Vulnerable dependency send < 19.0 being pulled in via [email protected]. #423

Open
4 tasks done
davidsyckle opened this issue Sep 18, 2024 · 0 comments
Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Vulnerable dependency send < 19.0 being pulled in via [email protected]. Please consider updating package.json and package-lock.json to specify a version of at least "@types/express": "^4.21.0" for express to mitigate the possibility of the vulnerable transitive dependency.

├─┬ [email protected]
│ ├─┬ @types/[email protected]
│ │ ├─┬ @types/[email protected]
│ │ │ ├─┬ @types/[email protected]
│ │ │ │ └── @types/[email protected] deduped
│ │ │ └── @types/[email protected] deduped
│ │ ├─┬ @types/[email protected]
│ │ │ ├── @types/[email protected] deduped
│ │ │ ├── @types/[email protected] deduped
│ │ │ ├── @types/[email protected]
│ │ │ └─┬ @types/[email protected] Here
│ │ │ ├── @types/[email protected]
│ │ │ └── @types/[email protected] deduped
│ │ ├── @types/[email protected]
│ │ └─┬ @types/[email protected]
│ │ ├── @types/[email protected]
│ │ ├── @types/[email protected] deduped
│ │ └── @types/[email protected] deduped Here

Reproduction

Scan installed project with dependency-check. Review results.

Additional context

Please consider updating express-serve-static-core and serve-static to current versions to mitigate this vulnerable dependency.

https://ossindex.sonatype.org/vulnerability/CVE-2024-43799?component-type=npm&component-name=send&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.2

GHSA-m6fv-jmcg-4jfg

https://www.npmjs.com/package/send

jwks-rsa version

3.1.0

Node.js version

18.20.3
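The report above comes from dependency-check matching package names in the installed tree against CVE-2024-43799 / GHSA-m6fv-jmcg-4jfg, which is fixed in send 0.19.0. Before bumping ranges it helps to know exactly which installed copies of `send` are below the fixed version and who asked for them; note that the tree in the report lists `@types/send`, which ships TypeScript declarations only, so a name match alone does not say whether the vulnerable runtime code is actually installed. The script below is an added example, not code from the jwks-rsa project or from the issue author: it walks the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3), lists every installed copy of a named package, flags those below the fixed version, and prints which packages declare a dependency on it. The lockfile it runs on is constructed here; the package names `legacy-static` and `fresh-static` and all `@types/*` version numbers in it are made up for the illustration.

```javascript
// Added example (not from the jwks-rsa project): find installed copies of a
// package in an npm lockfile and flag those below the version that fixes a CVE.
// Here the package is `send` and the fixed version is 0.19.0 (GHSA-m6fv-jmcg-4jfg).

// Compare two dotted version strings numerically, e.g. "0.18.0" vs "0.19.0".
// Returns -1, 0 or 1. A pre-release suffix is dropped (assumption: npm writes
// resolved release versions into the lockfile, which is what we read).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// The package name an installed location resolves to: everything after the
// last "node_modules/". Scoped names keep their "@scope/" prefix, so
// "node_modules/@types/send" is "@types/send", not "send".
function nameFromLocation(location) {
  const marker = "node_modules/";
  const idx = location.lastIndexOf(marker);
  return idx === -1 ? location : location.slice(idx + marker.length);
}

// Every package that declares `name` in any dependency field. This does not
// resolve which installed copy each dependent gets; it answers "who asked for
// this package", which is what you need when deciding whose range to bump.
function dependentsOf(packages, name) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const [loc, entry] of Object.entries(packages)) {
    for (const field of fields) {
      const deps = entry[field];
      if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
        out.push({ location: loc === "" ? "(root)" : loc, range: deps[name] });
      }
    }
  }
  return out;
}

// List each installed copy of `name`, marking those below `fixedVersion`.
function findPackage(lock, name, fixedVersion) {
  const packages = lock.packages || {};
  const dependents = dependentsOf(packages, name);
  const hits = [];
  for (const [loc, entry] of Object.entries(packages)) {
    if (loc === "" || !entry.version || nameFromLocation(loc) !== name) continue;
    hits.push({
      location: loc,
      version: entry.version,
      vulnerable: compareVersions(entry.version, fixedVersion) < 0,
      dependents,
    });
  }
  return hits;
}

// Print the findings and return the number of vulnerable copies.
function report(lock, name, fixedVersion) {
  const hits = findPackage(lock, name, fixedVersion);
  for (const h of hits) {
    const status = h.vulnerable ? `VULNERABLE (< ${fixedVersion})` : "ok";
    console.log(`${h.location} ${h.version} ${status}`);
    for (const d of h.dependents) console.log(`  wanted by ${d.location} (${d.range})`);
  }
  return hits.filter((h) => h.vulnerable).length;
}

// Constructed sample lockfile, not a real jwks-rsa lock. `legacy-static` and
// `fresh-static` are hypothetical packages; the @types versions are made up.
// It has one hoisted vulnerable `send`, one nested copy already at the fixed
// version, and the declarations-only `@types/send`, which carries no runtime code.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "jwks-rsa": "^3.1.0", "legacy-static": "^1.0.0", "fresh-static": "^2.0.0" } },
    "node_modules/jwks-rsa": { version: "3.1.0", dependencies: { "@types/express": "^4.17.17" } },
    "node_modules/@types/express": { version: "4.17.17", dependencies: { "@types/serve-static": "*" } },
    "node_modules/@types/serve-static": { version: "1.15.1", dependencies: { "@types/send": "*" } },
    "node_modules/@types/send": { version: "0.17.1" },
    "node_modules/legacy-static": { version: "1.0.0", dependencies: { send: "0.18.0" } },
    "node_modules/send": { version: "0.18.0" },
    "node_modules/fresh-static": { version: "2.0.0", dependencies: { send: "0.19.0" } },
    "node_modules/fresh-static/node_modules/send": { version: "0.19.0" },
  },
};

report(SAMPLE_LOCK, "send", "0.19.0");
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; `npm ls send` shows the same installed copies with their paths, and `npm audit` matches them against the advisory database. If the package that declares the old range is not yours to change, npm's `overrides` field in package.json (for example `"overrides": { "send": "0.19.0" }`) forces the resolved version across the whole tree until the upstream range is bumped.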
