[rush-serve-plugin] [lockfile-explorer] Upgrade express to 5.1.0 #5350

Closed
cmalonzo wants to merge 3 commits into microsoft:main from cmalonzo:user/cmalonzo/npmaudit/express

@cmalonzo
Contributor

@cmalonzo cmalonzo commented Sep 8, 2025

Summary

Bump express version to 5.1.0, addressing npm audit report vulnerabilities as described in #5327

Details

Details in bug #5327

How it was tested

Testing lockfile-explorer

1. run `rush start` in `apps\lockfile-explorer`

Testing rush-serve-plugins

In progress

Impacted documentation

@dmichon-msft
Contributor

Do we know if this impacts compatibility with http2-express-bridge? Last publish of that package was 4 years ago.

@cmalonzo
Contributor Author

cmalonzo commented Sep 8, 2025

@dmichon-msft The @types/express version didn't need to change with the express bump and it looks like http2-express-bridge only depends on the former. Are there specific debug steps I can take to test this?

@dmichon-msft
Contributor

Temporarily:
Add a dependency on @rushstack/rush-serve-plugin here: https://github.com/microsoft/rushstack/blob/main/apps/rush/package.json
Add a line like this one for rush-serve-plugin:
https://github.com/microsoft/rushstack/blob/fea58ce44fa59872754df9edb51f265b750cfedf/apps/rush/src/start-dev.ts#L31C1-L31C47
rush update
rush build -t rush
Define a file at common/config/rush-plugins/rush-serve-plugin.json with content:

{
  "$schema": "https://developer.microsoft.com/json-schemas/rush/v5/rush-serve-plugin-options.schema.json",
  "phasedCommands": ["start"],
  "portParameterLongName": "--port",
  "globalRouting": [
    {
      "workspaceRelativeFolder": "rush.json",
      "servePath": "/"
    }
  ],
  "buildStatusWebSocketPath": "/ws",
  "logServePath": "/logs"
}

Also add the following entry in the parameters section of common/config/rush/command-line.json:

    {
      "longName": "--port",
      "argumentName": "PORT_NAME",
      "parameterKind": "integer",
      "description": "If specified, Rush will serve files on the specified port.",
      "associatedPhases": [],
      "associatedCommands": ["start"]
    },

Then run node ./apps/rush/lib/start-dev.js start --to module-minifier
Open the localhost link and verify that the path at / loads successfully and reports in the browser as being served via HTTP/2.

@dmichon-msft
Contributor

It appears that this value needs to be updated:

@cmalonzo cmalonzo closed this Sep 8, 2025
@github-project-automation github-project-automation bot moved this from Needs triage to Closed in Bug Triage Sep 8, 2025
@cmalonzo
Contributor Author

cmalonzo commented Sep 8, 2025

Abandoning for an alternative change
