency.

@dougwilson
Contributor

The plan is to include proxy-addr 2.0.2 in Express.js 4.16 on Monday Oct 2, but until then installing a fresh Express.js 4.15.5 will drop forwarded 0.1.2 into your tree.

@dougwilson
Contributor

If it helps, here is what the forwarded tree looks like for an install of Express 4.15.5:

$ npm i express
+ [email protected]
added 42 packages in 3.213s

$ npm ls forwarded
express-3432
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

Let me know if there is still something you need or if there is something preventing you from picking up the correct version of forwarded in your installation of 4.15.5, and I'm happy to get you onto the correct version 👍

@dougwilson
Contributor

Ok, so I've been experimenting a bit, and definitely with npm@5 getting a simple command to bump forwarded on a non-clean express install is not straightforward. The only command that actually worked was npm i --no-save [email protected], but that assumes what you actually need to do.

I think that even if this causes the "mime" fix to be delayed, juggling around the dependencies more and getting an Express 4.15.6 that has all semver ranges not allow forwarded < 0.1.2 may be the only ideal way to resolve this for a lot of folks.

@dougwilson dougwilson reopened this Sep 27, 2017
@dougwilson dougwilson changed the title Need updates version of proxy-addr due to forwarded security issue In-place Express update to 4.15.5 still has old forwarded Sep 27, 2017
@dougwilson dougwilson mentioned this issue Sep 27, 2017
@dougwilson
Contributor

This certainly will make me think about bothering with semver ranges at all anymore. Having ranges instead of a specific version adds risk to the install, but it's generally been argued that the trade-off of getting security updates is worth it. This seems to indicate that it really only helps users who don't already have it installed, and the existing user base cannot take advantage of it as easily :(
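The two comments above describe the mechanism behind the paradox: an in-place update keeps a transitive dependency that is already on disk as long as the declared semver range still accepts it, so only a tightened range (or a fresh install) pulls in the patched forwarded. The following script is an added illustration, not code from Express, npm or anyone in this thread. It models that resolution rule with a small semver matcher and walks a constructed dependency tree to flag any copy of forwarded below 0.1.2; the ranges (`~0.1.0`, `~0.1.2`), the proxy-addr version and the "registry" list are constructed for the example and are not the real package metadata.

```javascript
// Added example (not Express or npm code): a minimal semver model of why an
// in-place upgrade can keep an old transitive dependency, plus a tree walker
// that reports every installed copy of a package below a required version.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1, usable as a sort() comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Build a predicate for one clause: "~x.y.z", "^x.y.z", ">=x.y.z", "<x.y.z", "x.y.z".
function clausePredicate(clause) {
  let m;
  if ((m = /^~(\d+\.\d+\.\d+)$/.exec(clause))) {
    const low = m[1];
    const [x, y] = parseVersion(low);
    const high = `${x}.${y + 1}.0`; // tilde: same minor, patch may move up
    return v => compareVersions(v, low) >= 0 && compareVersions(v, high) < 0;
  }
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(clause))) {
    const low = m[1];
    const [x, y, z] = parseVersion(low);
    // caret: leftmost non-zero component is fixed
    const high = x > 0 ? `${x + 1}.0.0` : y > 0 ? `0.${y + 1}.0` : `0.0.${z + 1}`;
    return v => compareVersions(v, low) >= 0 && compareVersions(v, high) < 0;
  }
  if ((m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(clause))) {
    const op = m[1] || '=', base = m[2];
    return v => {
      const c = compareVersions(v, base);
      if (op === '>=') return c >= 0;
      if (op === '<=') return c <= 0;
      if (op === '>') return c > 0;
      if (op === '<') return c < 0;
      return c === 0;
    };
  }
  throw new Error(`unsupported range clause: ${clause}`);
}

// Space-separated clauses are ANDed, e.g. ">=0.1.2 <0.2.0".
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(c => clausePredicate(c)(version));
}

// In-place rule: keep what is installed if the range still accepts it,
// otherwise take the newest version the range allows from `available`.
function resolve(installed, range, available) {
  if (installed && satisfies(installed, range)) return installed;
  const ok = available.filter(v => satisfies(v, range)).sort(compareVersions);
  if (ok.length === 0) throw new Error(`nothing in registry matches ${range}`);
  return ok[ok.length - 1];
}

// Walk {name, version, dependencies: {...}} and return every path at which
// `pkg` sits below `minVersion` (the audit a defender wants after an advisory).
function findBelow(tree, pkg, minVersion, path = []) {
  const here = [...path, `${tree.name}@${tree.version}`];
  const hits = [];
  if (tree.name === pkg && compareVersions(tree.version, minVersion) < 0) hits.push(here.join(' > '));
  for (const child of Object.values(tree.dependencies || {})) {
    hits.push(...findBelow(child, pkg, minVersion, here));
  }
  return hits;
}

// Constructed scenario (not real registry data): forwarded 0.1.0 is already
// on disk, and 0.1.2 is the newest release.
const REGISTRY = ['0.1.0', '0.1.1', '0.1.2'];
const OLD_RANGE = '~0.1.0'; // hypothetical range that still accepts 0.1.0
const NEW_RANGE = '~0.1.2'; // hypothetical tightened range

function demo() {
  return {
    inPlaceOldRange: resolve('0.1.0', OLD_RANGE, REGISTRY), // stays on 0.1.0
    inPlaceNewRange: resolve('0.1.0', NEW_RANGE, REGISTRY), // forced to 0.1.2
    freshOldRange: resolve(null, OLD_RANGE, REGISTRY),      // fresh install gets 0.1.2
  };
}

// Constructed tree; the proxy-addr version here is illustrative only.
const SAMPLE_TREE = { name: 'app', version: '1.0.0', dependencies: {
  express: { name: 'express', version: '4.15.5', dependencies: {
    'proxy-addr': { name: 'proxy-addr', version: '1.1.5', dependencies: {
      forwarded: { name: 'forwarded', version: '0.1.0', dependencies: {} } } } } } } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(findBelow(SAMPLE_TREE, 'forwarded', '0.1.2'));
}
```

Running the file prints the three resolution outcomes and the one stale path in the sample tree. The point the script makes is the same as the thread's: with the old range an in-place update resolves to the version already installed, while a fresh install or a tightened range lands on 0.1.2, which is why the walker (or `npm ls forwarded` on a real tree) is the check to run rather than trusting that the Express bump alone replaced the transitive copy.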

@JaneCoder
Author

Yes, that is an interesting paradox. Thank you so much for your help.
You rock, digging into it like this. Sorry I did not get back to you sooner.

@dougwilson dougwilson added this to the 4.16 milestone Sep 28, 2017
@dougwilson
Contributor

Express.js 4.16.0 is out now where the forwarded ranges don't include anything below 0.1.2 🎉

@expressjs expressjs locked as resolved and limited conversation to collaborators Jun 25, 2019