From b3dd801adb1b57fa23b7c7af9bc773c789b2456d Mon Sep 17 00:00:00 2001 From: Chase Naples Date: Wed, 17 Sep 2025 08:33:03 -0400 Subject: [PATCH 1/4] rush-serve-plugin: bump express to 4.21.1 to address vulnerabilities\n\n- Update dependency in rush-serve-plugin/package.json\n- Add Rush change file (patch) for @rushstack/rush-serve-plugin\n\nFixes microsoft/rushstack#5327 --- .../rush-serve-plugin/express-4-21-bump.json | 11 +++++++++++ rush-plugins/rush-serve-plugin/package.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json diff --git a/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json new file mode 100644 index 00000000000..782d095131d --- /dev/null +++ b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json @@ -0,0 +1,11 @@ +{ + "changes": [ + { + "comment": "Bump \"express\" to 4.21.1 to address reported vulnerabilities in 4.20.0.", + "type": "patch", + "packageName": "@rushstack/rush-serve-plugin" + } + ], + "packageName": "@rushstack/rush-serve-plugin", + "email": "cnaples79@users.noreply.github.com" +} diff --git a/rush-plugins/rush-serve-plugin/package.json b/rush-plugins/rush-serve-plugin/package.json index f684f5b5f86..7b076109926 100644 --- a/rush-plugins/rush-serve-plugin/package.json +++ b/rush-plugins/rush-serve-plugin/package.json @@ -24,7 +24,7 @@ "@rushstack/ts-command-line": "workspace:*", "compression": "~1.7.4", "cors": "~2.8.5", - "express": "4.20.0", + "express": "4.21.1", "http2-express-bridge": "~1.0.7", "ws": "~8.14.1" }, From 9958ebf721a30c712365e175289ff51793263df0 Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Thu, 18 Sep 2025 12:00:03 -0700 Subject: [PATCH 2/4] Update changefile. --- .../changes/@rushstack/rush-serve-plugin/express-4-21-bump.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json index 782d095131d..cffa8918b56 100644 --- a/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json +++ b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json @@ -3,7 +3,7 @@ { "comment": "Bump \"express\" to 4.21.1 to address reported vulnerabilities in 4.20.0.", "type": "patch", - "packageName": "@rushstack/rush-serve-plugin" + "packageName": "@microsoft/rush" } ], "packageName": "@rushstack/rush-serve-plugin", From a835b281669eab391dc3a02fe6beaae97d0adfdf Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Thu, 18 Sep 2025 12:00:15 -0700 Subject: [PATCH 3/4] Update changefile. --- .../changes/@rushstack/rush-serve-plugin/express-4-21-bump.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json index cffa8918b56..bd297dd2c0d 100644 --- a/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json +++ b/common/changes/@rushstack/rush-serve-plugin/express-4-21-bump.json @@ -2,7 +2,7 @@ "changes": [ { "comment": "Bump \"express\" to 4.21.1 to address reported vulnerabilities in 4.20.0.", - "type": "patch", + "type": "none", "packageName": "@microsoft/rush" } ], From f5cd24caa6d527bc90fe0155b32cdf0788927d12 Mon Sep 17 00:00:00 2001 From: Ian Clanton-Thuon Date: Sun, 28 Sep 2025 14:19:12 +0200 Subject: [PATCH 4/4] Bump version in lockfile explorer. --- apps/lockfile-explorer/package.json | 2 +- ...h-serve-express-bump_2025-09-28-12-18.json | 10 +++ .../config/subspaces/default/pnpm-lock.yaml | 76 ++++++++----------- .../config/subspaces/default/repo-state.json | 2 +- 4 files changed, 42 insertions(+), 48 deletions(-) create mode 100644 common/changes/@rushstack/lockfile-explorer/fix-rush-serve-express-bump_2025-09-28-12-18.json diff --git a/apps/lockfile-explorer/package.json b/apps/lockfile-explorer/package.json index 62e03b0be7f..08e933a32d2 100644 --- a/apps/lockfile-explorer/package.json +++ b/apps/lockfile-explorer/package.json @@ -68,7 +68,7 @@ "@rushstack/terminal": "workspace:*", "@rushstack/ts-command-line": "workspace:*", "cors": "~2.8.5", - "express": "4.20.0", + "express": "4.21.1", "js-yaml": "~4.1.0", "open": "~8.4.0", "semver": "~7.5.4", diff --git a/common/changes/@rushstack/lockfile-explorer/fix-rush-serve-express-bump_2025-09-28-12-18.json b/common/changes/@rushstack/lockfile-explorer/fix-rush-serve-express-bump_2025-09-28-12-18.json new file mode 100644 index 00000000000..3b4b15dacaf --- /dev/null +++ b/common/changes/@rushstack/lockfile-explorer/fix-rush-serve-express-bump_2025-09-28-12-18.json @@ -0,0 +1,10 @@ +{ + "changes": [ + { + "packageName": "@rushstack/lockfile-explorer", + "comment": "Bump \"express\" to 4.21.1 to address reported vulnerabilities in 4.20.0.", + "type": "patch" + } + ], + "packageName": "@rushstack/lockfile-explorer" +} \ No newline at end of file diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index 834d96fe91a..3a3593e7ad2 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -215,8 +215,8 @@ importers: specifier: ~2.8.5 version: 2.8.5 express: - specifier: 4.20.0 - version: 4.20.0 + specifier: 4.21.1 + version: 4.21.1 js-yaml: specifier: ~4.1.0 version: 4.1.0 @@ -4634,8 +4634,8 @@ importers: specifier: ~2.8.5 version: 2.8.5 express: - specifier: 4.20.0 - version: 4.20.0 + specifier: 4.21.1 + version: 4.21.1 http2-express-bridge: specifier: ~1.0.7 version: 1.0.7(@types/express@4.17.21) @@ -11724,7 +11724,7 @@ packages: detect-port-alt: 1.1.6 esbuild: 0.14.54 esbuild-runner: 2.2.2(esbuild@0.14.54) - express: 4.20.0 + express: 4.21.1 fs-extra: 9.1.0 remeda: 0.0.32 source-map-support: 0.5.21 @@ -11765,7 +11765,7 @@ packages: dotenv-expand: 5.1.0 esbuild: 0.14.54 escodegen: 2.1.0 - express: 4.20.0 + express: 4.21.1 fs-extra: 9.1.0 immer: 9.0.21 js-yaml: 4.1.0 @@ -12809,7 +12809,7 @@ packages: core-js: 3.36.0 cross-spawn: 7.0.3 envinfo: 7.11.1 - express: 4.20.0 + express: 4.21.1 find-up: 5.0.0 fs-extra: 9.1.0 get-port: 5.1.1 @@ -13011,7 +13011,7 @@ packages: babel-plugin-polyfill-corejs3: 0.1.7(@babel/core@7.20.12) chalk: 4.1.2 core-js: 3.36.0 - express: 4.20.0 + express: 4.21.1 file-system-cache: 1.1.0 find-up: 5.0.0 fork-ts-checker-webpack-plugin: 6.5.3(eslint@9.25.1)(typescript@5.8.2)(webpack@4.47.0) @@ -13087,7 +13087,7 @@ packages: core-js: 3.36.0 cpy: 8.1.2 detect-port: 1.5.1 - express: 4.20.0 + express: 4.21.1 file-system-cache: 1.1.0 fs-extra: 9.1.0 globby: 11.1.0 @@ -13209,7 +13209,7 @@ packages: chalk: 4.1.2 core-js: 3.36.0 css-loader: 3.6.0(webpack@4.47.0) - express: 4.20.0 + express: 4.21.1 file-loader: 6.2.0(webpack@4.47.0) file-system-cache: 1.1.0 find-up: 5.0.0 @@ -17574,8 +17574,8 @@ packages: engines: {node: '>= 0.6'} dev: false - /cookie@0.6.0: - resolution: {integrity: sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==} + /cookie@0.7.1: + resolution: {integrity: sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==} engines: {node: '>= 0.6'} /cookie@0.7.2: @@ -20171,8 +20171,8 @@ packages: express: 5.1.0 dev: false - /express@4.20.0: - resolution: {integrity: sha512-pLdae7I6QqShF5PnNTCVn4hI91Dx0Grkn2+IAsMTgMIKuQVte2dN9PeGSSAME2FR8anOhVA62QDIUaWVfEXVLw==} + /express@4.21.1: + resolution: {integrity: sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==} engines: {node: '>= 0.10.0'} dependencies: accepts: 1.3.8 @@ -20180,14 +20180,14 @@ packages: body-parser: 1.20.3 content-disposition: 0.5.4 content-type: 1.0.5 - cookie: 0.6.0 + cookie: 0.7.1 cookie-signature: 1.0.6 debug: 2.6.9 depd: 2.0.0 encodeurl: 2.0.0 escape-html: 1.0.3 etag: 1.8.1 - finalhandler: 1.2.0 + finalhandler: 1.3.1 fresh: 0.5.2 http-errors: 2.0.0 merge-descriptors: 1.0.3 @@ -20196,11 +20196,11 @@ packages: parseurl: 1.3.3 path-to-regexp: 0.1.10 proxy-addr: 2.0.7 - qs: 6.11.0 + qs: 6.13.0 range-parser: 1.2.1 safe-buffer: 5.2.1 send: 0.19.0 - serve-static: 1.16.0 + serve-static: 1.16.2 setprototypeof: 1.2.0 statuses: 2.0.1 type-is: 1.6.18 @@ -20514,12 +20514,12 @@ packages: dependencies: to-regex-range: 5.0.1 - /finalhandler@1.2.0: - resolution: {integrity: sha512-5uXcUVftlQMFnWC9qu/svkWv3GTd2PfUhK/3PLkYNAe7FbqJMt3515HaxE6eRL74GdsriiwujiawdaB1BpEISg==} + /finalhandler@1.3.1: + resolution: {integrity: sha512-6BN9trH7bp3qvnrRyzsBz+g3lZxTNZTbVO2EV1CS0WIcDbawYVdYvGflME/9QP0h0pYlCDBCTjYa9nZzMDpyxQ==} engines: {node: '>= 0.8'} dependencies: debug: 2.6.9 - encodeurl: 1.0.2 + encodeurl: 2.0.0 escape-html: 1.0.3 on-finished: 2.4.1 parseurl: 1.3.3 @@ -26407,7 +26407,8 @@ packages: resolution: {integrity: sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==} engines: {node: '>=0.6'} dependencies: - side-channel: 1.0.6 + side-channel: 1.1.0 + dev: true /qs@6.12.0: resolution: {integrity: sha512-trVZiI6RMOkO476zLGaBIzszOdFPnCCXHPG9kn0yuS1uz6xdVxPfZdB3vUig9pxPFDM9BRAgz/YUIVQ1/vuiUg==} @@ -27862,24 +27863,6 @@ packages: statuses: 1.5.0 dev: false - /send@0.18.0: - resolution: {integrity: sha512-qqWzuOjSFOuqPjFe4NOsMLafToQQwBSOEpS+FwEt3A2V3vKubTquT3vmLTQpFgMXp8AlFWFuP1qKaJZOtPpVXg==} - engines: {node: '>= 0.8.0'} - dependencies: - debug: 2.6.9 - depd: 2.0.0 - destroy: 1.2.0 - encodeurl: 1.0.2 - escape-html: 1.0.3 - etag: 1.8.1 - fresh: 0.5.2 - http-errors: 2.0.0 - mime: 1.6.0 - ms: 2.1.3 - on-finished: 2.4.1 - range-parser: 1.2.1 - statuses: 2.0.1 - /send@0.19.0: resolution: {integrity: sha512-dW41u5VfLXu8SJh5bwRmyYUbAoSB3c9uQh6L8h/KtsFREPWpbX1lrljJo186Jc4nmci/sGUZ9a0a0J2zgfq2hw==} engines: {node: '>= 0.8.0'} @@ -27963,14 +27946,14 @@ packages: parseurl: 1.3.3 dev: false - /serve-static@1.16.0: - resolution: {integrity: sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==} + /serve-static@1.16.2: + resolution: {integrity: sha512-VqpjJZKadQB/PEbEwvFdO43Ax5dFBZ2UECszz8bQ7pi7wt//PWe1P6MN7eCnjsatYtBT6EuiClbjSWP2WrIoTw==} engines: {node: '>= 0.8.0'} dependencies: - encodeurl: 1.0.2 + encodeurl: 2.0.0 escape-html: 1.0.3 parseurl: 1.3.3 - send: 0.18.0 + send: 0.19.0 /serve-static@2.2.0: resolution: {integrity: sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ==} @@ -28131,6 +28114,7 @@ packages: es-errors: 1.3.0 get-intrinsic: 1.2.4 object-inspect: 1.13.4 + dev: true /side-channel@1.1.0: resolution: {integrity: sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==} @@ -30337,7 +30321,7 @@ packages: compression: 1.7.4 connect-history-api-fallback: 2.0.0 default-gateway: 6.0.3 - express: 4.20.0 + express: 4.21.1 graceful-fs: 4.2.11 html-entities: 2.5.2 http-proxy-middleware: 2.0.6 @@ -30391,7 +30375,7 @@ packages: colorette: 2.0.20 compression: 1.7.4 connect-history-api-fallback: 2.0.0 - express: 4.20.0 + express: 4.21.1 graceful-fs: 4.2.11 html-entities: 2.5.2 http-proxy-middleware: 2.0.6 diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json index bf2c1a8ba42..2167e96174f 100644 --- a/common/config/subspaces/default/repo-state.json +++ b/common/config/subspaces/default/repo-state.json @@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "99186b016ffe5874093a1b9fb71c52c903b86978", + "pnpmShrinkwrapHash": "07641f4e10427e5749da9c164023aa3bc7b4b8ec", "preferredVersionsHash": "61cd419c533464b580f653eb5f5a7e27fe7055ca" }