
How to fix Express.js and @nestjs/core vulnerabilities in a fresh NestJS project without introducing breaking changes?


I've just initiated a new project with NestJS and upon running npm audit, I encountered some moderate severity vulnerabilities related to both express and @nestjs/core.

The vulnerabilities are:

Here are the relevant parts of the npm audit output:

@nestjs/core  <9.0.5
Severity: moderate
fix available via `npm audit fix --force`
Will install @nestjs/[email protected], which is a breaking change
node_modules/@nestjs/core
  @nestjs/testing  <=9.0.0-next.2
  Depends on vulnerable versions of @nestjs/core
  node_modules/@nestjs/testing

express  <4.19.2
Severity: moderate
No fix available
node_modules/express
  @nestjs/platform-express  *
  Depends on vulnerable versions of express
  node_modules/@nestjs/platform-express

For @nestjs/core, running npm audit fix --force will install @nestjs/[email protected], introducing a potential breaking change. Additionally, there appears to be no fix available for the Express.js vulnerability.

  • How can I fix these vulnerabilities without the risk of introducing breaking changes due to forced updates?

  • Is there a way to patch these security issues while maintaining my current versions, or is upgrading the only option?

  • How critical is it to address these vulnerabilities immediately in the context of a new development environment?

Any assistance or recommendations on managing these vulnerabilities without compromising the stability of the application would be immensely helpful.


Solution

  • TL;DR: Use overrides to override the nested dependency.


    As the message says, the Express team patched express in version 4.19.2 of the package. If you are using express directly, update it to version 4.19.2 or higher.

    If your dependencies (namely, @nestjs/platform-express) use unpatched express, you must override the nested dependency using npm's overrides field (available since npm CLI version 8.13.0). Keep in mind that once the NestJS team updates @nestjs/platform-express by using the patched version of express, you should remove the override.

    1. Install the patched version of express:
    npm install [email protected]
    
    2. Add the override instruction in package.json:
    {
      "name": "my-package",
      "dependencies": {
        "express": "4.19.2"
      },
      "overrides": {
        "express": "$express"
      }
    }
    
    3. Reinstall dependencies, for them to pick up the changes:
    npm ci
    # or `npm install` if you don't have the lockfile; consider using a lockfile
    

    You can then run npm ls express to see the dependency tree.


    If you are using express directly in your package and you don't want to mix the express that you use with the express that your dependencies use, consider installing the patched version under an alias:

    npm install express-patched-CVE-2024-29041@npm:[email protected]
    #           { alias                      }     { known package name and version }
    
    {
      "name": "my-package",
      "dependencies": {
        "express": "3.1415926",
        "express-patched-CVE-2024-29041": "npm:[email protected]"
      },
      "overrides": {
        "@nestjs/platform-express": {
          "express": "$express-patched-CVE-2024-29041"
        }
      }
    }