From 02762acdca5412565acb89fb5b985fb5453347e1 Mon Sep 17 00:00:00 2001
From: Jane Chu <7559015+janechu@users.noreply.github.com>
Date: Fri, 19 Jul 2024 09:16:29 -0700
Subject: [PATCH] Fix a dependency issue with express open redirect vulnerability (#7003)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Pull Request

## 📖 Description

This fixes a vulnerability with express for open redirects.

## 👩‍💻 Reviewer Notes

The SSR test site is not exposed publicly, nevertheless to close out some vulnerability alerts this change was made.

## ✅ Checklist

### General

- [ ] I have included a change request file using `$ npm run change`
- [ ] I have added tests for my changes.
- [x] I have tested my changes.
- [ ] I have updated the project documentation to reflect my changes.
- [x] I have read the [CONTRIBUTING](https://github.com/microsoft/fast/blob/master/CONTRIBUTING.md) documentation and followed the [standards](https://github.com/microsoft/fast/blob/master/CODE_OF_CONDUCT.md#our-standards) for this project.
---
...-8176173d-9744-4690-9420-c31966e0b3b6.json | 7 +++++
examples/ssr/package.json | 2 +-
package-lock.json | 31 ++++++++++---------
packages/web-components/fast-ssr/package.json | 4 +--
4 files changed, 26 insertions(+), 18 deletions(-)
create mode 100644 change/@microsoft-fast-ssr-8176173d-9744-4690-9420-c31966e0b3b6.json

diff --git a/change/@microsoft-fast-ssr-8176173d-9744-4690-9420-c31966e0b3b6.json b/change/@microsoft-fast-ssr-8176173d-9744-4690-9420-c31966e0b3b6.json
new file mode 100644
index 00000000000..9d14c6ee303
--- /dev/null
+++ b/change/@microsoft-fast-ssr-8176173d-9744-4690-9420-c31966e0b3b6.json
@@ -0,0 +1,7 @@
+{
+ "type": "none",
+ "comment": "Fix a dependency issue with express open redirect vulnerability",
+ "packageName": "@microsoft/fast-ssr",
+ "email": "7559015+janechu@users.noreply.github.com",
+ "dependentChangeType": "none"
+}
diff --git a/examples/ssr/package.json b/examples/ssr/package.json
index 1c4f55177ea..106a14ef8f4 100644
--- a/examples/ssr/package.json
+++ b/examples/ssr/package.json
@@ -26,7 +26,7 @@
 "@microsoft/fast-element": "^2.0.0-beta.26",
 "@microsoft/fast-foundation": "^3.0.0-alpha.33",
 "@microsoft/fast-ssr": "^1.0.0-beta.33",
- "express": "^4.18.1",
+ "express": "^4.19.2",
 "fast-todo-app": "1.0.0",
 "ts-loader": "^9.3.0",
 "tslib": "^2.6.3",
diff --git a/package-lock.json b/package-lock.json
index c8b7e1b200d..7f462a04ca6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -55,7 +55,7 @@
 "@microsoft/fast-element": "^2.0.0-beta.26",
 "@microsoft/fast-foundation": "^3.0.0-alpha.33",
 "@microsoft/fast-ssr": "^1.0.0-beta.33",
- "express": "^4.18.1",
+ "express": "^4.19.2",
 "fast-todo-app": "1.0.0",
 "ts-loader": "^9.3.0",
 "tslib": "^2.6.3",
@@ -17134,10 +17134,9 @@
 }
 },
 "node_modules/jsonwebtoken": {
- "version": "8.5.1",
- "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz",
- "integrity": "sha512-XjwVfRS6jTMsqYs0EsuJ4LGxXV14zQybNd4L2r0UvbVnSF9Af8x7p5MzbJ90Ioz/9TI41/hTCvznF/loiSzn8w==",
- "dev": true,
+ "version": "9.0.2",
+ "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.2.tgz",
+ "integrity": "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==",
 "dependencies": {
 "jws": "^3.2.2",
 "lodash.includes": "^4.3.0",
@@ -17148,20 +17147,22 @@
 "lodash.isstring": "^4.0.1",
 "lodash.once": "^4.0.0",
 "ms": "^2.1.1",
- "semver": "^5.6.0"
+ "semver": "^7.5.4"
 },
 "engines": {
- "node": ">=4",
- "npm": ">=1.4.28"
+ "node": ">=12",
+ "npm": ">=6"
 }
 },
 "node_modules/jsonwebtoken/node_modules/semver": {
- "version": "5.7.2",
- "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
- "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==",
- "dev": true,
+ "version": "7.6.2",
+ "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.2.tgz",
+ "integrity": "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w==",
 "bin": {
- "semver": "bin/semver"
+ "semver": "bin/semver.js"
+ },
+ "engines": {
+ "node": ">=10"
 }
 },
 "node_modules/jstat": {
@@ -31248,9 +31249,9 @@
 "@microsoft/fast-element": "^2.0.0-beta.26",
 "@microsoft/fast-foundation": "^3.0.0-alpha.33",
 "@playwright/test": "^1.41.2",
- "@types/express": "^4.17.13",
+ "@types/express": "^4.17.21",
 "@types/node": "^17.0.17",
- "express": "^4.17.1",
+ "express": "^4.19.2",
 "typescript": "~5.3.0"
 },
 "peerDependencies": {
diff --git a/packages/web-components/fast-ssr/package.json b/packages/web-components/fast-ssr/package.json
index c3125302df2..1e4aff2610f 100644
--- a/packages/web-components/fast-ssr/package.json
+++ b/packages/web-components/fast-ssr/package.json
@@ -63,9 +63,9 @@
 "@microsoft/fast-foundation": "^3.0.0-alpha.33",
 "@microsoft/api-extractor": "^7.47.0",
 "@playwright/test": "^1.41.2",
- "@types/express": "^4.17.13",
+ "@types/express": "^4.17.21",
 "@types/node": "^17.0.17",
- "express": "^4.17.1",
+ "express": "^4.19.2",
 "typescript": "~5.3.0"
 }
 }