I've just initiated a new project with NestJS and upon running `npm audit`, I encountered some moderate severity vulnerabilities related to both `express` and `@nestjs/core`.
The vulnerabilities are:
Express.js Open Redirect in malformed URLs - GHSA-rv95-896h-c2vc
@nestjs/core Information Exposure via StreamableFile pipe - GHSA-4jpv-8r57-pv7j
Here are the relevant parts of the `npm audit` output:
```text
@nestjs/core <9.0.5
Severity: moderate
fix available via `npm audit fix --force`
Will install @nestjs/[email protected], which is a breaking change
node_modules/@nestjs/core
  @nestjs/testing <=9.0.0-next.2
  Depends on vulnerable versions of @nestjs/core
  node_modules/@nestjs/testing

express <4.19.2
Severity: moderate
No fix available
node_modules/express
  @nestjs/platform-express *
  Depends on vulnerable versions of express
  node_modules/@nestjs/platform-express
```
For `@nestjs/core`, running `npm audit fix --force` will install `@nestjs/[email protected]`, introducing a potential breaking change. Additionally, there appears to be no fix available for the Express.js vulnerability.
How can I fix these vulnerabilities without the risk of introducing breaking changes due to forced updates?
Is there a way to patch these security issues while maintaining my current versions, or is upgrading the only option?
How critical is it to address these vulnerabilities immediately in the context of a new development environment?
Any assistance or recommendations on managing these vulnerabilities without compromising the stability of the application would be immensely helpful.
TL;DR: Use `overrides` to override the nested dependency.
As the message says, the Express team patched `express` in version 4.19.2 of the package. If you are using `express` directly, update it to version 4.19.2 or higher.
If your dependencies (namely, `@nestjs/platform-express`) use an unpatched `express`, you must override the nested dependency using npm's `overrides` field (available since npm CLI version 8.13.0). Keep in mind that once the NestJS team updates `@nestjs/platform-express` to use the patched version of `express`, you should remove the override.
`express`:

```shell
npm install express@4.19.2
```

```json
{
  "name": "my-package",
  "dependencies": {
    "express": "4.19.2"
  },
  "overrides": {
    "express": "$express"
  }
}
```

```shell
npm ci
# or `npm install` if you don't have the lockfile; consider using a lockfile
```
You can then run `npm ls express` to see the dependency tree.
If you are using `express` directly in your package and you don't want to mix the `express` that you use with the `express` that your dependencies use, consider installing the patched version under an alias:
```shell
npm install express-patched-CVE-2024-29041@npm:express@4.19.2
#           { alias }                     { known package name and version }
```

```json
{
  "name": "my-package",
  "dependencies": {
    "express": "3.1415926",
    "express-patched-CVE-2024-29041": "npm:express@4.19.2"
  },
  "overrides": {
    "@nestjs/platform-express": {
      "express": "$express-patched-CVE-2024-29041"
    }
  }
}
```
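The answer suggests checking the tree with `npm ls express` by eye. The script below is an added example (not part of the question or the answer) that automates that check: it walks the JSON that `npm ls express --json --all` writes, collects every resolved copy of `express` and reports those still below 4.19.2, so a CI step can fail if an override was dropped or never took effect. The sample tree embedded in it is constructed by hand to mimic the shape of that output; the file name `check-express.js` and the `--all` flag usage are assumptions about how you would wire it in.

```javascript
// Added example: verify that no installed copy of express is older than the
// release that fixes the open redirect (GHSA-rv95-896h-c2vc / CVE-2024-29041).
// Usage (assumed): npm ls express --json --all > tree.json && node check-express.js tree.json
const PATCHED = '4.19.2';

// Compare two dotted numeric versions; returns <0, 0 or >0.
// Prerelease suffixes (e.g. "-next.2") are ignored for this check.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, with the path to it.
function findPackage(tree, name, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = [...path, dep];
    if (dep === name && info.version) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPackage(info, name, here, out);
  }
  return out;
}

// Return the copies of express that are still below the patched version.
function unpatchedExpress(tree) {
  return findPackage(tree, 'express').filter(
    (copy) => compareVersions(copy.version, PATCHED) < 0
  );
}

// Constructed sample: shape of `npm ls express --json --all` before the override,
// where @nestjs/platform-express still pulls in its own, older express.
const SAMPLE_TREE = {
  name: 'my-package',
  dependencies: {
    express: { version: '4.19.2' },
    '@nestjs/platform-express': {
      version: '9.0.0',
      dependencies: { express: { version: '4.18.2' } },
    },
  },
};

// Constructed sample: the same tree after `overrides` replaced the nested copy.
const OVERRIDDEN_TREE = {
  name: 'my-package',
  dependencies: {
    express: { version: '4.19.2' },
    '@nestjs/platform-express': {
      version: '9.0.0',
      dependencies: { express: { version: '4.19.2' } },
    },
  },
};

// When run directly with a file argument, check a real `npm ls` dump and
// exit non-zero if an unpatched copy is found (suitable for a CI step).
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const tree = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const bad = unpatchedExpress(tree);
  for (const copy of bad) {
    console.error(`unpatched express ${copy.version} at ${copy.path}`);
  }
  process.exit(bad.length === 0 ? 0 : 1);
}
```

On the constructed pre-override tree the script reports the nested `@nestjs/platform-express > express` copy at 4.18.2; on the overridden tree it reports nothing and exits 0, which is the state you want after `npm ci`.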