
package vulnerabilities with dependency "path-to-regexp" and "send" #2242

@nirh1989

Hi Team,

I am using "@slack/bolt": "^3.21.2" and getting vulnerabilities notification.

Can you please fix the following vulnerabilities?

```
# npm audit report

path-to-regexp  0.2.0 - 7.2.0
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install @slack/[email protected], which is a breaking change
node_modules/path-to-regexp
  @slack/bolt  *
  Depends on vulnerable versions of express
  Depends on vulnerable versions of path-to-regexp
  node_modules/@slack/bolt

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @slack/[email protected], which is a breaking change
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static
    express  4.0.0-rc1 - 5.0.0-beta.3
    Depends on vulnerable versions of serve-static
    node_modules/express

5 vulnerabilities (3 moderate, 2 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
```

```
npm ls send
myProject
└─┬ @slack/[email protected]
  └─┬ [email protected]
    ├── [email protected]
    └─┬ [email protected]
      └── [email protected]
npm ls path-to-regexp
myProject
└─┬ @slack/[email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  └── [email protected]
```
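The audit output above only names the vulnerable packages and the ranges; the `npm ls` trees show which chains pull them in. The script below is an added example (not part of the issue and not code from the @slack/bolt project) that walks an `npm ls --json`-shaped dependency tree and prints every dependency path that lands on a version inside one of the advisory ranges, so a transitive finding such as `@slack/bolt > express > serve-static > send` can be traced and confirmed before deciding on an override or upgrade. The package names and vulnerable ranges are copied verbatim from the `npm audit` report; the tree shape and all version numbers other than `@slack/bolt` 3.21.2 are constructed sample data, and the helper names (`parseVersion`, `compareVersions`, `inRange`, `findVulnerablePaths`) are this example's own.

```javascript
// Added example: trace dependency paths to vulnerable versions in an
// `npm ls --json`-style tree. Sample tree and versions are constructed
// (only "@slack/bolt": 3.21.2 and the advisory ranges come from the issue).

const sampleTree = {
  name: 'myProject',
  version: '1.0.0',
  dependencies: {
    '@slack/bolt': {
      version: '3.21.2',                          // stated in the issue
      dependencies: {
        express: {
          version: '4.19.2',                      // constructed
          dependencies: {
            'path-to-regexp': { version: '0.1.7' },  // constructed
            send: { version: '0.18.0' },             // constructed
            'serve-static': {
              version: '1.15.0',                     // constructed
              dependencies: { send: { version: '0.18.0' } },
            },
          },
        },
        'path-to-regexp': { version: '6.2.2' },      // constructed
      },
    },
  },
};

// Vulnerable ranges exactly as npm audit printed them in the issue.
const advisories = {
  'path-to-regexp': { range: '0.2.0 - 7.2.0', severity: 'high' },
  send: { range: '<0.19.0', severity: 'moderate' },
  'serve-static': { range: '<=1.16.0', severity: 'moderate' },
  express: { range: '4.0.0-rc1 - 5.0.0-beta.3', severity: 'moderate' },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable form.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// SemVer ordering: numeric parts first; a prerelease sorts below the same
// release; two prereleases are compared identifier by identifier.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const xs = pa.pre.split('.'), ys = pb.pre.split('.');
  for (let i = 0; i < Math.max(xs.length, ys.length); i++) {
    if (xs[i] === undefined) return -1;
    if (ys[i] === undefined) return 1;
    const xn = /^\d+$/.test(xs[i]), yn = /^\d+$/.test(ys[i]);
    if (xn && yn) { if (+xs[i] !== +ys[i]) return +xs[i] < +ys[i] ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;   // numeric identifiers sort first
    else if (xs[i] !== ys[i]) return xs[i] < ys[i] ? -1 : 1;
  }
  return 0;
}

// Supports the two range shapes npm audit printed: an inclusive hyphen range
// "A - B" and a single comparator such as "<0.19.0" or "<=1.16.0".
function inRange(version, range) {
  const hyphen = range.split(' - ');
  if (hyphen.length === 2) {
    return compareVersions(version, hyphen[0]) >= 0 && compareVersions(version, hyphen[1]) <= 0;
  }
  const m = /^(<=|>=|<|>|=)?\s*(\S+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  switch (m[1] || '=') {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    default: return c === 0;
  }
}

// Depth-first walk; returns one record per dependency path that reaches a
// version inside an advisory range (e.g. "myProject > @slack/bolt > express > send").
function findVulnerablePaths(tree, advisoryMap) {
  const hits = [];
  (function walk(node, name, path) {
    const here = [...path, name];
    const adv = advisoryMap[name];
    if (adv && inRange(node.version, adv.range)) {
      hits.push({ path: here.join(' > '), version: node.version, severity: adv.severity });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(child, dep, here);
  })(tree, tree.name, []);
  return hits;
}

for (const h of findVulnerablePaths(sampleTree, advisories)) {
  console.log(`${h.severity.padEnd(8)} ${h.path}@${h.version}`);
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of `npm ls --all --json` output and the `advisories` table with the ranges from `npm audit --json`; the hyphen-range check is inclusive on both ends, which is why `express` at the constructed 4.19.2 and `serve-static` at 1.15.0 are both reported, while the constructed `path-to-regexp` 0.1.7 under `express` falls outside the printed `0.2.0 - 7.2.0` range and is not.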
