express-generator app uses modules which have critical security vulnerabilities #327

Open
RushilJalal opened this issue Nov 16, 2024 · 8 comments · May be fixed by #328

@RushilJalal

RushilJalal commented Nov 16, 2024

image

I created an app using express-generator, and on running npm i I am told that some of the modules have high and several critical level security vulnerabilities.
I ran npm audit fix --force, which still didn't fix the problem.
I referred to https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install, which asked to uninstall jade and install pug instead, which fixed the issue.
I believe this should be inbuilt and the user should not be required to manually install pug.
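
The triage step behind this report, as an added example that is not part of the original thread or of express-generator: group the findings in `npm audit --json` output (npm 7+ report shape) by the direct dependency that pulls them in, which shows when replacing one top-level package, here jade, clears many findings at once. The report is constructed; the `placeholder-*` names, the severities and the function names are assumptions.

```javascript
// Constructed report in the shape of `npm audit --json` (auditReportVersion 2).
// Only "jade" comes from the issue; placeholder-* names and severities are made up.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    jade: { severity: 'critical', isDirect: true, via: ['placeholder-a', 'placeholder-b'], effects: [] },
    'placeholder-a': { severity: 'critical', isDirect: false, via: [{ title: 'constructed advisory 1' }], effects: ['jade'] },
    'placeholder-b': { severity: 'high', isDirect: false, via: ['placeholder-c'], effects: ['jade'] },
    'placeholder-c': { severity: 'high', isDirect: false, via: [{ title: 'constructed advisory 2' }], effects: ['placeholder-b'] },
    'placeholder-direct': { severity: 'low', isDirect: true, via: [{ title: 'constructed advisory 3' }], effects: [] }
  }
};

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` (the packages that depend on `name`) up to direct dependencies.
function directRoots(name, vulns, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name); // guard against dependency cycles
  const roots = vulns[name].isDirect ? [name] : [];
  for (const parent of vulns[name].effects || []) {
    roots.push(...directRoots(parent, vulns, seen));
  }
  return roots;
}

// Map each direct dependency to the flawed packages it brings in and the worst severity.
function groupByDirectDependency(report) {
  const vulns = report.vulnerabilities || {};
  const groups = {};
  for (const [name, entry] of Object.entries(vulns)) {
    // A `via` object is an advisory against this package; a string means it inherits one.
    if (!(entry.via || []).some((v) => typeof v === 'object')) continue;
    for (const root of directRoots(name, vulns)) {
      const g = groups[root] || (groups[root] = { worst: 'info', flawed: [] });
      g.flawed.push(name);
      if (RANK[entry.severity] > RANK[g.worst]) g.worst = entry.severity;
    }
  }
  for (const g of Object.values(groups)) g.flawed.sort();
  return groups;
}

console.log(JSON.stringify(groupByDirectDependency(sampleReport), null, 2));
```

To use it on a generated app, pass the parsed output of `npm audit --json` in place of `sampleReport`.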

@RushilJalal
Author

Even after following https://stackoverflow.com/questions/57923270/vulnerabilities-problem-using-npm-install
On running npm start, I am greeted with
image
I would be grateful if someone could point me to the solution as I am completely new with express.

@IamLizu

This comment was marked as resolved.

@RushilJalal
Author

Yes that would be much better.
Apologies, I was not aware of generator being a separate repo.

@IamLizu
Member

IamLizu commented Nov 17, 2024

No worries @RushilJalal

Thank you for reporting this.

@UlisesGascon UlisesGascon transferred this issue from expressjs/express Nov 17, 2024
@RushilJalal
Author

Is it possible to assign this issue to me?
I would love to contribute, although I would need some help...

@IamLizu
Member

IamLizu commented Nov 18, 2024

Sure @RushilJalal

@RushilJalal
Author

RushilJalal commented Nov 18, 2024

```js
// cmd.js
it('should have a package.json file', function () {
  var file = path.resolve(ctx.dir, 'package.json')
  var contents = fs.readFileSync(file, 'utf8')
  assert.strictEqual(contents, '{\n' +
    '  "name": "express-1-no-args",\n' +
    '  "version": "0.0.0",\n' +
    '  "private": true,\n' +
    '  "scripts": {\n' +
    '    "start": "node ./bin/www"\n' +
    '  },\n' +
    '  "dependencies": {\n' +
    '    "cookie-parser": "~1.4.5",\n' +
    '    "debug": "~2.6.9",\n' +
    '    "express": "~4.17.1",\n' +
    '    "http-errors": "~1.7.2",\n' +
    // replace default jade with pug
    // '    "jade": "~1.11.0",\n' +
    '    "pug": "~3.0.3",\n' +
    '    "morgan": "~1.10.0"\n' +
    '  }\n' +
    '}\n')
})
```

```js
// express-cli.js
// Default view engine
if (options.view === true) {
  warning('the default view engine will not be jade in future releases\n' +
    "use `--view=jade' or `--help' for additional options")
  options.view = 'pug' // changed jade to pug
}
```

I have made the changes as highlighted in the comments.
I want to run the app and test if there are no errors due to the changes I made. How do I do so?
Is there anything else I need to change? Kindly advise.

@RushilJalal
Author

@IamLizu Kindly advise...

@RushilJalal RushilJalal linked a pull request Dec 13, 2024 that will close this issue