Update dependency express to v4.20.0

7fb7d90
Open

Update dependency express to v4.20.0 #10

Staging - WhiteSource for GitHub.com / Mend Security Check failed Apr 8, 2026 in 8m 34s

Security Report

You have successfully remediated 39 vulnerabilities, but introduced 7 new vulnerabilities in this branch.

❌ New vulnerabilities:

Vulnerability Severity CVSS Score Vulnerable Library Direct Library Suggested Fix Issue Reachability
CVE-2026-4867

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> express-4.20.0.tgz (Root Library)

   -> ❌ path-to-regexp-0.1.10.tgz (Vulnerable Library)

High 7.5 Transitive path-to-regexp-0.1.10.tgz express-4.20.0.tgz None

Reachable

CVE-2024-52798

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> express-4.20.0.tgz (Root Library)

   -> ❌ path-to-regexp-0.1.10.tgz (Vulnerable Library)

High 7.5 Transitive path-to-regexp-0.1.10.tgz express-4.20.0.tgz Transitive path-to-regexp - 0.1.12 None

Reachable

CVE-2024-47764

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> express-4.20.0.tgz (Root Library)

   -> ❌ cookie-0.6.0.tgz (Vulnerable Library)

Medium 5.3 Transitive cookie-0.6.0.tgz express-4.20.0.tgz Transitive cookie - 0.7.0 None

Reachable

CVE-2026-2391

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> express-4.20.0.tgz (Root Library)

   -> ❌ qs-6.11.0.tgz (Vulnerable Library)

Low 3.7 Transitive qs-6.11.0.tgz express-4.20.0.tgz Transitive 6.14.2 None

Reachable

CVE-2026-2391

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> body-parser-1.20.3.tgz (Root Library)

   -> ❌ qs-6.13.0.tgz (Vulnerable Library)

Low 3.7 Transitive qs-6.13.0.tgz body-parser-1.20.3.tgz Transitive 6.14.2 None

Reachable

CVE-2025-15284

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> express-4.20.0.tgz (Root Library)

   -> ❌ qs-6.11.0.tgz (Vulnerable Library)

Low 3.7 Transitive qs-6.11.0.tgz express-4.20.0.tgz None

Reachable

CVE-2025-15284

Path to dependency file: /NodeGoat/package.json

Path to vulnerable library: /NodeGoat/package.json

Dependency Hierarchy:

-> body-parser-1.20.3.tgz (Root Library)

   -> ❌ qs-6.13.0.tgz (Vulnerable Library)

Low 3.7 Transitive qs-6.13.0.tgz body-parser-1.20.3.tgz None

Reachable

✔️ Remediated vulnerabilities:

Vulnerability Vulnerable Library
CVE-2020-25649 jackson-databind-2.9.10.4.jar
CVE-2025-15284 qs-6.5.2.tgz
CVE-2020-35490 jackson-databind-2.9.10.4.jar
CVE-2020-36187 jackson-databind-2.9.10.4.jar
CVE-2022-42004 jackson-databind-2.9.10.4.jar
CVE-2020-14062 jackson-databind-2.9.10.4.jar
CVE-2020-36181 jackson-databind-2.9.10.4.jar
CVE-2020-36184 jackson-databind-2.9.10.4.jar
CVE-2020-24616 jackson-databind-2.9.10.4.jar
CVE-2026-2391 qs-6.5.2.tgz
CVE-2026-4867 path-to-regexp-0.1.7.tgz
CVE-2020-36183 jackson-databind-2.9.10.4.jar
CVE-2020-35491 jackson-databind-2.9.10.4.jar
CVE-2020-14061 jackson-databind-2.9.10.4.jar
CVE-2020-11022 jquery-1.11.2.min.js
CVE-2022-24999 qs-6.5.2.tgz
CVE-2020-36179 jackson-databind-2.9.10.4.jar
CVE-2020-36189 jackson-databind-2.9.10.4.jar
CVE-2020-36188 jackson-databind-2.9.10.4.jar
CVE-2017-16137 debug-2.2.0.tgz
CVE-2020-36185 jackson-databind-2.9.10.4.jar
CVE-2020-36182 jackson-databind-2.9.10.4.jar
CVE-2020-14060 jackson-databind-2.9.10.4.jar
CVE-2020-11023 jquery-1.11.2.min.js
CVE-2021-20190 jackson-databind-2.9.10.4.jar
CVE-2020-35728 jackson-databind-2.9.10.4.jar
CVE-2020-14195 jackson-databind-2.9.10.4.jar
CVE-2024-45296 path-to-regexp-0.1.7.tgz
CVE-2019-11358 jquery-1.11.2.min.js
CVE-2015-9251 jquery-1.11.2.min.js
CVE-2022-42003 jackson-databind-2.9.10.4.jar
CVE-2024-45590 body-parser-1.18.3.tgz
CVE-2020-24750 jackson-databind-2.9.10.4.jar
CVE-2020-36180 jackson-databind-2.9.10.4.jar
CVE-2024-43800 serve-static-1.13.2.tgz
CVE-2022-22971 spring-messaging-4.3.7.RELEASE.jar
CVE-2024-43796 express-4.16.4.tgz
CVE-2024-52798 path-to-regexp-0.1.7.tgz
CVE-2020-36186 jackson-databind-2.9.10.4.jar

Base branch total remaining vulnerabilities: 150
Base branch commit: null


Total libraries scanned: 428

Scan token: a684e784691748b9a38bb4d00b450d7c