Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
Vulnerable dependency send < 19.0 being pulled in via express@4.17.21. Please consider updating package.json and package-lock.json to specify a version of at least "@types/express": "^4.21.0" for express to mitigate the possibility of the vulnerable transitive dependency.
├─┬ jwks-rsa@3.1.0
│ ├─┬ @types/express@4.17.21
│ │ ├─┬ @types/body-parser@1.19.5
│ │ │ ├─┬ @types/connect@3.4.38
│ │ │ │ └── @types/node@22.5.5 deduped
│ │ │ └── @types/node@22.5.5 deduped
│ │ ├─┬ @types/express-serve-static-core@4.19.5
│ │ │ ├── @types/node@22.5.5 deduped
│ │ │ ├── @types/qs@6.9.16 deduped
│ │ │ ├── @types/range-parser@1.2.7
│ │ │ └─┬ @types/send@0.17.4 Here
│ │ │   ├── @types/mime@1.3.5
│ │ │   └── @types/node@22.5.5 deduped
│ │ ├── @types/qs@6.9.16
│ │ └─┬ @types/serve-static@1.15.7
│ │   ├── @types/http-errors@2.0.4
│ │   ├── @types/node@22.5.5 deduped
│ │   └── @types/send@0.17.4 deduped Here
Reproduction
Scan installed project with dependency-check. Review results.
Additional context
Please consider updating express-serve-static-core and serve-static to current versions to mitigate this vulnerable dependency.
https://www.npmjs.com/package/send
jwks-rsa version
3.1.0
Node.js version
18.20.3
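The reproduction step above relies on an external scanner and then reading its output by hand. The following is an added example, not part of the issue and not code from jwks-rsa or Auth0: a small Node.js script that reads the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and prints every dependency chain from the project root down to a named package whose version is below a chosen minimum, so a flagged transitive package can be traced back to the direct dependency that pulls it in. The lock-file object embedded below is constructed to mirror the tree in the report; the version ranges in it, the root project name "my-app" and the "0.18.0" threshold passed at the bottom are assumptions for illustration, not values taken from the report or from any advisory.

```javascript
// Added example, not code from jwks-rsa or from the issue author.
// Traces chains from the root of a package-lock.json "packages" map to any
// occurrence of a target package below a minimum version.

// CONSTRUCTED lock-file fragment modelled on the tree in the report. Ranges,
// the root name and versions of leaf packages are illustrative assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0", dependencies: { "jwks-rsa": "^3.1.0" } },
    "node_modules/jwks-rsa": { version: "3.1.0", dependencies: { "@types/express": "^4.17.21" } },
    "node_modules/@types/express": {
      version: "4.17.21",
      dependencies: {
        "@types/body-parser": "*", "@types/express-serve-static-core": "^4.17.33",
        "@types/qs": "*", "@types/serve-static": "*",
      },
    },
    "node_modules/@types/body-parser": { version: "1.19.5", dependencies: { "@types/connect": "*", "@types/node": "*" } },
    "node_modules/@types/connect": { version: "3.4.38", dependencies: { "@types/node": "*" } },
    "node_modules/@types/express-serve-static-core": {
      version: "4.19.5",
      dependencies: { "@types/node": "*", "@types/qs": "*", "@types/range-parser": "*", "@types/send": "*" },
    },
    "node_modules/@types/serve-static": {
      version: "1.15.7",
      dependencies: { "@types/http-errors": "*", "@types/node": "*", "@types/send": "*" },
    },
    "node_modules/@types/send": { version: "0.17.4", dependencies: { "@types/mime": "^1", "@types/node": "*" } },
    "node_modules/@types/mime": { version: "1.3.5" },
    "node_modules/@types/http-errors": { version: "2.0.4" },
    "node_modules/@types/range-parser": { version: "1.2.7" },
    "node_modules/@types/qs": { version: "6.9.16" },
    "node_modules/@types/node": { version: "22.5.5" },
  },
};

// "1.2.3-beta" -> [1, 2, 3]; missing or non-numeric parts count as 0.
function parseVersion(v) {
  const parts = String(v).split(".").slice(0, 3).map((p) => parseInt(p, 10) || 0);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Returns -1, 0 or 1 like a comparator; enough for major.minor.patch checks.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm's lookup rule: try the nearest nested node_modules first, then walk up
// towards the top-level node_modules directory. Returns the lock-file key
// of the resolved package, or null if the lock file has no entry for it.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lock-file key such as "node_modules/@types/send".
function nameOf(packages, path) {
  if (path === "") return (packages[""] && packages[""].name) || "root";
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Depth-first walk over "dependencies". Every distinct path to the target is
// reported separately, which is what npm shows as "deduped" entries in npm ls.
// Each chain is an array of "name@version" labels from the root to the target.
function findChains(lock, targetName, belowVersion) {
  const packages = lock.packages || {};
  const chains = [];
  function walk(path, chain, onPath) {
    const entry = packages[path];
    const next = chain.concat(`${nameOf(packages, path)}@${entry.version}`);
    if (path !== "" && nameOf(packages, path) === targetName &&
        compareVersions(entry.version, belowVersion) < 0) {
      chains.push(next);
    }
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (depPath === null || onPath.has(depPath)) continue; // missing entry or cycle
      onPath.add(depPath);
      walk(depPath, next, onPath);
      onPath.delete(depPath);
    }
  }
  walk("", [], new Set([""]));
  return chains;
}

function formatChain(chain) {
  return chain.join(" > ");
}

// Usage on the constructed sample; threshold "0.18.0" is an assumption.
for (const chain of findChains(SAMPLE_LOCK, "@types/send", "0.18.0")) {
  console.log(formatChain(chain));
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json and pass the package name and minimum version that the scanner reported. The output names the direct dependency at the head of each chain, which is the package.json entry that actually needs bumping or overriding.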